ergoz · ergoz · Aug 10, 2019 · Aug 10, 2019 · Aug 10, 2019 · Aug 10, 2019
diff --git a/AUTHORS b/AUTHORS
@@ -18,4 +18,5 @@ James Hovious @jameshovious
 Liam Bowen <[email protected]>
 Michael Henke
 Paul Maddox <[email protected]>
+Vinicius Rangel <[email protected]>
 Xackery Xtal <[email protected]>
diff --git a/constants.go b/constants.go
@@ -36,6 +36,8 @@ const (
 	ERROR_SERVICE_DEPENDENCY_DELETED = 1075
 )
 
+const INVALID_HANDLE = ^HANDLE(0)
+
 const (
 	WAIT_ABANDONED = 0x00000080
 	WAIT_OBJECT_0  = 0x00000000
@@ -3048,3 +3050,64 @@ const (
 	SCALE_450_PERCENT           = 450
 	SCALE_500_PERCENT           = 500
 )
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea
+const (
+	PIPE_ACCESS_INBOUND           DWORD = 0x00000001
+	PIPE_ACCESS_OUTBOUND                = 0x00000002
+	PIPE_ACCESS_DUPLEX                  = 0x00000003
+	FILE_FLAG_FIRST_PIPE_INSTANCE       = 0x00080000
+	WRITE_DAC                           = 0x00040000
+	WRITE_OWNER                         = 0x00080000
+	ACCESS_SYSTEM_SECURITY              = 0x01000000
+
+	PIPE_TYPE_BYTE             = 0x00000000
+	PIPE_TYPE_MESSAGE          = 0x00000004
+	PIPE_READMODE_BYTE         = 0x00000000
+	PIPE_READMODE_MESSAGE      = 0x00000002
+	PIPE_WAIT                  = 0x00000000
+	PIPE_NOWAIT                = 0x00000001
+	PIPE_ACCEPT_REMOTE_CLIENTS = 0x00000000
+	PIPE_REJECT_REMOTE_CLIENTS = 0x00000008
+
+	PIPE_UNLIMITED_INSTANCES = 255
+)
+
+// https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea
+const (
+	GENERIC_READ    DWORD = 0x80000000
+	GENERIC_WRITE         = 0x40000000
+	GENERIC_EXECUTE       = 0x20000000
+	GENERIC_ALL           = 0x10000000
+
+	FILE_SHARE_DELETE = 0x00000004
+	FILE_SHARE_READ   = 0x00000001
+	FILE_SHARE_WRITE  = 0x00000002
+
+	CREATE_ALWAYS     = 2
+	CREATE_NEW        = 1
+	OPEN_ALWAYS       = 4
+	OPEN_EXISTING     = 3
+	TRUNCATE_EXISTING = 5
+
+	FILE_ATTRIBUTE_ARCHIVE   = 0x20
+	FILE_ATTRIBUTE_ENCRYPTED = 0x4000
+	FILE_ATTRIBUTE_HIDDEN    = 0x2
+	FILE_ATTRIBUTE_NORMAL    = 0x80
+	FILE_ATTRIBUTE_OFFLINE   = 0x1000
+	FILE_ATTRIBUTE_READONLY  = 0x1
+	FILE_ATTRIBUTE_SYSTEM    = 0x4
+	FILE_ATTRIBUTE_TEMPORARY = 0x100
+
+	FILE_FLAG_BACKUP_SEMANTICS   = 0x02000000
+	FILE_FLAG_DELETE_ON_CLOSE    = 0x04000000
+	FILE_FLAG_NO_BUFFERING       = 0x20000000
+	FILE_FLAG_OPEN_NO_RECALL     = 0x00100000
+	FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
+	FILE_FLAG_OVERLAPPED         = 0x40000000
+	FILE_FLAG_POSIX_SEMANTICS    = 0x0100000
+	FILE_FLAG_RANDOM_ACCESS      = 0x10000000
+	FILE_FLAG_SESSION_AWARE      = 0x00800000
+	FILE_FLAG_SEQUENTIAL_SCAN    = 0x08000000
+	FILE_FLAG_WRITE_THROUGH      = 0x80000000
+)
diff --git a/kernel32.go b/kernel32.go
@@ -14,6 +14,9 @@ var (
 	modkernel32                    = syscall.NewLazyDLL("kernel32.dll")
 	procCopyMemory                 = modkernel32.NewProc("RtlCopyMemory")
 	procCloseHandle                = modkernel32.NewProc("CloseHandle")
+	procConnectNamedPipe           = modkernel32.NewProc("ConnectNamedPipe")
+	procCreateFileW                = modkernel32.NewProc("CreateFileW")
+	procCreateNamedPipeW           = modkernel32.NewProc("CreateNamedPipeW")
 	procCreateProcessA             = modkernel32.NewProc("CreateProcessA")
 	procCreateProcessW             = modkernel32.NewProc("CreateProcessW")
 	procCreateRemoteThread         = modkernel32.NewProc("CreateRemoteThread")
@@ -64,6 +67,7 @@ var (
 	procVirtualQuery               = modkernel32.NewProc("VirtualQuery")
 	procVirtualQueryEx             = modkernel32.NewProc("VirtualQueryEx")
 	procWaitForSingleObject        = modkernel32.NewProc("WaitForSingleObject")
+	procWriteFile                  = modkernel32.NewProc("WriteFile")
 	procWriteProcessMemory         = modkernel32.NewProc("WriteProcessMemory")
 
 	procResumeThread  = modkernel32.NewProc("ResumeThread")
@@ -217,6 +221,67 @@ func VirtualProtect(lpAddress uintptr, dwSize int, flNewProtect int, lpflOldProt
 	return ret != 0
 }
 
+func CreateFile(
+	name string,
+	desiredAccess DWORD,
+	shareMode DWORD,
+	securityAttributes *SECURITY_ATTRIBUTES,
+	creationDisposition DWORD,
+	flagsAndAttributes DWORD,
+	templateFile HANDLE,
+) (HANDLE, error) {
+	handle, _, err := procCreateFileW.Call(
+		uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(name))),
+		uintptr(desiredAccess),
+		uintptr(shareMode),
+		uintptr(unsafe.Pointer(securityAttributes)),
+		uintptr(creationDisposition),
+		uintptr(flagsAndAttributes),
+		uintptr(templateFile),
+	)
+	if !IsErrSuccess(err) {
+		return HANDLE(handle), err
+	}
+	return HANDLE(handle), err
+}
+
+func ConnectNamedPipe(handle HANDLE, overlapped *OVERLAPPED) (bool, error) {
+	ok, _, err := procConnectNamedPipe.Call(
+		uintptr(handle),
+		uintptr(unsafe.Pointer(overlapped)),
+	)
+	if IsErrSuccess(err) {
+		return ok != 0, err
+	}
+	return ok != 0, nil
+}
+
+func CreateNamedPipe(
+	name string,
+	openMode DWORD,
+	pipeMode DWORD,
+	maxInstances DWORD,
+	outBufferSize DWORD,
+	inBufferSize DWORD,
+	defaultTimeOut DWORD,
+	securityAttributes *SECURITY_ATTRIBUTES,
+) (HANDLE, error) {
+	handle, _, err := procCreateNamedPipeW.Call(
+		uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(name))),
+		uintptr(openMode),
+		uintptr(pipeMode),
+		uintptr(maxInstances),
+		uintptr(outBufferSize),
+		uintptr(inBufferSize),
+		uintptr(defaultTimeOut),
+		uintptr(unsafe.Pointer(securityAttributes)),
+	)
+	if !IsErrSuccess(err) {
+		return INVALID_HANDLE, err
+	}
+	return HANDLE(handle), nil
+}
+
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
 func CreateProcessA(lpApplicationName *string,
 	lpCommandLine string,
@@ -306,7 +371,7 @@ func GetProcAddress(hProcess HANDLE, procname string) (addr uintptr, err error)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx
 // Credit: https://github.com/contester/runlib/blob/master/win32/win32_windows.go#L577
 func CreateRemoteThread(hprocess HANDLE, sa *syscall.SecurityAttributes,
-	stackSize uint32, startAddress uint32, parameter uintptr, creationFlags uint32) (syscall.Handle, uint32, error) {
+	stackSize uint32, startAddress uint32, parameter uintptr, creationFlags uint32) (HANDLE, uint32, error) {
 	var threadId uint32
 	r1, _, e1 := procCreateRemoteThread.Call(
 		uintptr(hprocess),
@@ -318,9 +383,9 @@ func CreateRemoteThread(hprocess HANDLE, sa *syscall.SecurityAttributes,
 		uintptr(unsafe.Pointer(&threadId)))
 
 	if int(r1) == 0 {
-		return syscall.InvalidHandle, 0, e1
+		return INVALID_HANDLE, 0, e1
 	}
-	return syscall.Handle(r1), threadId, nil
+	return HANDLE(r1), threadId, nil
 }
 
 func GetModuleHandle(modulename string) HINSTANCE {
@@ -629,6 +694,20 @@ func SetSystemTime(time *SYSTEMTIME) (err error) {
 	return
 }
 
+func WriteFile(handle HANDLE, buf []byte, written *uint32, overlapped *OVERLAPPED) (bool, error) {
+	ok, _, err := procWriteFile.Call(
+		uintptr(handle),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(len(buf)),
+		uintptr(unsafe.Pointer(&written)),
+		uintptr(unsafe.Pointer(overlapped)),
+	)
+	if !IsErrSuccess(err) {
+		return ok != 0, err
+	}
+	return ok != 0, err
+}
+
 //Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.
 //https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx
 func WriteProcessMemory(hProcess HANDLE, lpBaseAddress uint32, data []byte, size uint) (err error) {

diff --git a/typedef.go b/typedef.go
@@ -971,6 +971,14 @@ type SECURITY_DESCRIPTOR struct {
 	Dacl     *ACL
 }
 
+type OVERLAPPED struct {
+	Internal     uintptr
+	InternalHigh uintptr
+	Offset       uint32
+	OffsetHigh   uint32
+	HEvent       HANDLE
+}
+
 type SID_IDENTIFIER_AUTHORITY struct {
 	Value [6]byte
 }