x86 and x64 support<\/strong><\/li>\n<\/ul>\nProcess interaction<\/strong><\/p>\n\n- Manage PEB32\/PEB64<\/li>\n
- Manage process through WOW64 barrier<\/li>\n<\/ul>\n
Process Memory<\/strong><\/p>\n\n- Allocate and free virtual memory<\/li>\n
- Change memory protection<\/li>\n
- Read\/Write virtual memory<\/li>\n<\/ul>\n
Process modules<\/strong><\/p>\n\n- Enumerate all (32\/64 bit) modules loaded. Enumerate modules using Loader list\/Section objects\/PE headers methods.<\/li>\n
- Get exported function address<\/li>\n
- Get the main module<\/li>\n
- Unlink module from loader lists<\/li>\n
- Inject and eject modules (including pure IL images)<\/li>\n
- Inject 64bit modules into WOW64 processes<\/li>\n
- Manually map native PE images<\/li>\n<\/ul>\n
Threads<\/strong><\/p>\n\n- Enumerate threads<\/li>\n
- Create and terminate threads. Support for cross-session thread creation.<\/li>\n
- Get thread exit code<\/li>\n
- Get main thread<\/li>\n
- Manage TEB32\/TEB64<\/li>\n
- Join threads<\/li>\n
- Suspend and resume threads<\/li>\n
- Set\/Remove hardware breakpoints<\/li>\n<\/ul>\n
Pattern search<\/strong><\/p>\n\n- Search for arbitrary pattern in local or remote process<\/li>\n<\/ul>\n
Remote code execution<\/strong><\/p>\n\n- Execute functions in remote process<\/li>\n
- Assemble own code and execute it remotely<\/li>\n
- Support for cdecl\/stdcall\/thiscall\/fastcall conventions<\/li>\n
- Support for arguments passed by value, pointer or reference, including structures<\/li>\n
- FPU types are supported<\/li>\n
- Execute code in new thread or any existing one<\/li>\n<\/ul>\n
Remote hooking<\/strong><\/p>\n\n- Hook functions in remote process using int3 or hardware breakpoints<\/li>\n
- Hook functions upon return<\/li>\n<\/ul>\n
Manual map features<\/strong><\/p>\n\n- x86 and x64 image support<\/li>\n
- Mapping into any arbitrary unprotected process<\/li>\n
- Section mapping with proper memory protection flags<\/li>\n
- Image relocations (only 2 types supported. I haven’t seen a single PE image with some other relocation types)<\/li>\n
- Imports and Delayed imports are resolved<\/li>\n
- Bound import is resolved as a side effect, I think<\/li>\n
- Module exports<\/li>\n
- Loading of forwarded export images<\/li>\n
- Api schema name redirection<\/li>\n
- SxS redirection and isolation<\/li>\n
- Activation context support<\/li>\n
- Dll path resolving similar to native load order<\/li>\n
- TLS callbacks. Only for one thread and only with PROCESS_ATTACH\/PROCESS_DETACH reasons.<\/li>\n
- Static TLS<\/li>\n
- Exception handling support (SEH and C++)<\/li>\n
- Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)<\/li>\n
- Security cookie initialization<\/li>\n
- C++\/CLI images are supported<\/li>\n
- Image unloading<\/li>\n
- Increase reference counter for import libraries in case of manual import mapping<\/li>\n
- Cyclic dependencies are handled properly<\/li>\n<\/ul>\n
Driver features<\/strong><\/p>\n\n- Allocate\/free\/protect user memory<\/li>\n
- Read\/write user and kernel memory<\/li>\n
- Disable permanent DEP for WOW64 processes<\/li>\n
- Change process protection flag<\/li>\n
- Change handle access rights<\/li>\n
- Remap process memory<\/li>\n
- Hiding allocated user-mode memory<\/li>\n
- User-mode dll injection and manual mapping<\/li>\n
- Manual mapping of drivers<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Blackbone https:\/\/github.com\/DarthTon\/Blackbone Windows memory hacking library Features x86 and x64 support Process interaction Manage PEB32\/PEB64 Manage process through WOW64 barrier Process Memory Allocate and free virtual memory Change memory protection Read\/Write virtual memory Process modules Enumerate all (32\/64 bit) modules loaded. Enumerate modules using Loader list\/Section objects\/PE headers methods. Get exported function address Get … Continue reading Nice DLL Injection LIB<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[17],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/52"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52"}],"version-history":[{"count":1,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":53,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/52\/revisions\/53"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}