MemorySharp
C#-based memory editing library targeting Windows applications, offering various functions to extract and inject data and code into remote processes to allow interoperability.
Hey folks!
I'm delighted to post something useful for this community where I learnt so many things/tricks about Memory Editing.
Today I want to introduce the memory editing library I have been working on for several months now. The goal of this library is to provide a safe, powerful and easy to use API, keeping the remote process as clean as possible.
Features
MemorySharp is divided into several parts. Here is the list of all the features available.
- Process interactions
  - Check if the process is debugged
  - Gather information of the process
  - Interact with the PEB (Process Environment Block)
- Memory interactions
  - Allocate and free a chunk of memory
  - Change the protection of allocated regions
  - Get an absolute/relative address from a pointer
  - Query the memory allocated
  - Read and write primitive and complex data types
- Module interactions
  - Enumerate all modules loaded
  - Find functions inside a module
  - Get the main module
  - Inject and eject modules
- Thread interactions
  - Create and terminate threads
  - Get the exit code of terminated threads
  - Get the main thread
  - Get the segment addresses
  - Get threads by identifier
  - Interact with the TEB (Thread Environment Block)
  - Join threads
  - Manage the context of threads
  - Query the state of threads
  - Suspend and resume threads
- Window interactions
  - Enumerate the windows of the process
  - Enumerate the child windows of the process
  - Enumerate the child windows of another window
  - Flash the window (once or repeatedly)
  - Get a window by its class name
  - Get a window by its title (or a part of its title)
  - Get the attached thread of a window
  - Get the main window
  - Interact with the keyboard with a window (press and release keys, write text) without activating it
  - Interact with the mouse with the window (clicks, movement)
  - Post and send messages
  - Query the class name
  - Query and modify the title
  - Query and modify the size (height, width) and the position (X, Y)
- Assembly interactions
  - Assemble mnemonics
  - Embed FASM compiler (Fasm.NET)
  - Execute remote code (such as functions) with/without parameter(s) synchronously and asynchronously
  - Inject mnemonics
  - Support several calling conventions
- Data types manipulations
  - Extract useful information from data types
  - Convert a byte array to a managed object
  - Convert a managed object to a byte array
  - Convert a pointer to a managed object
  - Store data in the remote process safely (collected when unused)
- Helpers available
  - ApplicationFinder: Find the right process to interact with
  - HandleManipulator: Convert a handle to a process or a thread
  - Generic singleton: Implement a singleton on any of your classes
  - Randomizer: Generate random numbers, strings and Guid
  - SerializationHelper: Serialize and deserialize managed objects into XML
MemorySharp enables developers to write memory injection with a nice syntax, without headaches.
The examples are available on this webpage: Binarysharp :: Products - MemorySharp (don't want to post tons of code here).
License
After a talk with some developers and notably Cypher, I decided to release MemorySharp under the MIT license. You are free to use MemorySharp in any project (even commercial projects) as long as the copyright header is left intact.
Links
Credits
I thank the entire Ownedcore community, which allows me to learn the art of Memory Editing. Especially Apoc, who is a very inspirational person for me with his posts giving such well-written pieces of code without asking anything in return (this includes examples / offsets / guides / libraries), Cypher for his very critical mind about coding practices, Bananenbrot for giving nice advice in a lot of threads of the board, TOM_RUS for his very high-skilled eyes to read asm, making very comprehensive wrappers and Shynd, who gave me the idea of creating my own library. I certainly forget tons of people here.
I also would love to get your feedback about it.
Cheers,
ZenLulz