Skip to main content

Multi-platform library for memory editing

Project description

mem_edit

mem_edit is a multi-platform memory editing library written in Python.

Homepage: https://mpxd.net/code/jan/mem_edit

Capabilities:

  • Scan all readable memory used by a process.
    • Optionally restrict searches to regions with read + write permissions.
    • Report on address space allocation
  • Read/write using ctypes objects
    • Basic types, e.g. ctypes.c_ulong()
    • Arrays, e.g. (ctypes.c_byte * 4)()
    • Instances of ctypes.Structure or ctypes.Union and subclasses.
  • Run on Windows and Linux

Installation

Dependencies:

  • python 3 (written and tested with 3.7)
  • ctypes
  • typing (for type annotations)

Install with pip, from PyPI (preferred):

pip3 install mem_edit

Install with pip from git repository

pip3 install git+https://mpxd.net/code/jan/mem_edit.git@release

Documentation

Most functions and classes are documented inline. To read the inline help,

import mem_edit
help(mem_edit.Process)

Examples

Increment a magic number (unsigned long 1234567890) found in 'magic.exe':

    import ctypes
    from mem_edit import Process

    magic_number = ctypes.ulong(1234567890)

    pid = Process.get_pid_by_name('magic.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(magic_number)

        # We don't want to edit if there's more than one result...
        assert(len(addrs) == 1)

        # We don't actually have to read the value here, but let's do so anyways...
        num_ulong = p.read_memory(addrs[0], ctypes.c_ulong())
        num = num_ulong.value

        p.write_memory(addrs[0], ctypes.c_ulong(num + 1))

Narrow down a search after a value changes:

    import ctypes
    from mem_edit import Process

    initial_value = 40
    final_value = 55

    pid = Process.get_pid_by_name('monitor_me.exe')
    with Process.open_process(pid) as p:
        addrs = p.search_all_memory(ctypes.c_int(initial_value))

        input('Press enter when value has changed to ' + str(final_value))

        filtered_addrs = p.search_addresses(addrs, ctypes.c_int(final_value))

        print('Found addresses:')
        for addr in filtered_addrs:
            print(hex(addr))

Read and alter a structure:

    import ctypes
    from mem_edit import Process

    class MyStruct(ctypes.Structure):
        _fields_ = [
               ('first_member', ctypes.c_ulong),
               ('second_member', ctypes.c_void_p),
               ]

    pid = Process.get_pid_by_name('something.exe')

    with Process.open_process(pid) as p:
        s = MyStruct()
        s.first_member = 1234567890
        s.second_member = 0x1234

        addrs = p.search_all_memory(s)
        print(addrs)

        p.write_memory(0xafbfe0, s)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for mem-edit, version 0.2
Filename, size & hash File type Python version Upload date
mem_edit-0.2-py3-none-any.whl (23.6 kB) View hashes Wheel py3
mem_edit-0.2.tar.gz (22.7 kB) View hashes Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page