Multi-platform python package for memory editing
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
xerool 46e9456fd4 linux: wait for process before detach, and send SIGCONT
I had issues with the ptrace call failing because the process had not yet stopped
from SIGSTOP.
From this stackoverflow answer, it seems that you can use waitpid to
wait until the process is actually stopped. In python, this is exposed
as os.waitpid.

https://stackoverflow.com/questions/20510300/ptrace-detach-fails-after-ptrace-cont-with-errno-esrch#20525326

Additionally, the process was left frozen. I send a SIGCONT to continue
the process after the detach, so that it isn't left stopped.
2 years ago
mem_edit linux: wait for process before detach, and send SIGCONT 2 years ago
.gitignore update gitignore 4 years ago
LICENSE.md initial commit 7 years ago
MANIFEST.in Move version number into VERSION file 5 years ago
README.md clean up whitespace 5 years ago
setup.py update email 3 years ago

README.md

mem_edit

mem_edit is a multi-platform memory editing library written in Python.

Homepage: https://mpxd.net/code/jan/mem_edit

Capabilities:

  • Scan all readable memory used by a process.
    • Optionally restrict searches to regions with read + write permissions.
    • Report on address space allocation
  • Read/write using ctypes objects
    • Basic types, e.g. ctypes.c_ulong()
    • Arrays, e.g. (ctypes.c_byte * 4)()
    • Instances of ctypes.Structure or ctypes.Union and subclasses.
  • Run on Windows and Linux

Installation

Dependencies:

  • python 3 (written and tested with 3.7)
  • ctypes
  • typing (for type annotations)

Install with pip, from PyPI (preferred):

pip3 install mem_edit

Install with pip from git repository

pip3 install git+https://mpxd.net/code/jan/mem_edit.git@release

Documentation

Most functions and classes are documented inline. To read the inline help,

import mem_edit
help(mem_edit.Process)

Examples

Increment a magic number (unsigned long 1234567890) found in 'magic.exe':

    import ctypes
    from mem_edit import Process

    magic_number = ctypes.ulong(1234567890)

    pid = Process.get_pid_by_name('magic.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(magic_number)

        # We don't want to edit if there's more than one result...
        assert(len(addrs) == 1)

        # We don't actually have to read the value here, but let's do so anyways...
        num_ulong = p.read_memory(addrs[0], ctypes.c_ulong())
        num = num_ulong.value

        p.write_memory(addrs[0], ctypes.c_ulong(num + 1))

Narrow down a search after a value changes:

    import ctypes
    from mem_edit import Process

    initial_value = 40
    final_value = 55

    pid = Process.get_pid_by_name('monitor_me.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(ctypes.c_int(initial_value))

        input('Press enter when value has changed to ' + str(final_value))

        filtered_addrs = p.search_addresses(addrs, ctypes.c_int(final_value))

        print('Found addresses:')
        for addr in filtered_addrs:
            print(hex(addr))

Read and alter a structure:

    import ctypes
    from mem_edit import Process

    class MyStruct(ctypes.Structure):
        _fields_ = [
               ('first_member', ctypes.c_ulong),
               ('second_member', ctypes.c_void_p),
               ]

    pid = Process.get_pid_by_name('something.exe')

    with Process.open_process(pid) as p:
        s = MyStruct()
        s.first_member = 1234567890
        s.second_member = 0x1234

        addrs = p.search_all_memory(s)
        print(addrs)

        p.write_memory(0xafbfe0, s)