|
BlackBone
Windows memory hacking library
|
Public Member Functions | |
| BLACKBONE_API NTSTATUS | EnsureLoaded (const std::wstring &path=L"") |
| Try to load driver if it isn't loaded More... | |
| BLACKBONE_API NTSTATUS | Reload (std::wstring path=L"") |
| Reload driver More... | |
| BLACKBONE_API NTSTATUS | Unload () |
| Unload driver More... | |
| BLACKBONE_API NTSTATUS | DisableDEP (DWORD pid) |
| Disable DEP for process Has no effect on native x64 processes More... | |
| BLACKBONE_API NTSTATUS | ProtectProcess (DWORD pid, bool enable) |
| Change process protection flag More... | |
| BLACKBONE_API NTSTATUS | PromoteHandle (DWORD pid, HANDLE handle, DWORD access) |
| Change handle access rights More... | |
| BLACKBONE_API NTSTATUS | AllocateMem (DWORD pid, ptr_t &base, ptr_t &size, DWORD type, DWORD protection, bool physical=false) |
| Allocate virtual memory More... | |
| BLACKBONE_API NTSTATUS | FreeMem (DWORD pid, ptr_t base, ptr_t size, DWORD type) |
| Free virtual memory More... | |
| BLACKBONE_API NTSTATUS | ReadMem (DWORD pid, ptr_t base, ptr_t size, PVOID buffer) |
| Read process memory More... | |
| BLACKBONE_API NTSTATUS | WriteMem (DWORD pid, ptr_t base, ptr_t size, PVOID buffer) |
| Write process memory More... | |
| BLACKBONE_API NTSTATUS | ProtectMem (DWORD pid, ptr_t base, ptr_t size, DWORD protection) |
| Change memory protection More... | |
| BLACKBONE_API NTSTATUS | MapMemory (DWORD pid, const std::wstring &pipeName, bool mapSections, MapMemoryResult &result) |
| Maps target process memory into current process More... | |
| BLACKBONE_API NTSTATUS | MapMemoryRegion (DWORD pid, ptr_t base, uint32_t size, MapMemoryRegionResult &result) |
| Maps single memory region into current process More... | |
| BLACKBONE_API NTSTATUS | UnmapMemory (DWORD pid) |
| Unmap memory of the target process from current More... | |
| BLACKBONE_API NTSTATUS | UnmapMemoryRegion (DWORD pid, ptr_t base, uint32_t size) |
| Unmap single memory region If unmapped region size is smaller than the size specified during map, function will return info about 2 regions that emerged after unmap More... | |
| BLACKBONE_API NTSTATUS | InjectDll (DWORD pid, const std::wstring &path, InjectType itype, uint32_t initRVA=0, const std::wstring &initArg=L"", bool wait=true) |
| Inject DLL into arbitrary process More... | |
| BLACKBONE_API NTSTATUS | MMapDriver (const std::wstring &path) |
| Manually map another system driver into system space More... | |
| BLACKBONE_API NTSTATUS | ConcealVAD (DWORD pid, ptr_t base, uint32_t size) |
| Make VAD region appear as PAGE_NO_ACESS to NtQueryVirtualMemory More... | |
| BLACKBONE_API bool | loaded () const |
| Check if driver is loaded More... | |
Static Public Member Functions | |
|
static BLACKBONE_API DriverControl & | Instance () |
| NTSTATUS blackbone::DriverControl::AllocateMem | ( | DWORD | pid, |
| ptr_t & | base, | ||
| ptr_t & | size, | ||
| DWORD | type, | ||
| DWORD | protection, | ||
| bool | physical = false |
||
| ) |
Allocate virtual memory
| pid | Tarhet PID |
| base | Desired base. If 0 address is chosed by the system |
| size | Region size |
| type | Allocation type - MEM_RESERVE/MEM_COMMIT |
| protection | Memory protection |
| NTSTATUS blackbone::DriverControl::ConcealVAD | ( | DWORD | pid, |
| ptr_t | base, | ||
| uint32_t | size | ||
| ) |
Make VAD region appear as PAGE_NO_ACESS to NtQueryVirtualMemory
| pid | Target process ID |
| base | Region base |
| size | Region size |
| NTSTATUS blackbone::DriverControl::DisableDEP | ( | DWORD | pid | ) |
Disable DEP for process Has no effect on native x64 processes
| pid | Target PID |
| NTSTATUS blackbone::DriverControl::EnsureLoaded | ( | const std::wstring & | path = L"" | ) |
Try to load driver if it isn't loaded
| path | Path to the driver file |
| NTSTATUS blackbone::DriverControl::FreeMem | ( | DWORD | pid, |
| ptr_t | base, | ||
| ptr_t | size, | ||
| DWORD | type | ||
| ) |
Free virtual memory
| pid | Tarhet PID |
| base | Desired base. If 0 address is chosed by the system |
| size | Region size |
| type | Free type - MEM_RELEASE/MEM_DECOMMIT |
| NTSTATUS blackbone::DriverControl::InjectDll | ( | DWORD | pid, |
| const std::wstring & | path, | ||
| InjectType | itype, | ||
| uint32_t | initRVA = 0, |
||
| const std::wstring & | initArg = L"", |
||
| bool | wait = true |
||
| ) |
Inject DLL into arbitrary process
| pid | Target PID. |
| path | Full qualified dll path. |
| itype | Injection type |
| initRVA | Init routine RVA |
| initArg | Init routine argument |
| wait | Wait for injection |
|
inline |
Check if driver is loaded
| NTSTATUS blackbone::DriverControl::MapMemory | ( | DWORD | pid, |
| const std::wstring & | pipeName, | ||
| bool | mapSections, | ||
| MapMemoryResult & | result | ||
| ) |
Maps target process memory into current process
| pid | Target PID |
| pipeName | Pipe name to use for hook data transfer |
| mapSections | The map sections. |
| result | Results |
| NTSTATUS blackbone::DriverControl::MapMemoryRegion | ( | DWORD | pid, |
| ptr_t | base, | ||
| uint32_t | size, | ||
| MapMemoryRegionResult & | result | ||
| ) |
Maps single memory region into current process
| pid | Target PID |
| base | Region base address |
| size | Region size |
| result | Mapped region info |
| NTSTATUS blackbone::DriverControl::MMapDriver | ( | const std::wstring & | path | ) |
Manually map another system driver into system space
| path | Fully quialified path to the drver |
| NTSTATUS blackbone::DriverControl::PromoteHandle | ( | DWORD | pid, |
| HANDLE | handle, | ||
| DWORD | access | ||
| ) |
Change handle access rights
| pid | Target PID. |
| handle | Handle |
| access | New access |
| NTSTATUS blackbone::DriverControl::ProtectMem | ( | DWORD | pid, |
| ptr_t | base, | ||
| ptr_t | size, | ||
| DWORD | protection | ||
| ) |
Change memory protection
| pid | Target PID. |
| base | Regiod base address |
| size | Region size |
| protection | New protection |
| NTSTATUS blackbone::DriverControl::ProtectProcess | ( | DWORD | pid, |
| bool | enable | ||
| ) |
Change process protection flag
| pid | Target PID |
| enable | true to enable protection, false to disable |
| NTSTATUS blackbone::DriverControl::ReadMem | ( | DWORD | pid, |
| ptr_t | base, | ||
| ptr_t | size, | ||
| PVOID | buffer | ||
| ) |
Read process memory
| pid | Target PID |
| base | Target base |
| size | Data size |
| buffer | Buffer address |
| NTSTATUS blackbone::DriverControl::Reload | ( | std::wstring | path = L"" | ) |
Reload driver
| path | Path to the driver file |
| NTSTATUS blackbone::DriverControl::Unload | ( | ) |
Unload driver
| NTSTATUS blackbone::DriverControl::UnmapMemory | ( | DWORD | pid | ) |
Unmap memory of the target process from current
| pid | Target PID |
| NTSTATUS blackbone::DriverControl::UnmapMemoryRegion | ( | DWORD | pid, |
| ptr_t | base, | ||
| uint32_t | size | ||
| ) |
Unmap single memory region If unmapped region size is smaller than the size specified during map, function will return info about 2 regions that emerged after unmap
| pid | Target PID |
| base | Region base |
| size | Region size |
| result | Unampped region info |
| NTSTATUS blackbone::DriverControl::WriteMem | ( | DWORD | pid, |
| ptr_t | base, | ||
| ptr_t | size, | ||
| PVOID | buffer | ||
| ) |
Write process memory
| pid | Target PID |
| base | Target base |
| size | Data size |
| buffer | Buffer address |
1.8.8 
