Skip to content
This repository has been archived by the owner on Jun 27, 2024. It is now read-only.

KethoMemoryToolKit is a set of tools used by me to change OPCODES of the memory of any process running in the operating system of specific offsets(RVA) from an ImageBase.

License

Notifications You must be signed in to change notification settings

MCBEDOC/KethoMemoryToolKit

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

KethoMemoryToolKit

KethoMemoryToolKit is a set of tools used by me to change OPCODES of the memory of any process running in the operating system of specific offsets(RVA) from an ImageBase.

Examples of use:

Let's create an instance for KethoLib

    /// <summary>
    ///    Create a new instance for KethoLib
    /// </summary>
    KethoLib* ketholib = new KethoLib();

Let's open a process running on the operating system so that we can freely modify it:

  • You need to enter the name of the process
  • A Handle will be returned for the process
    /// <summary>
    ///     Opens a process
    /// </summary>
    /// <returns>Returns the Process Handle</returns>
    HANDLE hProcess = ketholib->abrirProcessoPeloNome(L"myprocess.exe");

We will obtain the moduleBase of the module in which we want to modify the process, for that it is enough that it is loaded in memory, in this case we will obtain the basis of the process in question:

  • Use the KethoLib method (getProcessInfo) it will return a DWORD with the process PID
  • Finally pass the name of the base you want to load, if it is the base of the process, repeat the name again.
    /// <summary>
    ///     Obtains the base module of any defined module of the process, even of itself
    /// </summary>
    /// <returns>An uintptr_t containing the Module Base</returns>
    uintptr_t modulebase = ketholib->getModuleBaseAddress(ketholib->getProcessInfo(L"myprocess.exe"),
        L"myprocess.exe");

We will prepare the vectors containing the addresses (RVA) and the modified Opcodes to modify in the process memory:

  • Prefer to use the unsigned int data type for the vector.
    /// <summary>
    ///     We define the Offsets (RVA), where the Assembly instructions (Opcodes) that we want to modify are present
    /// </summary>
    std::vector<unsigned int> x64PatchAddress = { 0x8E953E, 0x8E953F, 0x8E9540,
                                                  0x8E9541, 0x937565, 0xBBD333,
                                                  0xBBD334, 0xBBD335, 0x1929EF6 };

    
    /// <summary>
    ///     We define the Opcodes that will be modified in memory, one for each equivalent RVA address position.
    /// </summary>
    std::vector<unsigned int>x64AssemblyOpcodes = {
                                                     0xE9, 0x07, 0x01,
                                                     0x00, 0xEB, 0xE9,
                                                     0x8C, 0x00, 0xEB };

Let's prepare an array to read the Opcodes from the process memory:

    /// <summary>
    ///     Vector to store OPCODES (Hex) read from process memory
    /// </summary>
    std::vector<uint8_t>bbyte;

Let's call the method responsible for reading the opcodes for each RVA in memory individually and retrieving the OPCODES:

    /// <summary>
    ///     This method will read opcodes for a given RVA from the process memory
    ///     the result will be stored in std :: vector <uint8_t> passed as a pointer
    /// </summary>
    ketholib->readMemoryOpcodes(hProcess, modulebase, x64PatchAddress, &bbyte);

We will replace the opcodes for the RVA addresses in question with our new modified Opcodes:

    /// <summary>
    ///     This method will replace opcodes for a given RVA from process memory
    ///     addresses must be passed together with their respective opcode patches for each position
    /// </summary>
    ketholib->writeMemoryOpcodes(hProcess, modulebase, x64PatchAddress, x64AssemblyOpcodes);

Example showing the contents of the OPCODES read from the process memory:

    /// <summary>
    ///     We will write on the screen the contents (OPCODES) read from the process memory
    /// </summary>
    std::cout << "\nAssembly Original: \n";

    std::cout << "Byte:: " << std::endl;

    for (int i = 0; i < bbyte.size(); ++i) {
        std::cout << std::hex << unsigned(bbyte.at(i)) << " ";
    }

For more examples

See the source file: KethoLibraryCodeExemple.cpp

Or watch the following video tutorial: COMING SOON!

Copyright (C) Keowu | KethoLib OpenSource | please leave a like in the repository if this library is useful for you

About

KethoMemoryToolKit is a set of tools used by me to change OPCODES of the memory of any process running in the operating system of specific offsets(RVA) from an ImageBase.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 67.7%
  • C 32.3%