|
BlackBone
Windows memory hacking library
|
|
BlackBone
Windows memory hacking library
|
Functions | |
| NTSTATUS | BBBuildProcessRegionListForRange (IN PLIST_ENTRY pList, IN ULONG_PTR start, IN ULONG_PTR end, IN BOOLEAN mapSections) |
| Enumerate committed, accessible, non-guarded memory regions More... | |
| NTSTATUS | BBPrepareMDLList (IN PLIST_ENTRY pList) |
| Walk region list and create MDL for each region More... | |
| NTSTATUS | BBPrepareMDLListEntry (IN PMAP_ENTRY pEntry) |
| Build MDL for memory region More... | |
| NTSTATUS | BBMapRegionListIntoCurrentProcess (IN PLIST_ENTRY pList, IN BOOLEAN noWarning) |
| Map locked physical pages into caller process More... | |
| NTSTATUS | BBMapRegionIntoCurrentProcess (IN PMAP_ENTRY pEntry, IN PMAP_ENTRY pPrevEntry) |
| Map locked physical pages into caller process More... | |
| NTSTATUS | BBAllocateSharedPage (OUT PVOID *pPage, OUT PMDL *pResultMDL) |
| Allocate kernel page from NonPaged pool and build MDL for it More... | |
| NTSTATUS | BBMapSharedPage (IN PMDL pMDL, OUT PVOID *pResult) |
| Map kernel page into current process address space More... | |
| NTSTATUS | BBConsolidateRegionList (IN PLIST_ENTRY pList) |
| Consolidate adjacent memory regions More... | |
| NTSTATUS | BBHandleSharedRegion (IN PMAP_ENTRY pEntry) |
| Process section object pages Function will attempt to trigger copy-on-write for underlying pages to convert them into private If copy-on-write fails, region will be then mapped as read-only More... | |
| NTSTATUS | BBUnmapRegionEntry (IN PMAP_ENTRY pPageEntry, IN PPROCESS_MAP_ENTRY pFoundEntry) |
| Unmap memory region, release corresponding MDL, and remove region form list More... | |
| PMAP_ENTRY | BBFindPageEntry (IN PLIST_ENTRY pList, IN ULONG_PTR baseAddress, IN ULONG_PTR size) |
| Find memory region containing at least one byte from specific region More... | |
| VOID | BBCleanupPageList (IN BOOLEAN attached, IN PLIST_ENTRY pList) |
| Unmap pages, destroy MDLs, remove entry from list More... | |
| NTSTATUS | BBSafeHandleClose (IN PEPROCESS pProcess, IN HANDLE handle, IN KPROCESSOR_MODE mode) |
| Close handle if process isn't in signaled state More... | |
| RTL_GENERIC_COMPARE_RESULTS | AvlCompare (IN RTL_AVL_TABLE *Table, IN PVOID FirstStruct, IN PVOID SecondStruct) |
| PVOID | AvlAllocate (IN RTL_AVL_TABLE *Table, IN CLONG ByteSize) |
| VOID | AvlFree (IN RTL_AVL_TABLE *Table, IN PVOID Buffer) |
| NTSTATUS | BBPrepareMDLListEntry (IN OUT PMAP_ENTRY pEntry) |
| Build MDL for memory region More... | |
| NTSTATUS | BBMapMemory (IN PMAP_MEMORY pRemap, OUT PPROCESS_MAP_ENTRY *ppEntry) |
| Map entire address space of target process into current Subsequent calls won't map any additional regions, only return info about existing mapping More... | |
| NTSTATUS | BBMapMemoryRegion (IN PMAP_MEMORY_REGION pRegion, OUT PMAP_MEMORY_REGION_RESULT pResult) |
| Map specific memory region More... | |
| NTSTATUS | BBUnmapMemory (IN PUNMAP_MEMORY pUnmap) |
| Unmap any mapped memory from host and target processes More... | |
| NTSTATUS | BBUnmapMemoryRegion (IN PUNMAP_MEMORY_REGION pRegion) |
| Unmap specific memory region More... | |
| VOID | BBCleanupProcessEntry (IN PPROCESS_MAP_ENTRY pProcessEntry) |
| Unmap all regions, delete MDLs, close handles, remove entry from table More... | |
| VOID | BBCleanupHostProcess (IN PPROCESS_MAP_ENTRY pProcessEntry) |
| Unmap any mapped pages from host process More... | |
| VOID | BBCleanupProcessTable () |
| Clear global process map table More... | |
| PPROCESS_MAP_ENTRY | BBLookupProcessEntry (IN HANDLE pid, IN BOOLEAN asHost) |
| Search process entry in list by PID More... | |
| NTSTATUS | BBGetRequiredRemapOutputSize (IN PLIST_ENTRY pList, OUT PULONG_PTR pSize) |
| Calculate size required to store mapping info More... | |
Variables | |
| RTL_AVL_TABLE | g_ProcessPageTables |
| KGUARDED_MUTEX | g_globalLock |
| PVOID AvlAllocate | ( | IN RTL_AVL_TABLE * | Table, |
| IN CLONG | ByteSize | ||
| ) |
| RTL_GENERIC_COMPARE_RESULTS AvlCompare | ( | IN RTL_AVL_TABLE * | Table, |
| IN PVOID | FirstStruct, | ||
| IN PVOID | SecondStruct | ||
| ) |
| VOID AvlFree | ( | IN RTL_AVL_TABLE * | Table, |
| IN PVOID | Buffer | ||
| ) |
| NTSTATUS BBAllocateSharedPage | ( | OUT PVOID * | pPage, |
| OUT PMDL * | pResultMDL | ||
| ) |
Allocate kernel page from NonPaged pool and build MDL for it
| pPage | Resulting address |
| pResultMDL | Resulting MDL |
| NTSTATUS BBBuildProcessRegionListForRange | ( | IN PLIST_ENTRY | pList, |
| IN ULONG_PTR | start, | ||
| IN ULONG_PTR | end, | ||
| IN BOOLEAN | mapSections | ||
| ) |
Enumerate committed, accessible, non-guarded memory regions
| pList | Region list |
| start | Region start |
| end | Region end |
| mapSections | If set to FALSE, section objects will be excluded from list |
| VOID BBCleanupHostProcess | ( | IN PPROCESS_MAP_ENTRY | pProcessEntry | ) |
Unmap any mapped pages from host process
| pProcessEntry | Process entry |
| VOID BBCleanupPageList | ( | IN BOOLEAN | attached, |
| IN PLIST_ENTRY | pList | ||
| ) |
Unmap pages, destroy MDLs, remove entry from list
| attached | TRUE indicates that function is executed in the context of host process and pages can be safely unmapped |
| pList | Region list |
| VOID BBCleanupProcessEntry | ( | IN PPROCESS_MAP_ENTRY | pProcessEntry | ) |
Unmap all regions, delete MDLs, close handles, remove entry from table
| pProcessEntry | Process entry |
| VOID BBCleanupProcessTable | ( | ) |
Clear global process map table
| NTSTATUS BBConsolidateRegionList | ( | IN PLIST_ENTRY | pList | ) |
Consolidate adjacent memory regions
| pList | Region list |
| PMAP_ENTRY BBFindPageEntry | ( | IN PLIST_ENTRY | pList, |
| IN ULONG_PTR | baseAddress, | ||
| IN ULONG_PTR | size | ||
| ) |
Find memory region containing at least one byte from specific region
| pList | Region list to search in |
| baseAddress | Base of region to find |
| size | Size of the region to find |
| NTSTATUS BBGetRequiredRemapOutputSize | ( | IN PLIST_ENTRY | pList, |
| OUT PULONG_PTR | pSize | ||
| ) |
Calculate size required to store mapping info
| pList | Mapped regions list |
| pSize | Resulting size |
| NTSTATUS BBHandleSharedRegion | ( | IN PMAP_ENTRY | pEntry | ) |
Process section object pages Function will attempt to trigger copy-on-write for underlying pages to convert them into private If copy-on-write fails, region will be then mapped as read-only
| pEntry | Region data |
| PPROCESS_MAP_ENTRY BBLookupProcessEntry | ( | IN HANDLE | pid, |
| IN BOOLEAN | asHost | ||
| ) |
Search process entry in list by PID
| pid | PID. |
| asHost | If set to TRUE, pid is treated as host PID |
| NTSTATUS BBMapMemory | ( | IN PMAP_MEMORY | pRemap, |
| OUT PPROCESS_MAP_ENTRY * | ppEntry | ||
| ) |
Map entire address space of target process into current Subsequent calls won't map any additional regions, only return info about existing mapping
Map entire address space of target process into current
| pRemap | Mapping params |
| ppEntry | Mapped context |
| NTSTATUS BBMapMemoryRegion | ( | IN PMAP_MEMORY_REGION | pRegion, |
| OUT PMAP_MEMORY_REGION_RESULT | pResult | ||
| ) |
Map specific memory region
| pRegion | Region data |
| pResult | Mapping results |
| NTSTATUS BBMapRegionIntoCurrentProcess | ( | IN PMAP_ENTRY | pEntry, |
| IN PMAP_ENTRY | pPrevEntry | ||
| ) |
Map locked physical pages into caller process
| pEntry | Memory region |
| pPrevEntry | Last mapped region |
| NTSTATUS BBMapRegionListIntoCurrentProcess | ( | IN PLIST_ENTRY | pList, |
| IN BOOLEAN | noWarning | ||
| ) |
Map locked physical pages into caller process
Map memory regions into caller process
| pList | Region list |
| noWarning | If set to FALSE, warning will be printed if region is already mapped |
| NTSTATUS BBMapSharedPage | ( | IN PMDL | pMDL, |
| OUT PVOID * | pResult | ||
| ) |
Map kernel page into current process address space
| pMDL | Page MDL |
| pResult | Mapped address |
| NTSTATUS BBPrepareMDLList | ( | IN PLIST_ENTRY | pList | ) |
Walk region list and create MDL for each region
| pList | Region list |
| NTSTATUS BBPrepareMDLListEntry | ( | IN PMAP_ENTRY | pEntry | ) |
Build MDL for memory region
| pEntry | Region data |
| NTSTATUS BBPrepareMDLListEntry | ( | IN OUT PMAP_ENTRY | pEntry | ) |
Build MDL for memory region
| pEntry | Region data |
| NTSTATUS BBSafeHandleClose | ( | IN PEPROCESS | pProcess, |
| IN HANDLE | handle, | ||
| IN KPROCESSOR_MODE | mode | ||
| ) |
Close handle if process isn't in signaled state
| pProcess | Process object |
| handle | Handle |
| mode | KernelMode or UserMode handle |
| NTSTATUS BBUnmapMemory | ( | IN PUNMAP_MEMORY | pUnmap | ) |
Unmap any mapped memory from host and target processes
| pUnmap | Request params |
| NTSTATUS BBUnmapMemoryRegion | ( | IN PUNMAP_MEMORY_REGION | pRegion | ) |
Unmap specific memory region
| pRegion | Region info |
| NTSTATUS BBUnmapRegionEntry | ( | IN PMAP_ENTRY | pPageEntry, |
| IN PPROCESS_MAP_ENTRY | pFoundEntry | ||
| ) |
Unmap memory region, release corresponding MDL, and remove region form list
| pPageEntry | Region data |
| pFoundEntry | Process data |
| KGUARDED_MUTEX g_globalLock |
| RTL_AVL_TABLE g_ProcessPageTables |
1.8.8 
