Hey Guys,
I have been working at my memory class aswell as a few other small misc applications, I just wanted to share my work with you as im pretty proud of it now
I have included a ReadMe.txt it shows you everything you need to know. Please Leave Feedback <3
Features:
Read & Write Memory (Pointer Support)
AOB Scan - Scan An Area Of Memory For An Address With Specific Bytes
Patch - Patch OpCodes
Code Injection - Allocate A Random Area Of Memory To Write A Jmp/Call (Codecave)
I have been working at my memory class aswell as a few other small misc applications, I just wanted to share my work with you as im pretty proud of it now
I have included a ReadMe.txt it shows you everything you need to know. Please Leave Feedback <3
Features:
Read & Write Memory (Pointer Support)
AOB Scan - Scan An Area Of Memory For An Address With Specific Bytes
Patch - Patch OpCodes
Code Injection - Allocate A Random Area Of Memory To Write A Jmp/Call (Codecave)
About Class V1.3:
This Class Was Created By Nether For guidedhacking.com And Was Designed For Use Via Console
Applications, You Can Adapt The Ideology Of Many Of These Functions To Forms And Dll's.
I Have Tried My Best To Comment As Much Code As Possible, I Will Continue To Comment More
And Re-Comment Functions I May Have Explained Incorrectly - Please Let Me Know If You Have Any Ideas.
If You Find Any Bugs, Or Code That Could Be Improved To Be More Efficient Please Contact Me
Via GuidedHacking.com (Profile Nether).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Credits:
Fleep - Provided Method For Hotkeys To Activate Only Once When Pushed.
AgentSmith - Opened My Eyes To A Lot Of Things I Was Doing Wrong And Steered Me In The Right Direction.
NTValk - Helped Me When I Posted For Help On GH (Was Awhile Ago, Still Deserves Credit As This Has Been A Journey Of Learning And Everything Helps).
Random Posts On GuidedHacking From Members, I Was Able To Pick Up A Few Things From These Threads/Posts.
Everyone At GuidedHacking Who Supported Me.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Features:
Read & Write Memory (Pointer Support)
AOB Scan - Scan An Area Of Memory For An Address With Specific Bytes
Patch - Patch OpCodes
Code Injection - Allocate A Random Area Of Memory To Write A Jmp/Call (Codecave)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Usage:
//Declarations
ProcMem mem("Process.exe"); //Declare Class Constructor With Process Name
DWORD Base = mem.dwBase; //Define Process Base
//Basic Memory Functions
mem.read<int>(0x76999A1); //Basic Read Memory (You Must Declare What Type/Size Of Data You Are Reading <short> | <2> etc)
mem.read<int>(Base+0x3699B); //Process.exe+0x3699B (Using Base)
mem.write<int>(0x76999A1, 1337); //Basic Write
mem.write<float>(Base+0x3699B, 13.37); //Example Of Writing A <float>
//Pointer Memory Functions (readP - Returns The Address)
mem.readP<int>(0x76999A1, "\x2C\x5B\?", true); //Input Offsets In Order As Char* | ATTENTION: MUST ALWAYS Put '?' At The End Of Your Array (true)RETURNS THE VALUE
mem.readP<int>(Base+0x3699B, "\x2C\x5B\?", false); //(false)RETURNS THE ADDRESS
//Patch Memory Function
mem.Patch(0x76999A1, "\x90\x90\x90\?", "\x4B\x0\x8F\?"); //Input The Bytes You Want To Patch And Also The Default Bytes
mem.Patch(Base+0x3699B, "\x90\x90\x90\?", "\x4B\x0\x8F\?"); //Process.exe+0x3699B (Using Base)
//AOB Scan Function - DO NOT USE '?' At The End Of This Array
DWORD AOBAddress = mem.AOBscan(0x76999A1, 0x76999C1, "\x8B\x3C\x28\xDD", 4); //Start Scan At Address 0x76999A1 And Read Every Byte From There To 0x76999C1, Looking For Char* Array (Returns Address)
DWORD AOBAddress1 = mem.AOBscan(Base+0x6999A1, Base+0x6999C1, "\x8B\x3C\x28\xDD", 4); //Declare How Many Bytes Your Searching For (4)
mem.write<int>(AOBAddress, 1337); //Example Of Usage
mem.write<int>(AOBAddress1, 1337); //Example Of Usage
//AOB Scan With Pointers
DWORD StartAddy = mem.readP<int>(0x76999A1, "\x2C\x5B\?", false);
DWORD EndAddy = mem.readP<int>(0x76999A1, "\xB2\x68\x8B\?", false);
DWORD AOBAddress = mem.AOBscan(StartAddy, EndAddy, "\x8B\x3C\x28\xDD", 4);
//Code Injection Function (Codecave)
mem.Inject(Base+0x1C8B39, "\xC7\x86\x84\x1\x0\x0\x0\x0\x0\x0\?", "\x89\xBE\x84\x1\x0\x0\?", true); //Input Bytes To Write/Inject Followed By The Default Bytes At The Address (Use CE AA Script To Get Bytes) (true = JMP)
mem.Inject(0x38B39, "\xC7\x86\x84\x1\x0\x0\x0\x0\x0\x0\?", "\x89\xBE\x84\x1\x0\x0\?", false); //Call Jmp Function (false) [Has Not Been Fully Tested]
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
Compile As Release
When Compiling Check You Are Building The Correct Build (x64 | x32) For The Target Process.
Do Not Have 2x Inject Functions In A Row (They Will Conflict), Have Them In Seperate Statements.
When Using The Patch Or Inject Function, Have Them Set To A Hotkey So You Can Turn On/Off.
You Can Use Pointers With The AOB Scan/Patch/Inject Functions, Adapt The AOB Scan Example For Others.
I Aim To Release A Tutorial For Creating A Memory Class Before Moving Onto Creating Dll's - Still Have Few More Updates For This Class (Mainly Comments + Code Improvments).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Exit Codes:
1 = The Process Could Not Be Found, Make Sure You Have Correctly Name The Process In The Constructor In Source.cpp [ProcMem mem("Process.exe");] Names Are Case Sensitive.
2 = You Are Trying To Grab Information From A (32|64) Bit Application With The Wrong Build - Double Check Your Build.
3 = AOB Scan Failure, You Have Either Got The Wrong Start/End Address Or Bytes Double Check All.
4 = Code Injection Failure - The Default Bytes Must Be More Than 5 [E.G Address Has 2 Bytes, You Must Use The Bytes Of The Next Insctruction(Address) 5 Bytes Away].
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Updates To Come V1.4:
Cleaner Code + More Efficient.
More Comments + Improved Explanations.
Add Some Sort Of Memory Integrity Check Function.
Hopefully Get Feedback And Ideas For New Functions.
Freeze Value Function Using WatchPoint(Breakpoints) If Possible, I Think Breakpointing Addresses Are Only Viable In A Dll.
Advanced Error Handeling.
Support For Reading & Writing Strings In ASCII (Plain Text - String).
This Class Was Created By Nether For guidedhacking.com And Was Designed For Use Via Console
Applications, You Can Adapt The Ideology Of Many Of These Functions To Forms And Dll's.
I Have Tried My Best To Comment As Much Code As Possible, I Will Continue To Comment More
And Re-Comment Functions I May Have Explained Incorrectly - Please Let Me Know If You Have Any Ideas.
If You Find Any Bugs, Or Code That Could Be Improved To Be More Efficient Please Contact Me
Via GuidedHacking.com (Profile Nether).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Credits:
Fleep - Provided Method For Hotkeys To Activate Only Once When Pushed.
AgentSmith - Opened My Eyes To A Lot Of Things I Was Doing Wrong And Steered Me In The Right Direction.
NTValk - Helped Me When I Posted For Help On GH (Was Awhile Ago, Still Deserves Credit As This Has Been A Journey Of Learning And Everything Helps).
Random Posts On GuidedHacking From Members, I Was Able To Pick Up A Few Things From These Threads/Posts.
Everyone At GuidedHacking Who Supported Me.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Features:
Read & Write Memory (Pointer Support)
AOB Scan - Scan An Area Of Memory For An Address With Specific Bytes
Patch - Patch OpCodes
Code Injection - Allocate A Random Area Of Memory To Write A Jmp/Call (Codecave)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Usage:
//Declarations
ProcMem mem("Process.exe"); //Declare Class Constructor With Process Name
DWORD Base = mem.dwBase; //Define Process Base
//Basic Memory Functions
mem.read<int>(0x76999A1); //Basic Read Memory (You Must Declare What Type/Size Of Data You Are Reading <short> | <2> etc)
mem.read<int>(Base+0x3699B); //Process.exe+0x3699B (Using Base)
mem.write<int>(0x76999A1, 1337); //Basic Write
mem.write<float>(Base+0x3699B, 13.37); //Example Of Writing A <float>
//Pointer Memory Functions (readP - Returns The Address)
mem.readP<int>(0x76999A1, "\x2C\x5B\?", true); //Input Offsets In Order As Char* | ATTENTION: MUST ALWAYS Put '?' At The End Of Your Array (true)RETURNS THE VALUE
mem.readP<int>(Base+0x3699B, "\x2C\x5B\?", false); //(false)RETURNS THE ADDRESS
//Patch Memory Function
mem.Patch(0x76999A1, "\x90\x90\x90\?", "\x4B\x0\x8F\?"); //Input The Bytes You Want To Patch And Also The Default Bytes
mem.Patch(Base+0x3699B, "\x90\x90\x90\?", "\x4B\x0\x8F\?"); //Process.exe+0x3699B (Using Base)
//AOB Scan Function - DO NOT USE '?' At The End Of This Array
DWORD AOBAddress = mem.AOBscan(0x76999A1, 0x76999C1, "\x8B\x3C\x28\xDD", 4); //Start Scan At Address 0x76999A1 And Read Every Byte From There To 0x76999C1, Looking For Char* Array (Returns Address)
DWORD AOBAddress1 = mem.AOBscan(Base+0x6999A1, Base+0x6999C1, "\x8B\x3C\x28\xDD", 4); //Declare How Many Bytes Your Searching For (4)
mem.write<int>(AOBAddress, 1337); //Example Of Usage
mem.write<int>(AOBAddress1, 1337); //Example Of Usage
//AOB Scan With Pointers
DWORD StartAddy = mem.readP<int>(0x76999A1, "\x2C\x5B\?", false);
DWORD EndAddy = mem.readP<int>(0x76999A1, "\xB2\x68\x8B\?", false);
DWORD AOBAddress = mem.AOBscan(StartAddy, EndAddy, "\x8B\x3C\x28\xDD", 4);
//Code Injection Function (Codecave)
mem.Inject(Base+0x1C8B39, "\xC7\x86\x84\x1\x0\x0\x0\x0\x0\x0\?", "\x89\xBE\x84\x1\x0\x0\?", true); //Input Bytes To Write/Inject Followed By The Default Bytes At The Address (Use CE AA Script To Get Bytes) (true = JMP)
mem.Inject(0x38B39, "\xC7\x86\x84\x1\x0\x0\x0\x0\x0\x0\?", "\x89\xBE\x84\x1\x0\x0\?", false); //Call Jmp Function (false) [Has Not Been Fully Tested]
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
Compile As Release
When Compiling Check You Are Building The Correct Build (x64 | x32) For The Target Process.
Do Not Have 2x Inject Functions In A Row (They Will Conflict), Have Them In Seperate Statements.
When Using The Patch Or Inject Function, Have Them Set To A Hotkey So You Can Turn On/Off.
You Can Use Pointers With The AOB Scan/Patch/Inject Functions, Adapt The AOB Scan Example For Others.
I Aim To Release A Tutorial For Creating A Memory Class Before Moving Onto Creating Dll's - Still Have Few More Updates For This Class (Mainly Comments + Code Improvments).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Exit Codes:
1 = The Process Could Not Be Found, Make Sure You Have Correctly Name The Process In The Constructor In Source.cpp [ProcMem mem("Process.exe");] Names Are Case Sensitive.
2 = You Are Trying To Grab Information From A (32|64) Bit Application With The Wrong Build - Double Check Your Build.
3 = AOB Scan Failure, You Have Either Got The Wrong Start/End Address Or Bytes Double Check All.
4 = Code Injection Failure - The Default Bytes Must Be More Than 5 [E.G Address Has 2 Bytes, You Must Use The Bytes Of The Next Insctruction(Address) 5 Bytes Away].
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Updates To Come V1.4:
Cleaner Code + More Efficient.
More Comments + Improved Explanations.
Add Some Sort Of Memory Integrity Check Function.
Hopefully Get Feedback And Ideas For New Functions.
Freeze Value Function Using WatchPoint(Breakpoints) If Possible, I Think Breakpointing Addresses Are Only Viable In A Dll.
Advanced Error Handeling.
Support For Reading & Writing Strings In ASCII (Plain Text - String).
C++:
#ifndef INCLUDES_H //If Not Defined
#define INCLUDES_H //Define Now
#pragma once //Define Once
#include <iostream> //Constains Input/Output Functions (cin/cout etc..)
#include <windows.h> //Standard Windows Header
#include <TlHelp32.h> //Contains Read/Write Functions
#include <string> //Support For Strings
#include <ctime> //Time Information (Create Timers etc..)
#include "ProcMem.h" //Memory Class Header
#endif
C++:
#ifndef PROCMEM_H
#define PROCMEM_H
#include "Includes.h" //Include External Header Containing Global Includes
class ProcMem{
private:
//HANDLES
HANDLE hProcess; //Main Handle
//ENTRY POINTS
MODULEENTRY32 mEntry; //Declare Module Entry Structure
PROCESSENTRY32 pEntry; //Declare Process Entry Structure
//STORAGE
DWORD dwPID; //Storage For Process ID
DWORD dwProt; //Storage For VirtualProtectEx
DWORD dwProt2; //Storage For VirtualProtectEx
DWORD dwCaveAddress; //Storage For Codecave Address
//MISC
BOOL On; //Boolean For Patch Function (On/Off)
BOOL iOn; //Boolean For Inject Function (On/Off)
public:
//PUBLIC STORAGE
DWORD dwBase; //Storage For Process Base Address
//FUNCTION PROTOTYPES
ProcMem(char* ProcessName);
DWORD AOBscan(DWORD dwStart, DWORD dwEnd, char *Bytes, int ilength);
BOOL Inject(DWORD dwAddress, char *Inj_Bts, char *Def_Bts, BOOL Type);
#pragma region MEMORY FUNCTIONS
//Get Length Of Array's
int iLength(char *Array){
int length = NULL;
for(int i = 1; i < 100; i++)
{
length++; //Increase length Until We See '?'
if(Array[i] == '?') //Use '?' At The End Of An Array So It Knows When To Stop Counting
{
break;
}
}
return length;
}
//READ MEMORY
template <class cData>
cData read(DWORD dwAddress)
{
cData Read; //Generic Variable To Store Data
VirtualProtectEx(hProcess, (LPVOID)dwAddress, sizeof(cData), PAGE_EXECUTE_READWRITE, &dwProt); //Remove Read/Write Protection By Giving It New Permissions
ReadProcessMemory(hProcess, (LPVOID)dwAddress, &Read, sizeof(cData), NULL); //Win API - Reads Data At Specified Location
VirtualProtectEx(hProcess, (LPVOID)dwAddress, sizeof(cData), dwProt, &dwProt2); //Restore The Old Permissions After You Have Red The dwAddress
return Read; //Returns Value At Specified dwAddress
}
//WRITE MEMORY
template <class cData>
void write(DWORD dwAddress, cData ValueToWrite)
{
VirtualProtectEx(hProcess, (LPVOID)dwAddress, sizeof(cData), PAGE_EXECUTE_READWRITE, &dwProt);
WriteProcessMemory(hProcess, (LPVOID)dwAddress, &ValueToWrite, sizeof(cData), NULL);
VirtualProtectEx(hProcess, (LPVOID)dwAddress, sizeof(cData), dwProt, &dwProt2);
}
//READ MEMORY - Pointer
template <class cData>
cData readP(DWORD dwAddress, char *Offset, BOOL Type){
int iSize = iLength(Offset); //Get Size Of *Array
cData ReadP;
DWORD dwTMP; //Storage For Address + Red Bytes
ReadP = read<cData>((DWORD)dwAddress); //Store The Value At 'dwAddress' In ReadP (cData Var)
for(int i = 0; i < iSize; i++) //Loop/Count From 0 (First Array Element) To Array Size End
{
dwTMP = ReadP + Offset[i]; //Store 'ReadP' Value (hex) + Offsett[i] As Hex Value (Pointer dwAddress)
ReadP = read<cData>((DWORD)dwTMP); //Read The New Value And Store Inside ReadP (Hex Value = Pointer dwAddress)
}
if(!Type)
{
return dwTMP; //Return Address
}else
{
return ReadP; //Return Value
}
}
//WRITE MEMORY - Pointer
template <class cData>
void writeP(DWORD dwAddress, char *Offset, cData Val){
int iSize = iLength(Offset);
DWORD dwTMP;
cData ReadP;
ReadP = read<cData>((DWORD)dwAddress);
for(int i = 0; i < iSize; i++) //Scan For Offsets
{
dwTMP = ReadP + Offset[i]; //Declaring Address For Each Byte To Read
ReadP = read<cData>((DWORD)dwTMP); //Read Offsets So You Can Calculate Next Address
}
write<cData>(dwTMP, Val); //Identical To Read Pointer, But Instead We Write To The Address Instead Of Reading It
}
//PATCH MEMORY
void Patch(DWORD dwAddress, char *Patch_Bts, char *Default_Bts){
int iSize = iLength(Default_Bts);
if(!On){
for(int i = 0; i < iSize; i++)
{
DWORD dwTMP = dwAddress + i;
write<BYTE>(dwTMP, Patch_Bts[i]); //Write Inject_Bts (Bytes) To The Address
}
}else{
for(int i = 0; i < iSize; i++)
{
DWORD dwTMP = dwAddress + i;
write<BYTE>(dwTMP, Default_Bts[i]); //Re-Write Original(Default) Bytes Back To The Address
}
}
On = !On;
}
#pragma endregion
};
#endif
Last edited: