[source][C++]Blackbone - windows memory hacking library

  1. #1
    DarthTon

    I've decided to gather all my stuff into one single library and came up with this eventually.

    Major features:
    - x86 and x64 support

    Process interaction
    - Manage PEB32/PEB64
    - Manage process through WOW64 barrier

    Process Memory
    - Allocate and free virtual memory
    - Change memory protection
    - Read/Write virtual memory

    Process modules
    - Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
    - Get exported function address
    - Get the main module
    - Unlink module from loader lists
    - Inject and eject modules (including pure IL images)
    - Inject 64bit modules into WOW64 processes
    - Manually map native PE images

    Threads
    - Enumerate threads
    - Create and terminate threads. Support for cross-session thread creation.
    - Get thread exit code
    - Get main thread
    - Manage TEB32/TEB64
    - Join threads
    - Suspend and resume threads
    - Set/Remove hardware breakpoints

    Pattern search
    - Search for arbitrary pattern in local or remote process

    Remote code execution
    - Execute functions in remote process
    - Assemble own code and execute it remotely
    - Support for cdecl/stdcall/thiscall/fastcall conventions
    - Support for arguments passed by value, pointer or reference, including structures
    - FPU types are supported
    - Execute code in new thread or any existing one

    Remote hooking
    - Hook functions in remote process using int3 or hardware breakpoints
    - Hook functions upon return

    Manual map features. This is a slightly updated and improved version of my DarkMMap project
    - x86 and x64 image support
    - Mapping into any arbitrary unprotected process
    - Section mapping with proper memory protection flags
    - Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
    - Imports and Delayed imports are resolved
    - Bound import is resolved as a side effect, I think
    - Module exports
    - Loading of forwarded export images
    - Api schema name redirection
    - SxS redirection and isolation
    - Activation context support
    - Dll path resolving similar to native load order
    - TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
    - Static TLS
    - Exception handling support (SEH and C++)
    - Adding module to some native loader structures (for basic module api support: GetModuleHandle, GetProcAddress, etc.)
    - Security cookie initialization
    - C++/CLI images are supported
    - Image unloading
    - Increase reference counter for import libraries in case of manual import mapping
    - Cyclic dependencies are handled properly

    The repository contains a test application to demonstrate basic usage.

    Library is licensed under the MIT License. Dependencies are under their respective licenses.

    Source - Blackbone - GitHub

    Because of c++11 usage, VS2013 or higher is required to compile it. GCC, Clang and ICC aren't officially supported yet, I'm planning to add compiler support a bit later.

    Enjoy.
    Last edited by DarthTon; 12-26-2013 at 08:56 AM.

  2. #2
    d3rrial

    Nice, very interesting. Looks pretty good at a first glance.

    Looks like C++11? Maybe worth mentioning
    Last edited by d3rrial; 12-25-2013 at 02:37 PM.

  3. #3
    DarthTon

    Yes, I used some of c++11 features. But for me it's already like c++03, nothing extraordinary and unusual that is worth mentioning.

  4. #4
    d3rrial

    For you not, of course, the boost libs are also almost second nature to me now, but people aren't born with all knowledge

    Point is: Some compilers need extra flags to compile c++11 compliant, so I think it's worth a tiny note

  6. #5
    DrD

    To anyone who has trouble with this library, you can get VADPurgeDef.h from his DarkMM svn. Also your compiler needs to fully support C++11, the November CTM didn't work for me with VS 2012. So I loaded it up in VS 2013 and it compiles and works fine. It's a nice clean library, thanks for sharing it.

  7. #6
    DarthTon

    Originally Posted by DrD
    To anyone who has trouble with this library, you can get VADPurgeDef.h from his DarkMM svn. Also your compiler needs to fully support C++11, the November CTM didn't work for me with VS 2012. So I loaded it up in VS 2013 and it compiles and works fine. It's a nice clean library, thanks for sharing it.

    Thanks for the note. I've added the missing VADPurgeDef.h into the project and added notes about compiler support.

  8. #7
    Cypher

    Nice! Thanks for sharing.

  9. #8
    _Mike

    Looks good. Thanks for sharing. +Rep
    Just one question (maybe I'm misunderstanding the description)
    - Adding module to some native loader structures (for basic module api support: GetModuleHandle, GetProcAddress, etc.)
    If you're going to make the module visible to win32, why not LoadLibrary() it?

  10. #9
    DarthTon

    Originally Posted by _Mike
    If you're going to make the module visible to win32, why not LoadLibrary() it?

    Module isn't entirely visible, it still has no section object and isn't present in any list used in module enumeration functions. Also it's a completely optional feature implemented via flag.
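
Added example, not part of the original thread and not Blackbone code: the reply above says a manually mapped module has no section object and is absent from the module enumeration lists, and the feature list also mentions unlinking modules from loader lists. A defender can look for both by comparing a memory-region snapshot (fields as reported by VirtualQueryEx) with the enumerated module list. The snapshot, the addresses and the names `audit`, `region`, `SAMPLE_REGIONS` and `SAMPLE_MODULES` are constructed for illustration, and reading "no section object" as "memory type is not MEM_IMAGE" is an assumption.

```python
from collections import defaultdict

MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000   # memory types from winnt.h
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80         # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

def audit(regions, modules):
    """Return (alloc_base, verdict, has_pe_header) for every executable
    allocation that no enumerated module accounts for."""
    allocs = defaultdict(list)
    for r in regions:                          # group regions by allocation
        allocs[r["alloc_base"]].append(r)
    findings = []
    for base, parts in sorted(allocs.items()):
        if not any(p["protect"] & EXEC_MASK for p in parts):
            continue                           # no executable pages here
        if any(m["base"] <= base < m["base"] + m["size"] for m in modules):
            continue                           # covered by the enumerated list
        first = min(parts, key=lambda p: p["base"])
        has_pe = first["head"][:2] == b"MZ"    # DOS header at the allocation base
        if all(p["type"] == MEM_IMAGE for p in parts):
            verdict = "unlisted-image"         # section-backed, missing from the list
        else:
            verdict = "unbacked-code"          # executable, no image section (assumption)
        findings.append((base, verdict, has_pe))
    return findings

def region(base, alloc_base, protect, mtype, head=b""):
    return {"base": base, "alloc_base": alloc_base,
            "protect": protect, "type": mtype, "head": head}

# Constructed snapshot: one listed DLL, a heap, a PE image in private memory,
# a JIT-style RWX buffer, and a section-backed image missing from the list.
SAMPLE_MODULES = [{"name": "listed.dll", "base": 0x7FF800000000, "size": 0x20000}]
SAMPLE_REGIONS = [
    region(0x7FF800000000, 0x7FF800000000, 0x02, MEM_IMAGE, b"MZ"),
    region(0x7FF800001000, 0x7FF800000000, 0x20, MEM_IMAGE),
    region(0x001A0000, 0x001A0000, 0x04, MEM_PRIVATE),
    region(0x002B0000, 0x002B0000, 0x02, MEM_PRIVATE, b"MZ\x90\x00"),
    region(0x002B1000, 0x002B0000, 0x20, MEM_PRIVATE),
    region(0x003C0000, 0x003C0000, 0x40, MEM_PRIVATE, b"\x48\x89"),
    region(0x7FF810000000, 0x7FF810000000, 0x02, MEM_IMAGE, b"MZ"),
    region(0x7FF810001000, 0x7FF810000000, 0x20, MEM_IMAGE),
]

if __name__ == "__main__":
    for base, verdict, has_pe in audit(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(f"{base:#x} {verdict} pe_header={has_pe}")
```

Executable private memory also comes from JIT compilers, so the PE-header flag is what distinguishes the first finding in the sample from the second.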

  11. #10
    wtblife

    The TestApp seems to always stop at "Trying to map C:\windows\system32\calc.exe into current process" for me. Does anyone else have this issue?

  12. #11
    Cypher

    Both x86 and x64 work* for me as long as I run it normally. Tested on Windows 8.1 x64.

    Both crash if you enable Application Verifier. It seems there are two issues. The first isn't a big deal (just passing a null handle to an API), but the second actually causes a crash under both architectures.**

    I'm opening bugs on github now.

    * Remote function call test doesn't crash, but it also doesn't work, because CSRSS is a protected process in Windows 8.1.

    ** May not actually be the fault of the library, it depends on what's crashing and why.
    Last edited by Cypher; 03-02-2014 at 07:37 PM.

  13. #12
    DarthTon

    Thanks for the reports. I'm investigating this right now. The Verifier crash most likely has something to do with the APC mechanism. Will do more research myself.

    Originally Posted by wtblife
    The TestApp seems to always stop at "Trying to map C:\windows\system32\calc.exe into current process" for me. Does anyone else have this issue?

    What is your OS version?

  14. #13
    wtblife

    Originally Posted by DarthTon
    What is your OS version?

    Windows 7 v6.1 x64

    Just to be clear, the program runs and doesn't crash or anything, it just seems to get stuck at that point.

  15. #14
    DarthTon

    Originally Posted by wtblife
    Just to be clear, the program runs and doesn't crash or anything, it just seems to get stuck at that point.

    It's OK. Main thread awaits completion of loaded image entry routine. Because calc is an .exe and not a .dll, TestApp will wait until calc main thread is terminated.

  16. #15
    NiKitos_

    How do you compile BlackBoneDrv? I compile in VS 2013 (Professional), with WDK 8.1 SDK installed. It writes a lot of mistakes on the type mismatch, etc., although nothing stresses. Please tell me, what else should I do? Thanks


    http://savepic.su/5115369.png
    Last edited by NiKitos_; 02-21-2015 at 04:23 AM.
