dllinquent

Search running process for a given dll/function.
Exposes a bufio.Scanner-like interface for walking a process' PEB

Examples

Walker

walker, _ := NewPebWalker(pid)
for walker.Walk() {
    dll := walker.Dll()

    if strings.HasSuffix(dll.DllFullName, "amsi.dll") {
        hFunc, _ = windows.GetProcAddress(
            windows.Handle(dll.DllBaseAddr), 
            "AmsiScanBuffer",
            )

        funcOffset = uint64(dll.FuncAddress) - dll.DllBaseAddr
        fmt.Printf("AmsiScanBuffer offset: %v", funcOffset)
    }
    
    if walker.Err() == io.EOF {
        fmt.Println("amsi not loaded")
    }
}

err = walker.Err()
return

Finding Dlls/Functions

// dllinquent.FindInSelf("amsi.dll", "AmsiScanBuffer")          (Dll, err)
// dllinquent.FindInProcess(123, "amsi.dll", "AmsiScanBuffer")  (Dll, err)
// dllinquent.FindInProcesses("amsi.dll", "AmsiScanBuffer")     (map[Process]Dll, err)

func HasAmsi() (hasAmsi bool, dll Dll, err error) {
	dll, err = dllinquent.FindInSelf("amsi.dll", "AmsiScanBuffer")
	if err != nil {
		return
	}

	if dll != (dllinquent.Dll{}) {
		hasAmsi = true
	}
	return
}

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
LICENSE		LICENSE
dllinquent.go		dllinquent.go
dllinquent_test.go		dllinquent_test.go
go.mod		go.mod
go.sum		go.sum
pebwalker.go		pebwalker.go
readme.md		readme.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

dllinquent

Examples

Walker

Finding Dlls/Functions

About

Languages

License

audibleblink/dllinquent

Folders and files

Latest commit

History

Repository files navigation

dllinquent

Examples

Walker

Finding Dlls/Functions

About

Resources

License

Stars

Watchers

Forks

Languages