Multi-platform python package for memory editing
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
xerool 46e9456fd4 linux: wait for process before detach, and send SIGCONT
I had issues with the ptrace call failing because the process had not yet stopped
From this stackoverflow answer, it seems that you can use waitpid to
wait until the process is actually stopped. In python, this is exposed
as os.waitpid.

Additionally, the process was left frozen. I send a SIGCONT to continue
the process after the detach, so that it isn't left stopped.
2 years ago
mem_edit linux: wait for process before detach, and send SIGCONT 2 years ago
.gitignore update gitignore 5 years ago initial commit 7 years ago Move version number into VERSION file 5 years ago clean up whitespace 5 years ago update email 3 years ago


mem_edit is a multi-platform memory editing library written in Python.



  • Scan all readable memory used by a process.
    • Optionally restrict searches to regions with read + write permissions.
    • Report on address space allocation
  • Read/write using ctypes objects
    • Basic types, e.g. ctypes.c_ulong()
    • Arrays, e.g. (ctypes.c_byte * 4)()
    • Instances of ctypes.Structure or ctypes.Union and subclasses.
  • Run on Windows and Linux



  • python 3 (written and tested with 3.7)
  • ctypes
  • typing (for type annotations)

Install with pip, from PyPI (preferred):

pip3 install mem_edit

Install with pip from git repository

pip3 install git+


Most functions and classes are documented inline. To read the inline help,

import mem_edit


Increment a magic number (unsigned long 1234567890) found in 'magic.exe':

    import ctypes
    from mem_edit import Process

    magic_number = ctypes.ulong(1234567890)

    pid = Process.get_pid_by_name('magic.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(magic_number)

        # We don't want to edit if there's more than one result...
        assert(len(addrs) == 1)

        # We don't actually have to read the value here, but let's do so anyways...
        num_ulong = p.read_memory(addrs[0], ctypes.c_ulong())
        num = num_ulong.value

        p.write_memory(addrs[0], ctypes.c_ulong(num + 1))

Narrow down a search after a value changes:

    import ctypes
    from mem_edit import Process

    initial_value = 40
    final_value = 55

    pid = Process.get_pid_by_name('monitor_me.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(ctypes.c_int(initial_value))

        input('Press enter when value has changed to ' + str(final_value))

        filtered_addrs = p.search_addresses(addrs, ctypes.c_int(final_value))

        print('Found addresses:')
        for addr in filtered_addrs:

Read and alter a structure:

    import ctypes
    from mem_edit import Process

    class MyStruct(ctypes.Structure):
        _fields_ = [
               ('first_member', ctypes.c_ulong),
               ('second_member', ctypes.c_void_p),

    pid = Process.get_pid_by_name('something.exe')

    with Process.open_process(pid) as p:
        s = MyStruct()
        s.first_member = 1234567890
        s.second_member = 0x1234

        addrs = p.search_all_memory(s)

        p.write_memory(0xafbfe0, s)