
When GOARCH=386, the following code will return the following error:

package main

import (
    "syscall"
)
var (
    kernel32       = syscall.MustLoadDLL("kernel32.dll")
    ntdll          = syscall.MustLoadDLL("ntdll.dll")
    VirtualAlloc   = kernel32.MustFindProc("VirtualAlloc")
    RtlCopyMemory  = ntdll.MustFindProc("RtlCopyMemory")
)
func main() {}

Error:

C:\Users\me\code\shellGo>main.exe
panic: Failed to find RtlCopyMemory procedure in ntdll.dll: The specified procedure could not be found.

goroutine 1 [running]:
syscall.(*DLL).MustFindProc(0x11004070, 0x46481f, 0xd, 0x11004080)
        C:/go/src/syscall/dll_windows.go:134 +0x5c
main.init.ializers()
        C:/Users/me/code/shellGo/main.go:10 +0xc9

I have checked in procmon and the DLL seems to be loaded correctly. The code runs fine when GOARCH=amd64. Note that I'm on 64-bit but I'm trying to compile this in 32-bit for compatibility.

Edit: I figured I can use RtlMoveMemory, but then the shellcode doesn't run on 32-bit. It works fine on 64-bit (and yes, I change my shellcode to match 32- or 64-bit).

dkx22
  • RtlCopyMemory is only a macro, IIRC, which means it doesn't have an actual function in the DLL. The macro wraps a call to `memcpy()`, or at least it used to the last time I looked. A quick look at the first documentation page I found via Google [here](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlcopymemory) defines it as a macro as well. – Ken White Oct 31 '19 at 18:26
  • Yeah I learned that, but it doesn't explain why it's ok to do this on 64bit and not 32 though – dkx22 Oct 31 '19 at 18:45
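As an added illustration (not code from the question or its comments), here is a way to resolve whichever of the two export names the loaded ntdll.dll actually provides, and to get a readable error instead of the init-time panic shown in the trace above. The names exportFinder, resolveFirst and fakeDLL are mine; the fake export tables are constructed to mirror the question's observation (the 386 build finds only RtlMoveMemory, the amd64 build finds RtlCopyMemory), and on Windows a small adapter around (*syscall.DLL).FindProc would satisfy the interface.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// exportFinder is all this example needs from a loaded DLL; on Windows a thin
// adapter over (*syscall.DLL).FindProc satisfies it (assumed, not shown).
type exportFinder interface {
	FindProc(name string) (uintptr, error)
}

// resolveFirst returns the first candidate export the DLL actually has.
// A miss is an ordinary error naming everything tried, instead of the
// init-time panic that MustFindProc in a package-level var produces.
func resolveFirst(dll exportFinder, candidates ...string) (string, uintptr, error) {
	var tried []string
	for _, name := range candidates {
		addr, err := dll.FindProc(name)
		if err == nil {
			return name, addr, nil
		}
		tried = append(tried, fmt.Sprintf("%s (%v)", name, err))
	}
	return "", 0, errors.New("no usable export: " + strings.Join(tried, "; "))
}

// fakeDLL is a constructed export table (made-up addresses) for use off Windows.
type fakeDLL map[string]uintptr

func (f fakeDLL) FindProc(name string) (uintptr, error) {
	if addr, ok := f[name]; ok {
		return addr, nil
	}
	return 0, fmt.Errorf("%s: the specified procedure could not be found", name)
}

func main() {
	// Constructed to mirror the question: 386 lacks RtlCopyMemory, amd64 has it.
	tables := map[string]fakeDLL{
		"386":   {"RtlMoveMemory": 0x77010000},
		"amd64": {"RtlCopyMemory": 0x7ff80000, "RtlMoveMemory": 0x7ff80010},
	}
	for arch, d := range tables {
		name, addr, err := resolveFirst(d, "RtlCopyMemory", "RtlMoveMemory")
		fmt.Printf("%s: %s @ %#x err=%v\n", arch, name, addr, err)
	}
}
```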

0 Answers