The post I made on Reddit after someone recommended I post here: https://www.reddit.com/r/golang/comments/1g7elz5/modifying_go_toolchain_to_have_an_empty_iat_for/

Goal
I want to have an empty IAT when I compile a Go exe. I posted about this in the past: https://www.reddit.com/r/golang/comments/1fz6raq/understanding_cgo_and_iat_with_dumpfileexe/

Solution

I noticed that all the imports in the IAT are because of a file in the Go runtime package called https://github.com/golang/go/blob/master/src/runtime/os_windows.go

So having

```
//go:cgo_import_dynamic runtime._CloseHandle CloseHandle%1 "kernel32.dll"
```

will result in the address of the CloseHandle winapi being in the local variable _CloseHandle and in CloseHandle appearing in the import table.

I was not able to understand what cgo_import_dynamic really does (nor find the code behind it).

After some research, I read that there is a technique to hide the IAT by implementing two functions:

```
func GetProcAddressReplacement(hModule HANDLE, lpApiName string) uintptr
func GetModuleHandleReplacement(wantedModule string) (e HANDLE)
```

These are homemade and do not require any winapi call !! I was able to implement them in Go. In a standalone project they work and give the correct address of CloseHandle and all the other functions.

This again works in a standalone project, but I am having trouble integrating it in the toolchain.

In "runtime/os_windows.go" I deleted the cgo import of CloseHandle and replaced the declaration of _CloseHandle by

```
var _CloseHandle = stdFunction(GetProcAddressReplacement(GetModuleHandleReplacement("kernel32.dll"), "CloseHandle"))
```

Problem

And this fails. The value of _CloseHandle is 0x0 and not the address like I tested in my standalone project. After some investigation, the problem seems to come from the way I initialise _CloseHandle.

Debugging

In os_windows.go there is a function "func initHighResTimer()". I added some prints for debugging:

```
func initHighResTimer() {
	println(_CloseHandle)
	println(GetProcAddressReplacement(GetModuleHandleReplacement("kernel32.dll"), "CloseHandle"))
	h := createHighResTimer()
	if h != 0 {
		...
```

When I compile an exe sample and run it I get:

```
0x0                 <-------- The actual Value of _CloseHandle
140724969557024     <-------- Correct Address of CloseHandle API
Exception 0xc0000005 0x8 0x0 0x0
PC=0x0

runtime.asmstdcall(0xfe165ffbc8)
	/home/Rudeus/Desktop/crazy/go-linux-amd64-bootstrap/src/runtime/sys_windows_amd64.s:76 +0x89 fp=0xfe165ffba0 sp=0xfe165ffb80 pc=0x82e5e9
rax     0x0
rbx     0x929880
rcx     0xac
rdx     0xfe165ffd38
rdi     0xfe16227000
rsi     0xfe165ffda0
rbp     0xfe165ffce0
rsp     0xfe165ffb78
r8      0x9295a0
r9      0xfe165ffce0
r10     0x0
r11     0xfe165ffb70
r12     0xfe165ffd88
r13     0x0
r14     0x928940
r15     0x0
rip     0x0
rflags  0x10246
cs      0x33
fs      0x53
gs      0x2b
```

Any help, please?

PS: I plan to deep dive more into the internals of the Go toolchain. Any resources or groups you recommend I join?