A toolkit for interacting with Windows process memory
Invade
Invade is a Python 3 toolkit for interacting with the memory of Windows processes. Common uses include demonstrating software vulnerability proof of concepts, testing data exfiltration, software interoperability, malware research, aiding with debugging and reverse engineering, and computer game modifications.
https://github.com/cgio/invade
There are four main classes inside main.py:
- Me: Contains information about the operating environment.
- Scout: Contains information about active processes.
- Target: Contains information about the target process.
- Tool: Contains common and miscellaneous methods.
Common use case overview:
- Create an instance of Me and check the operating environment for compatibility.
- Use Scout to get a list of active processes and the desired PID (process identifier).
- Instantiate Target using the PID obtained by Scout.
- Check Target instance properties for information about the target process.
- Interact with the target process using Tool methods.
Another common use case is Invade's fast (for Python at least) byte pattern search with wildcard support. Operation is similar to IDA's "sequence of bytes" search. Use Tool.search_file_pattern() to search through a file on disk.
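As an added illustration of the kind of wildcard byte pattern search described above (this is example code written for this page, not Invade's own Tool.search_file_pattern() implementation, and the function names, the "?" wildcard token and the sample buffer are assumptions): the pattern is compiled into a bytes regular expression so the scanning loop runs in C rather than in Python, which is the usual way to make such a search fast in pure Python.

```python
import re
from typing import List, Optional

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Parse an IDA-style 'sequence of bytes' pattern such as
    '48 8B ? ? 89 5C' into a list of ints; None marks a wildcard byte.
    Token syntax ('?' or '??' for a wildcard) is an assumption for this example."""
    parsed: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parsed.append(None)
        elif len(tok) == 2 and all(c in HEX_DIGITS for c in tok):
            parsed.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    if not parsed:
        raise ValueError("empty pattern")
    return parsed


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn the parsed pattern into a bytes regex: literal bytes are escaped,
    wildcards become '.', and DOTALL lets '.' match 0x0A as well."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in parse_pattern(pattern)]
    return re.compile(b"".join(parts), re.DOTALL)


def search_bytes(data: bytes, pattern: str, overlapping: bool = True) -> List[int]:
    """Return every offset in `data` where `pattern` matches.
    With overlapping=True the scan resumes one byte after each hit, so
    matches that share bytes are all reported."""
    rx = compile_pattern(pattern)
    offsets: List[int] = []
    pos = 0
    while True:
        m = rx.search(data, pos)
        if m is None:
            break
        offsets.append(m.start())
        pos = m.start() + 1 if overlapping else m.end()
    return offsets


def search_file(path: str, pattern: str) -> List[int]:
    """Search a file on disk; offsets are relative to the start of the file."""
    with open(path, "rb") as fh:
        return search_bytes(fh.read(), pattern)


# Constructed sample buffer for demonstration; it is not taken from any real binary.
SAMPLE = bytes.fromhex(
    "90 90 48 8B 05 10 20 30 40 89 5C 24 08"
    "CC CC 48 8B 05 AA BB CC DD 89 5C 24 10"
    "00 48 8B 05 FF"
)

if __name__ == "__main__":
    # The 4-byte wildcard run stands in for a RIP-relative displacement.
    print(search_bytes(SAMPLE, "48 8B 05 ? ? ? ? 89 5C"))  # [2, 15]
    print(search_bytes(SAMPLE, "48 8B 05"))                # [2, 15, 27]
```

Because `re.escape` is applied to every literal byte, bytes that happen to be regex metacharacters (0x2E, 0x5B, and so on) are matched literally; forgetting that step is the classic bug in regex-based byte scanners.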
Tool.memory_read_pointers() is another useful method. With it, you can read through a series of dynamically allocated memory pointers in another process. The method accepts a string containing a start address and relative pointers with common arithmetic operators.
Static methods are frequently used to increase versatility.
Refer to main.py for additional information and usage instructions.
Installation
Python 3.6+ is required.
pip install invade
Keystone Engine for Python must be installed separately. Use the desired installer under Python module for Windows - Binaries.
Credits
Thanks to authors and contributors of the following projects:
- Python for Windows
- Keystone Engine (used to translate assembly into opcodes; often for injection or comparative purposes)
- Cuckoo Sandbox (debug privilege granting code has been adapted)
- pefile (used for gathering information about PE files)
Examples
See TODO for an example of KeePass password exfiltration.
Authors
- Chad Gosselin - https://github.com/cgio
License
This project is licensed under the MIT License. See the LICENSE.md file for details.