package main import "syscall" // Known Bitwarden strings that may match // the Regex pattern. I need to add more! var StaticBWStrings = []string{ "Refused to evaluate", "Refused to compile", "/index.html", "Open_Sans-normal-", "ch-ua-full-version", "refresh_token", "ResourcePoolMemoryUsage.Renderer", "codeUtf8", "data:image/svg+xml", "command\"", "aultTimeoutAction", "[Email MasterPassword ] x64", "app/main.js", "no-items-image", "HighResolutionTimerUsage", "[rememberEmail", "#22##22##22##22##22##2", "%.355555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555540$", "'1Zif]-+'1Zif]", "(forced-colors: active) rklar-lineip", "(min-width: )", "0px 0px 0px 0px", "1)4`3a3b3k4l4m4n4", ".0ntrol", "3#$33$6$33$#33#", "3b4bEbFbGb8b9b:b;b", ";P;H;L;LSX;D;P;D;P;D;DSXSXSX;D;DSX;H;L;DSXSX;HSX;D;", "Cache-Control", "Content-Type", "DSXSX;P=LSX=", "L;D;D;PSX;P;D;H;t;D;l;D;L;D;P;D;", "X;PSX;DSX=L;D;P;L=LSX;D;D;L;P;H;D;HSX;HSX;PSX;L;LSX;", "Zone:EventTarget", "Zone:FileReader", "Zone:IntersectionObserver", "Zone:MutationObserver", "Zone:PromiseRejectionEvent", "Zone:ZoneAwarePromise", "Zone:blocking", "Zone:customElements", "Zone:geolocationard", "Zone:legacyetch", "Zone:on_property", "Zone:queueMicrotask", "Zone:requestAnimationFrame", "Zone:toStringtsch", "[MNq! !qNM[", "]?#&&O((''$$@", "accelerometer", "acceptation/json", "account-switcher", "action-buttons", "activeTrustedrgetR", "all and (-ms-high-contrast:", "all and (max-width: 240px)", "application/font-woff", "application/json; charset=utf-8", "ark_interactive", "asswordGenerationHistoryo{", "attribution-reporting", "aultTimeoutI", "axbufferpxain dro", "box-content-row", "browsing-topics", "bwi-angle-down", "bwi-angle-right", "bwi-angle-up58-0", "bwi-eye-slash", "bwi-lock", "cdk-high-contrast-active", "cdk-overlay-containergling", "cdk-virtual-scroll", "ch-device-memory", "ch-prefers-color-scheme", "ch-prefers-reduced-motion", "ch-save-data", "ch-ua-bitness", "ch-ua-mobile", "ch-ua-platform", "ch-ua-platform-version", "ch-ua-reduced", "ch-viewport-height", "ch-viewport-width", "chrome-error", "chrome-extension", "chrome-untrusted", "chromeitornenthesis", "clipboard-read", "clipboard-write", "content-type", "cross-origin-isolated", "ction-buttons", "ctiveUserId", "curitypolicyviolation", "detaill-scroll-item", "device-type/jsonn", "dfParallelismI", "display-capture", "encrypted-media", "environment-selector-btn", "eyyee|mA33B<94@", "file:lmelinematchis", "filter-button", "filter-heading", "filter-option", "flex-cipher-list-item", "font-weight: 300;", "footer to fetch", "g-submitted", "googlechrome", "hcaptcha_iframeesst", "http://www.w3.org/2000/svg", "i-arrow-circle-right", "identity-credentials-get", "idle-detection", "inner-content", "interest-cohort", "join-ad-interest-group", "keyboard-map", "layout_frontend", "magnetometer", "monospacedrbatim", "ng-tns-c58-0", "ollectionso", "otificationclick", "otp-credentials", "page-top-padding", "picture-in-picture", "plication/rss+xml", "print-rotate-loading", "private-aggregation", "ption ng-star-inserted", "publickey-credentials-get", "rganizationKeyso", "b(1, 2, 3)", "rounded-circlepx;", "roviderKeyso", "run-ad-auction", "screen-wake-lock", "shared-storage", "shared-storage-select-url", "text-primaryjsonask", "text/csstWorklet", "textrestored", "toggle-button", "truncate-box", "trust-token-redemption", "tureshowpress", "tBitwarden, Inc.", "vault-filters", "window-placement", "x-draggable-row", "==|", "zRQ]]QRz####zRQ]]QRz##@((", "{\"version\":", "(min-height:", "(min-width:", "application/json", "WebFont.", ":\\Users\\", "DOMAIN_ROAMINGPROFILE", "bwi-unlock", "buttons with-rows", "Toggle visibility", "rounded-circle", "device-type/jso", "loading-spinner", "UnnecessaryWakeup", "Failed to fetch", "-eyevisibility", "display:", "bwi-send-", } const ( ChromeEXEName = "chrome.exe" MSEdgeEXEName = "msedge.exe" BWDesktopEXEName = "Bitwarden.exe" BWChromeCmdLine = "--extension-process" BWDesktopCmdLine = "--no-zygote" BWChromeRegexBytePattern = `(\x02|\x04|\x05)\x00\x00\x00[^\x00]\x00\x00\x00\x01[^\x00][^\x00][^\x00]` BWDesktopRegexBytePattern = `\x01(?:[^\x00]{3})(?:[(\x20-\x7E)]{8,})` // Matches 8+ ASCII characters only // Leave as is ERROR_NOT_ALL_ASSIGNED syscall.Errno = 1300 SecurityAnonymous = 0 SecurityIdentification = 1 SecurityImpersonation = 2 SecurityDelegation = 3 // Integrity Levels SECURITY_MANDATORY_UNTRUSTED_RID = 0x00000000 SECURITY_MANDATORY_LOW_RID = 0x00001000 SECURITY_MANDATORY_MEDIUM_RID = 0x00002000 SECURITY_MANDATORY_HIGH_RID = 0x00003000 SECURITY_MANDATORY_SYSTEM_RID = 0x00004000 SECURITY_MANDATORY_PROTECTED_PROCESS_RID = 0x00005000 SE_PRIVILEGE_ENABLED_BY_DEFAULT uint32 = 0x00000001 SE_PRIVILEGE_ENABLED uint32 = 0x00000002 SE_PRIVILEGE_REMOVED uint32 = 0x00000004 SE_PRIVILEGE_USED_FOR_ACCESS uint32 = 0x80000000 // https://docs.microsoft.com/en-us/windows/desktop/secauthz/privilege-constants SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege" SE_AUDIT_NAME = "SeAuditPrivilege" SE_BACKUP_NAME = "SeBackupPrivilege" SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege" SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege" SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege" SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege" SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege" SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege" SE_DEBUG_NAME = "SeDebugPrivilege" SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME = "SeDelegateSessionUserImpersonatePrivilege" SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege" SE_IMPERSONATE_NAME = "SeImpersonatePrivilege" SE_INC_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege" SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege" SE_INC_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege" SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege" SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege" SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege" SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege" SE_PROF_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege" SE_RELABEL_NAME = "SeRelabelPrivilege" SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege" SE_RESTORE_NAME = "SeRestorePrivilege" // Memory State of pages MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 MEM_RELEASE = 0x8000 // Memory Type MEM_IMAGE = 0x1000000 MEM_MAPPED = 0x40000 MEM_PRIVATE = 0x20000 PROCESS_CREATE_PROCESS = 0x0080 PROCESS_CREATE_THREAD = 0x0002 PROCESS_DUP_HANDLE = 0x0040 PROCESS_QUERY_INFORMATION = 0x0400 PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 PROCESS_SET_INFORMATION = 0x0200 PROCESS_SET_QUOTA = 0x0100 PROCESS_SUSPEND_RESUME = 0x0800 PROCESS_TERMINATE = 0x0001 PROCESS_VM_OPERATION = 0x0008 PROCESS_VM_READ = 0x0010 PROCESS_VM_WRITE = 0x0020 PROCESS_ALL_ACCESS = 0x001F0FFF // PEB ProcessBasicInformation = 0 ProcessWow64Information = 26 CREATE_SUSPENDED = 0x00000004 SIZE = 64 * 1024 INFINITE = 0xFFFFFFFF PAGE_NOACCESS = 0x00000001 PAGE_READONLY = 0x00000002 PAGE_READWRITE = 0x00000004 PAGE_WRITECOPY = 0x00000008 PAGE_EXECUTE = 0x00000010 PAGE_EXECUTE_READ = 0x00000020 PAGE_EXECUTE_READWRITE = 0x00000040 PAGE_EXECUTE_WRITECOPY = 0x00000080 PAGE_GUARD = 0x00000100 PAGE_NOCACHE = 0x00000200 PAGE_WRITECOMBINE = 0x00000400 DELETE = 0x00010000 READ_CONTROL = 0x00020000 WRITE_DAC = 0x00040000 WRITE_OWNER = 0x00080000 SYNCHRONIZE = 0x00100000 STANDARD_RIGHTS_READ = READ_CONTROL STANDARD_RIGHTS_WRITE = READ_CONTROL STANDARD_RIGHTS_EXECUTE = READ_CONTROL STANDARD_RIGHTS_REQUIRED = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER STANDARD_RIGHTS_ALL = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE TOKEN_ASSIGN_PRIMARY = 0x0001 TOKEN_DUPLICATE = 0x0002 TOKEN_IMPERSONATE = 0x0004 TOKEN_QUERY = 0x0008 TOKEN_QUERY_SOURCE = 0x0010 TOKEN_ADJUST_PRIVILEGES = 0x0020 TOKEN_ADJUST_GROUPS = 0x0040 TOKEN_ADJUST_DEFAULT = 0x0080 TOKEN_ADJUST_SESSIONID = 0x0100 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID) )