Skip to content

qiaohang/Blackbone

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Blackbone

Windows memory hacking library

Features

  • x86 and x64 support

  • Process interaction

  • Manage PEB32/PEB64

  • Manage process through WOW64 barrier

  • Process Memory

  • Allocate and free virtual memory

  • Change memory protection

  • Read/Write virtual memory

  • Process modules

  • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.

  • Get exported function address

  • Get the main module

  • Unlink module from loader lists

  • Inject and eject modules (including pure IL images)

  • Inject 64bit modules into WOW64 processes

  • Manually map native PE images

  • Threads

  • Enumerate threads

  • Create and terminate threads. Support for cross-session thread creation.

  • Get thread exit code

  • Get main thread

  • Manage TEB32/TEB64

  • Join threads

  • Suspend and resume threads

  • Set/Remove hardware breakpoints

  • Pattern search

  • Search for arbitrary pattern in local or remote process

  • Remote code execution

  • Execute functions in remote process

  • Assemble own code and execute it remotely

  • Support for cdecl/stdcall/thiscall/fastcall conventions

  • Support for arguments passed by value, pointer or reference, including structures

  • FPU types are supported

  • Execute code in new thread or any existing one

  • Remote hooking

  • Hook functions in remote process using int3 or hardware breakpoints

  • Hook functions upon return

  • Manual map features

  • x86 and x64 image support

  • Mapping into any arbitrary unprotected process

  • Section mapping with proper memory protection flags

  • Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)

  • Imports and Delayed imports are resolved

  • Bound import is resolved as a side effect, I think

  • Module exports

  • Loading of forwarded export images

  • Api schema name redirection

  • SxS redirection and isolation

  • Activation context support

  • Dll path resolving similar to native load order

  • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.

  • Static TLS

  • Exception handling support (SEH and C++)

  • Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)

  • Security cookie initialization

  • C++/CLI images are supported

  • Image unloading

  • Increase reference counter for import libraries in case of manual import mapping

  • Cyclic dependencies are handled properly

License

Blackbone is licensed under the MIT License. Dependencies are under their respective licenses.

About

Windows memory hacking library

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published