Hello,
I'm here to present my current memory editing project.
This project is a Python library for Windows that provides the functions you need to start working on memory editing on your own.
This project is released under the Beer-Ware License.
What has been done:
[+] List every process and map each one to its Windows process structure
[+] Open a process and enter debug mode
[+] Read memory from a debugged process
[+] Write memory to a debugged process (this part still needs more work)
[+] List a process's threads
[+] Get the main thread of a process
[+] Suspend/resume/terminate a thread
[+] Get/set a thread's context (registers EAX, EBP, ...)
[+] List a process's modules
[+] API hooking
[+] DLL injection
[+] Pattern search (byte signatures with a wildcard mask)
Code example:
Code:
    from pymem import Pymem  # import path assumed; adjust to where PyMem is installed

    if __name__ == '__main__':
        pymem = Pymem()
        if pymem.openProcessFromName("Wow"):
            # At this step we can read and write to the process.
            # Pointer chain: read the pointer at 0xB366D0, follow it +0x34, then +0x24,
            # and read the final value as an unsigned int (the player object base).
            playerBase = pymem.readOffset([0xB366D0, 0x34, 0x24], 'uint')
            # Plain read: the player's X coordinate is a float at base + 0x798.
            player_x = pymem.readOffset(playerBase + 0x798, 'float')
            print("Player float x: %s" % player_x)
        else:
            print("Could not open process")
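To show what a multi-level `readOffset` call actually does, here is an added example that is not part of the original post or of the PyMem library: a pure-Python pointer-chain walker over a constructed fake process (a few bytearrays standing in for `ReadProcessMemory`), using the same addresses as the snippet above. The chain semantics (pointer at the first address, then pointer at `ptr + offset` for each middle element, then a typed read at `ptr + last offset`) and the type names are assumptions; `FakeProcess`, `read_offset` and `safe_read_offset` are names chosen here. The `safe_read_offset` wrapper shows the usual failure mode: after a game patch or before the object is loaded, a stale or NULL pointer sends the chain into unmapped memory.

```python
import struct

# Constructed stand-in for a process: a few "mapped" regions keyed by base address.
class FakeProcess(object):
    def __init__(self, regions):
        self.regions = dict(regions)   # {base_address: bytearray}

    def read(self, address, size):
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                off = address - base
                return bytes(data[off:off + size])
        # Same outcome as ReadProcessMemory failing on an unmapped page.
        raise IOError("unmapped read at 0x%08X (%d bytes)" % (address, size))

# struct codes for the type names used on the page ('uint', 'float') plus a few more
# (assumed: little-endian, 32-bit pointers, as in a 32-bit Windows target).
TYPES = {'uint': '<I', 'int': '<i', 'float': '<f', 'double': '<d',
         'ushort': '<H', 'byte': '<B'}

def read_typed(proc, address, typ):
    fmt = TYPES[typ]
    return struct.unpack(fmt, proc.read(address, struct.calcsize(fmt)))[0]

def read_offset(proc, offsets, typ):
    """Assumed readOffset semantics: an int is a plain typed read; a list is a
    pointer chain: read the 32-bit pointer at offsets[0], add the next offset,
    read the pointer there, ... and finally read the typed value at ptr + offsets[-1]."""
    if isinstance(offsets, int):
        return read_typed(proc, offsets, typ)
    address = offsets[0]
    for off in offsets[1:]:
        address = read_typed(proc, address, 'uint') + off
    return read_typed(proc, address, typ)

def safe_read_offset(proc, offsets, typ):
    """A broken chain (NULL or stale pointer) lands on unmapped memory; return None
    instead of crashing so a polling loop can simply retry on the next tick."""
    try:
        return read_offset(proc, offsets, typ)
    except IOError:
        return None

def build_sample_process():
    """Constructed memory layout reproducing the chain [0xB366D0, 0x34, 0x24] -> player."""
    static = bytearray(0x100)    # mapped at 0xB36600, holds the static pointer at 0xB366D0
    obj_a = bytearray(0x100)     # mapped at 0x0A000000, pointer to the next object at +0x34
    obj_b = bytearray(0x100)     # mapped at 0x0B000000, pointer to the player at +0x24
    player = bytearray(0x800)    # mapped at 0x0C000000, X coordinate (float) at +0x798
    struct.pack_into('<I', static, 0xB366D0 - 0xB36600, 0x0A000000)
    struct.pack_into('<I', obj_a, 0x34, 0x0B000000)
    struct.pack_into('<I', obj_b, 0x24, 0x0C000000)
    struct.pack_into('<f', player, 0x798, 1234.5)
    return FakeProcess({0xB36600: static, 0x0A000000: obj_a,
                        0x0B000000: obj_b, 0x0C000000: player})

def player_x(proc):
    """The two reads from the snippet above, against the fake process."""
    base = read_offset(proc, [0xB366D0, 0x34, 0x24], 'uint')
    return read_offset(proc, base + 0x798, 'float')

if __name__ == '__main__':
    proc = build_sample_process()
    print("Player float x: %s" % player_x(proc))
    # obj_a holds zeros at +0x40, so this chain dereferences NULL + 0x24 -> None
    print("broken chain: %r" % safe_read_offset(proc, [0xB366D0, 0x40, 0x24], 'uint'))
```

Keep every intermediate pointer in the chain in mind when an offset list stops working after an update: only the first element is an absolute address, the rest are relative to whatever the previous pointer happened to contain.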
Hook:
Code:
    from pymem import Pymem, Hook, Hooked  # import path assumed

    # First we set our hook somewhere in our code.
    # The callback runs each time the target calls kernel32!OpenProcess;
    # dbg is the debugger instance, args the hooked call's arguments.
    # Whatever the callback returns is handed back to the caller instead of
    # the real return value (here a fake handle).
    @Hooked(func='OpenProcess', module='kernel32.dll', exit=None, params=0)
    def my_openProcess(dbg, args):
        print('Hooked explorer OpenProcess !')
        return 0x00010002

    # Then we just run all hooks.
    h = Hook()
    pymem = Pymem()
    if not pymem.openProcessFromName("explorer"):
        raise SystemExit("Could not open explorer")
    h.launch(pymem.pid)  # Run all hooks.
DLL injection:
Code:
    from pymem import Pymem  # import path assumed

    if __name__ == '__main__':
        pymem = Pymem()
        if pymem.openProcessFromName("Wow"):
            # Loads the DLL inside the target process; its DllMain then runs there.
            if pymem.injectDLL("d:/OpenProcessHook.dll"):
                print('Dll injected !')
            else:
                print('Injection failed')
Pattern search:
Code:
    from pymem import Pymem  # import path assumed

    if __name__ == '__main__':
        pymem = Pymem()
        if pymem.openProcessFromName("Wow"):
            # Register a named signature: the bytes, plus a mask of the same length
            # where 'x' must match and '?' is a wildcard (here the three absolute
            # addresses embedded in the code, which move from one build to the next).
            pymem.addPattern("Dostring",
                             "\x55\x8B\xEC\x51\x83\x05\xCC\x74\x32\x01\x01\xA1\xC8\x74\x32\x01"
                             "\x89\x45\xFC\x74\x12\x83\x3D\xD0\x74\x32\x01\x00",
                             "xxxxxx????xx????xxxxxxx????x")
            pymem.findPatterns()  # scan the process memory for every registered pattern
            print(pymem.getPattern('Dostring')['address'])
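The example below is added here and is not code from the original post or from PyMem: it implements the masked byte-signature scan that `addPattern`/`findPatterns` perform, in plain Python over a constructed code region, using the page's own DoString bytes and mask. It also shows how a mask like that is derived in the first place, by diffing the same function from two builds so that the relocated absolute addresses become `?` wildcards. The sample memory, the base address 0x00401000, the "new build" bytes and the function names (`compile_signature`, `find_signature`, `derive_mask`) are all constructed for this example.

```python
import re

def compile_signature(pattern, mask):
    """pattern: bytes; mask: 'x' = byte must match, '?' = any byte.
    Builds a bytes regex; re.DOTALL so the wildcard also matches 0x0A."""
    if len(pattern) != len(mask):
        raise ValueError("pattern is %d bytes but mask has %d entries"
                         % (len(pattern), len(mask)))
    parts = []
    for value, flag in zip(bytearray(pattern), mask):
        if flag == 'x':
            parts.append(re.escape(bytes(bytearray([value]))))
        elif flag == '?':
            parts.append(b'.')
        else:
            raise ValueError("bad mask character %r (expected x or ?)" % flag)
    return re.compile(b''.join(parts), re.DOTALL)

def find_signature(memory, base, pattern, mask):
    """Absolute address of the first hit, assuming `memory` is mapped at `base`, or None."""
    m = compile_signature(pattern, mask).search(memory)
    return None if m is None else base + m.start()

def find_all_signatures(memory, base, pattern, mask):
    """Every hit; more than one usually means the signature is not unique enough."""
    return [base + m.start()
            for m in compile_signature(pattern, mask).finditer(memory)]

def derive_mask(old_bytes, new_bytes):
    """Mask from the same function in two builds: bytes that changed (embedded
    absolute addresses, relocated globals) become '?' wildcards."""
    if len(old_bytes) != len(new_bytes):
        raise ValueError("cannot diff code of different length")
    return ''.join('x' if a == b else '?'
                   for a, b in zip(bytearray(old_bytes), bytearray(new_bytes)))

# The DoString signature from the post: push ebp / mov ebp,esp / push ecx /
# add dword [g1],1 / mov eax,[g2] / mov [ebp-4],eax / jz +0x12 / cmp dword [g3],0.
DOSTRING_PATTERN = (b"\x55\x8B\xEC\x51\x83\x05\xCC\x74\x32\x01\x01\xA1\xC8\x74\x32\x01"
                    b"\x89\x45\xFC\x74\x12\x83\x3D\xD0\x74\x32\x01\x00")
DOSTRING_MASK = "xxxxxx????xx????xxxxxxx????x"

# Constructed "new build" of the same function: identical code, but the three
# globals moved from 0x013274CC/C8/D0 to 0x02B1A0DC/D8/E0 (little-endian below).
NEW_BUILD_FUNC = (b"\x55\x8B\xEC\x51\x83\x05" + b"\xDC\xA0\xB1\x02" + b"\x01\xA1"
                  + b"\xD8\xA0\xB1\x02" + b"\x89\x45\xFC\x74\x12\x83\x3D"
                  + b"\xE0\xA0\xB1\x02" + b"\x00")

CODE_BASE = 0x00401000   # assumed mapping address of the constructed region

def build_sample_memory():
    """Constructed code region: int3 padding (as the linker emits between functions),
    a decoy function that shares only the prologue, then the relocated DoString."""
    filler = b"\xCC" * 0x40
    decoy = b"\x55\x8B\xEC\x51\x83\x05" + b"\x00" * 22
    return filler + decoy + filler + NEW_BUILD_FUNC + filler

if __name__ == '__main__':
    mem = build_sample_memory()
    # Exact bytes from the old build no longer match the new one...
    print("exact match:", find_signature(mem, CODE_BASE, DOSTRING_PATTERN, 'x' * 28))
    # ...while the masked signature still finds the function at its new address.
    addr = find_signature(mem, CODE_BASE, DOSTRING_PATTERN, DOSTRING_MASK)
    print("masked match: 0x%08X" % addr)
    print("derived mask:", derive_mask(DOSTRING_PATTERN, NEW_BUILD_FUNC))
```

When hunting a real process, run the scan per module (or per committed region from `VirtualQueryEx`) rather than over one huge buffer, and treat more than one hit as a signal to lengthen the signature.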
Public repository:
On Bitbucket: PyMem
I will update this thread as soon as I get more time to implement new functionalities.
Feel free to flame, comment, troll :=)
Changelog:
- 07/03/2010: Added threading functionalities (suspend / resume)
- 07/03/2010: Added threading functionalities (terminate, exit_code, context, change_context)
- 08/03/2010: API hooking working with pyDbg
- 10/03/2010: Added Hook API
- 10/04/2010: Added Python for Windows Extensions to the project so you don't need to install them anymore
- 10/04/2010: Total library refactoring, optimization, decorators...
- 11/04/2010: Re-implemented thread access
- 25/04/2010: Added module listing
- 25/04/2010: Added DLL injection
- 09/05/2010: Added pattern search
This project is currently under development, so any suggestion is welcome.