A simple and safe-ish memory reading and writing utility written in pure C, with a small portion of assembly for syscalls.
As said before, the utility uses syscalls for:
Opening and Closing the handle
Reading and Writing memory
Allocating memory
Querying memory
Note: This does not mean it's "undetected". It still calls functions like CreateToolhelp32Snapshot, which can easily be detected.
Getting started
This memory library revolves around one main struct called Process. When you create a new process, the Process is manually allocated and returned as a pointer, so you will also need to free it. The Process struct contains the handle, pid, baseAddress and baseSize.

struct Process {
    HANDLE handle;
    DWORD pid;
    uintptr_t baseAddress;
    uintptr_t baseSize;
};

With a specific macro you can also choose whether the functions you are going to use are members of the struct or global functions.

#define FUNCS // remove if you don't want the functions in the Process struct

struct Process {
    HANDLE handle;
    DWORD pid;
    uintptr_t baseAddress;
    uintptr_t baseSize;
#ifdef FUNCS
    // function pointers, present only when FUNCS is defined
    bool (*ReadMemory)(Process* process, uintptr_t address, void* out_buffer, size_t size);
    bool (*WriteMemory)(Process* process, uintptr_t address, void* data, size_t size);
    uintptr_t (*Rebase)(Process* process, uintptr_t address);
    uintptr_t (*PatternScan)(Process* proc, const char* pattern);
    Module* (*Module)(Process* process, const char* name);
    void* (*Allocate)(Process* process, SIZE_T size);
    void (*Terminate)(Process* process);
#endif
};

#ifndef FUNCS
// global equivalents, declared only when FUNCS is not defined
uintptr_t rebase(Process* proc, uintptr_t address);
bool write_memory(Process* proc, uintptr_t address, const void* data, size_t size);
bool read_memory(Process* proc, uintptr_t address, void* out_buffer, size_t size);
void terminate(Process* proc);
uintptr_t find_pattern(Process* process, const char* pattern);
Module* get_module(Process* process, const char* name);
void* allocate_memory(Process* process, SIZE_T size);
#endif

In this example I will be focusing on the option where the functions are within the struct and not just normal functions.
Creating a new process
Creating a new process only requires its name; the library does the rest itself.
Note that the program will automatically close if the target program is not found.
Reading memory
Reading memory using this library is fairly simple, as it requires 4 main variables: the process pointer, the address you want to read, the buffer you want to read into, and the size of the type that you want to read.
Writing memory
Writing memory is just as easy as reading memory and requires the same 4 variables, but in this case there is no out buffer. Instead there is a data "buffer", which needs to hold a valid value.
Rebase
As you have seen in ReadMemory, there is also a function that lets you rebase an address.
Pattern scanning
Pattern scanning is also pretty straightforward, since you only need the process pointer and the pattern you want to scan for.
To get the offset from the output address just do it like this
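An added example, not code from this library: pattern scanning and the address-to-offset step, run over a local constructed buffer instead of another process. The pattern syntax (space-separated hex bytes, `?` or `??` as a wildcard), the function names and the arithmetic (offset = match address minus base) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_PAT 64
/* Constructed sample bytes standing in for a module image (not real code). */
static const uint8_t sample_image[] = {0x90, 0x48, 0x8B, 0x05, 0x10, 0x20, 0xC3, 0x48, 0x8B, 0x0D, 0xC3};

static int hexval(char c) {                      /* -1 if c is not a hex digit */
    if (c >= '0' && c <= '9') return c - '0';
    return ((c | 0x20) >= 'a' && (c | 0x20) <= 'f') ? (c | 0x20) - 'a' + 10 : -1;
}

/* "48 8B ? 10" -> bytes + mask (1 = must match, 0 = wildcard); returns length, 0 if malformed. */
static size_t parse_pattern(const char *text, uint8_t *bytes, uint8_t *mask) {
    size_t n = 0;
    while (*text) {
        if (*text == ' ') { text++; continue; }
        if (n == MAX_PAT) return 0;              /* pattern too long for the buffers */
        if (*text == '?') {                      /* "?" or "??": one wildcard byte */
            mask[n] = 0; bytes[n++] = 0; text += (text[1] == '?') ? 2 : 1;
            continue;
        }
        int hi = hexval(text[0]), lo = hi < 0 ? -1 : hexval(text[1]);
        if (lo < 0) return 0;                    /* every literal needs two hex digits */
        mask[n] = 1; bytes[n++] = (uint8_t)((hi << 4) | lo); text += 2;
    }
    return n;
}

/* Scan a local buffer; returns the address of the first match, or 0 if there is none. */
static uintptr_t find_pattern_local(const uint8_t *base, size_t size, const char *pattern) {
    uint8_t bytes[MAX_PAT], mask[MAX_PAT];
    size_t n = parse_pattern(pattern, bytes, mask);
    for (size_t i = 0; n && i + n <= size; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || base[i + j] == bytes[j])) j++;
        if (j == n) return (uintptr_t)(base + i);
    }
    return 0;
}

/* Assumed arithmetic: offset = address - module base; rebasing is the inverse. */
static uintptr_t to_offset(uintptr_t base, uintptr_t address) { return address - base; }
static uintptr_t rebase_local(uintptr_t base, uintptr_t offset) { return base + offset; }

int main(void) {
    uintptr_t base = (uintptr_t)sample_image;
    uintptr_t hit = find_pattern_local(sample_image, sizeof sample_image, "48 8B ?? C3");
    if (hit) printf("offset 0x%zx\n", (size_t)to_offset(base, hit));
    return hit && rebase_local(base, to_offset(base, hit)) == hit ? 0 : 1;
}
```

An offset stays valid when the module loads at a different base, which is why a scan result is stored as an offset and rebased on each run.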
Getting a module
Getting a loaded module (e.g. RobloxPlayerBeta.dll) is really simple. It returns a Module struct, which contains the entry data itself (MODULEENTRY32) and the baseAddress of the loaded module directly.
Allocating memory
Allocating memory only requires the size to allocate, and that is about it.
Terminating the process
Terminating the process can be done using the Terminate method.