Windows memory hacking library


Features

  • x86 and x64 support

Process interaction

  • Manage PEB32/PEB64
  • Manage process through WOW64 barrier

Process Memory

  • Allocate and free virtual memory
  • Change memory protection
  • Read/Write virtual memory

Process modules

  • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
  • Get exported function address
  • Get the main module
  • Unlink module from loader lists
  • Inject and eject modules (including pure IL images)
  • Inject 64bit modules into WOW64 processes
  • Manually map native PE images

Threads

  • Enumerate threads
  • Create and terminate threads. Support for cross-session thread creation.
  • Get thread exit code
  • Get main thread
  • Manage TEB32/TEB64
  • Join threads
  • Suspend and resume threads
  • Set/Remove hardware breakpoints

Pattern search

  • Search for arbitrary pattern in local or remote process

Remote code execution

  • Execute functions in remote process
  • Assemble own code and execute it remotely
  • Support for cdecl/stdcall/thiscall/fastcall conventions
  • Support for arguments passed by value, pointer or reference, including structures
  • FPU types are supported
  • Execute code in new thread or any existing one

Remote hooking

  • Hook functions in remote process using int3 or hardware breakpoints
  • Hook functions upon return

Manual map features

  • x86 and x64 image support
  • Mapping into any arbitrary unprotected process
  • Section mapping with proper memory protection flags
  • Image relocations (only 2 types supported. I haven’t seen a single PE image with some other relocation types)
  • Imports and Delayed imports are resolved
  • Bound import is resolved as a side effect, I think
  • Module exports
  • Loading of forwarded export images
  • API schema name redirection
  • SxS redirection and isolation
  • Activation context support
  • DLL path resolution similar to native load order
  • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  • Static TLS
  • Exception handling support (SEH and C++)
  • Adding module to some native loader structures (for basic module API support: GetModuleHandle, GetProcAddress, etc.)
  • Security cookie initialization
  • C++/CLI images are supported
  • Image unloading
  • Increase reference counter for import libraries in case of manual import mapping
  • Cyclic dependencies are handled properly

Driver features

  • Allocate/free/protect user memory
  • Read/write user and kernel memory
  • Disable permanent DEP for WOW64 processes
  • Change process protection flag
  • Change handle access rights
  • Remap process memory
  • Hiding allocated user-mode memory
  • User-mode DLL injection and manual mapping
  • Manual mapping of drivers

Requirements

  • Visual Studio 2017 15.7 or higher
  • Windows SDK 10.0.17134 or higher
  • WDK 10.0.17134 or higher (driver only)
  • VC++ 2017 Libs for Spectre (x86 and x64)
  • Visual C++ ATL (x86/x64) with Spectre Mitigations


Blackbone — Windows Memory Hacking Library

Reviewed by Zion3R on 8:30 AM

Radon

Memory hacking library for windows.

Installation

[dependencies.radon]
git = "https://github.com/sy1ntexx/radon"

Opening processes

use radon::types::access_rights::PROCESS_ALL_ACCESS;
use radon::process as ps;

let process = ps::Processes::new()?
    .find(|p| p.sz_exe_file == "Process name.exe")
    .unwrap()
    .open(false, PROCESS_ALL_ACCESS)?;

Modules iterating

let process = get_process();
process
    .modules()?
    .for_each(|m| dbg!(m));

Reading / Writing memory

let process = get_process();
let mut value = process.read_process_memory::<u32>(0xFF)?;
value += 100;

process.write_process_memory(0xFF, value)?;

Allocating / Freeing / Protecting / Querying memory

use radon::types::protection_flags::{PAGE_EXECUTE_READWRITE, PAGE_READONLY};
use radon::types::allocation_types::{MEM_COMMIT, MEM_RESERVE};
use radon::types::free_types::MEM_RELEASE;

let process = get_process();
let mut chunk = process.virtual_allocate(
    0,
    1000,
    MEM_COMMIT | MEM_RESERVE,
    PAGE_EXECUTE_READWRITE
)?;
let info = process.virtual_query(chunk)?;

process.virtual_protect(chunk, 1000, PAGE_READONLY)?;
process.virtual_free(chunk, 0, MEM_RELEASE)?;

Searching for patterns

use radon::pattern::Pattern;

let process = get_process();
let address = process.find_pattern(
    "Something.exe",
    // Available styles: IDA, Code, PiDB
    Pattern::from_ida_style("48 89 85 F0 00 00 00 4C 8B ? ? ? ? ? 48 8D")
)?;
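The IDA-style pattern above is a sequence of hex bytes where `?` stands for any byte. The following stand-alone Rust example (added here, not Radon's or Blackbone's own code) shows what such a scanner does under the hood: it parses the pattern string into concrete-byte/wildcard elements, validates it, and scans a byte buffer for every match. The buffer returned by `sample_buffer()` is constructed for the example, and the function names `parse_ida_pattern`, `find_all`, `find_first` and `find_ida` are this example's own, not Radon's API; the real `find_pattern` reads the target module's memory instead of a local slice. Running it on the README's pattern reports the match at offset 0x10.

```rust
// Added example (not Radon's or Blackbone's code): parse an IDA-style byte
// pattern with `?` wildcards and scan an in-memory byte buffer for it.

/// One element of a pattern: a concrete byte or a wildcard.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum PatByte {
    Byte(u8),
    Any,
}

/// Parse "48 89 85 F0 ? ? 4C" into pattern elements.
/// Accepts `?` or `??` as a wildcard and rejects malformed tokens,
/// empty patterns, and patterns made only of wildcards (they match everywhere).
pub fn parse_ida_pattern(s: &str) -> Result<Vec<PatByte>, String> {
    let mut out = Vec::new();
    for tok in s.split_whitespace() {
        match tok {
            "?" | "??" => out.push(PatByte::Any),
            _ if tok.len() == 2 => {
                let b = u8::from_str_radix(tok, 16)
                    .map_err(|_| format!("bad hex token '{tok}'"))?;
                out.push(PatByte::Byte(b));
            }
            _ => return Err(format!("bad token '{tok}'")),
        }
    }
    if out.is_empty() {
        return Err("empty pattern".into());
    }
    if out.iter().all(|p| *p == PatByte::Any) {
        return Err("pattern must contain at least one concrete byte".into());
    }
    Ok(out)
}

/// Offsets of every (possibly overlapping) match of `pat` in `hay`.
pub fn find_all(hay: &[u8], pat: &[PatByte]) -> Vec<usize> {
    if pat.is_empty() || pat.len() > hay.len() {
        return Vec::new();
    }
    hay.windows(pat.len())
        .enumerate()
        .filter(|(_, w)| {
            w.iter().zip(pat).all(|(b, p)| match p {
                PatByte::Any => true,
                PatByte::Byte(x) => b == x,
            })
        })
        .map(|(i, _)| i)
        .collect()
}

/// Offset of the first match, or None.
pub fn find_first(hay: &[u8], pat: &[PatByte]) -> Option<usize> {
    find_all(hay, pat).into_iter().next()
}

/// Parse and search in one call (the shape of Radon's find_pattern, over a local slice).
pub fn find_ida(hay: &[u8], pattern: &str) -> Result<Option<usize>, String> {
    let pat = parse_ida_pattern(pattern)?;
    Ok(find_first(hay, &pat))
}

/// Constructed sample buffer (not taken from a real binary): 16 filler bytes,
/// then 16 bytes that fit the README pattern, then more filler.
pub fn sample_buffer() -> Vec<u8> {
    let mut v = vec![0x90u8; 16];
    v.extend_from_slice(&[
        0x48, 0x89, 0x85, 0xF0, 0x00, 0x00, 0x00, 0x4C, 0x8B, // fixed prefix
        0x05, 0x11, 0x22, 0x33, 0x44,                          // five wildcard positions
        0x48, 0x8D,                                            // fixed suffix
    ]);
    v.extend(vec![0xCCu8; 8]);
    v
}

fn main() {
    let buf = sample_buffer();
    match find_ida(&buf, "48 89 85 F0 00 00 00 4C 8B ? ? ? ? ? 48 8D") {
        Ok(Some(off)) => println!("pattern found at offset {off:#x}"),
        Ok(None) => println!("pattern not found"),
        Err(e) => eprintln!("invalid pattern: {e}"),
    }
}
```

The validation step matters in practice: an all-wildcard or empty pattern would match at offset 0 of any module, which is exactly the kind of false positive a signature scan (whether used by a tool like this or by a detection rule) must refuse.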

Macros

use radon::{interface, xstruct};

struct CEntity;

// Creates a trait that will emulate behavior of virtual functions in C++.
interface! {
    trait IEntity {
        0 @ fn get_health() -> u32;
        1 @ fn set_health(new_value: u32);
    }
    impl for CEntity;
    /*
    class IEntity {
        virtual int get_health() = 0;
        virtual void set_health(int new_value) = 0;
    };
    */
}

// Creates a struct with explicitly defined field offsets.
xstruct! {
    struct CPlayer {
        // health will be available at offset 0x100
        0x100 @ health: u32,
        // stamina will be available at offset 0x250
        0x250 @ stamina: f32
    }
}

License

Blackbone is licensed under the MIT License. Dependencies are under their respective licenses.