I had issues with the ptrace call failing because the process had not yet stopped from SIGSTOP. From this stackoverflow answer, it seems that you can use waitpid to wait until the process is actually stopped. In python, this is exposed as os.waitpid. https://stackoverflow.com/questions/20510300/ptrace-detach-fails-after-ptrace-cont-with-errno-esrch#20525326 Additionally, the process was left frozen. I send a SIGCONT to continue the process after the detach, so that it isn't left stopped.
|5 months ago|
|mem_edit||5 months ago|
|.gitignore||3 years ago|
|LICENSE.md||5 years ago|
|MANIFEST.in||3 years ago|
|README.md||3 years ago|
|setup.py||1 year ago|
mem_edit is a multi-platform memory editing library written in Python.
- Scan all readable memory used by a process.
- Optionally restrict searches to regions with read + write permissions.
- Report on address space allocation
- Read/write using ctypes objects
- Basic types, e.g.
- Arrays, e.g.
(ctypes.c_byte * 4)()
- Instances of
ctypes.Structure or ctypes.Unionand subclasses.
- Basic types, e.g.
- Run on Windows and Linux
- python 3 (written and tested with 3.7)
- typing (for type annotations)
Install with pip, from PyPI (preferred):
pip3 install mem_edit
Install with pip from git repository
pip3 install git+https://mpxd.net/code/jan/mem_edit.git@release
Most functions and classes are documented inline. To read the inline help,
import mem_edit help(mem_edit.Process)
Increment a magic number (unsigned long 1234567890) found in 'magic.exe':
import ctypes from mem_edit import Process magic_number = ctypes.ulong(1234567890) pid = Process.get_pid_by_name('magic.exe') with Process.open_process(pid) as p: addrs = p.search_all_memory(magic_number) # We don't want to edit if there's more than one result... assert(len(addrs) == 1) # We don't actually have to read the value here, but let's do so anyways... num_ulong = p.read_memory(addrs, ctypes.c_ulong()) num = num_ulong.value p.write_memory(addrs, ctypes.c_ulong(num + 1))
Narrow down a search after a value changes:
import ctypes from mem_edit import Process initial_value = 40 final_value = 55 pid = Process.get_pid_by_name('monitor_me.exe') with Process.open_process(pid) as p: addrs = p.search_all_memory(ctypes.c_int(initial_value)) input('Press enter when value has changed to ' + str(final_value)) filtered_addrs = p.search_addresses(addrs, ctypes.c_int(final_value)) print('Found addresses:') for addr in filtered_addrs: print(hex(addr))
Read and alter a structure:
import ctypes from mem_edit import Process class MyStruct(ctypes.Structure): _fields_ = [ ('first_member', ctypes.c_ulong), ('second_member', ctypes.c_void_p), ] pid = Process.get_pid_by_name('something.exe') with Process.open_process(pid) as p: s = MyStruct() s.first_member = 1234567890 s.second_member = 0x1234 addrs = p.search_all_memory(s) print(addrs) p.write_memory(0xafbfe0, s)