Examples
=======================

Memory search & basic operations
--------------------------------

.. code-block:: python

    import pyjectify

    # Open notepad process (only the first found if multiple instances of notepad are running)
    notepad = pyjectify.open('notepad.exe')[0]

    # Use the pattern "secret( is)?: (.){10}", but encoded in utf-16-le because Notepad uses wchar_t
    words = ['secret', ' is', ': ', '.']
    pattern = b'%b(%b)?%b(%b){10}' % tuple(e.encode('utf-16-le') for e in words)

    # Search for the secret in notepad's memory
    addrs = notepad.memscan.scan(pattern)

    # Process found addresses
    for addr in addrs:
        secret = notepad.process.read(addr, 50).decode('utf-16-le')
        print('[+] Found secret:', secret)
        notepad.process.write(addr, ('*'*len(secret)).encode('utf-16-le')) # let's hide the secret!

    # Reset memscan to discard found addresses and perform a new search
    notepad.memscan.reset()

Python code injection
---------------------

.. code-block:: python

    import pyjectify

    # Open notepad process
    notepad = pyjectify.open('notepad.exe')[0]

    # Inject Python DLL
    notepad.pythonlib.python_mod = notepad.inject.load_library("C:\\path\\to\\python-embed\\python311.dll")

    # Run some Python code from notepad
    notepad.pythonlib.initialize()
    notepad.pythonlib.exec('import os; os.system("calc.exe")')

    # Undo all initializations
    notepad.pythonlib.finalize()

Set up an inline hook written in Python
---------------------------------------

.. code-block:: python

    import pyjectify

    # Open notepad process & inject Python DLL
    notepad = pyjectify.open('notepad.exe')[0]
    notepad.pythonlib.python_mod = notepad.inject.load_library("C:\\path\\to\\python-embed\\python311.dll")
    notepad.pythonlib.initialize()

    # Let's hook GetClipboardData!
    # Step 1: define our new function
    pycode = """
    import ctypes
    def GetClipboardData(uFormat:ctypes.c_uint) -> ctypes.c_void_p:
        ctypes.windll.user32.MessageBoxW(0, "I hooked you :D", "MyNewGetClipboardData", 0)
        return o_GetClipboardData(uFormat)
    """
    notepad.pythonlib.exec(pycode)

    # Step 2: get original function address and set up a trampoline (of 15 bytes size)
    user32 = notepad.process.get_module('user32.dll')
    oaddr = user32.exports['GetClipboardData'] + user32.base_addr
    trampoline_addr = notepad.hook.trampoline(oaddr, 15)

    # Step 3: prepare Python function hooking, i.e. create o_GetClipboardData and get our Python GetClipboardData address
    hook_addr = notepad.pythonlib.prepare_hook('GetClipboardData', trampoline_addr)

    # Step 4: inline hook
    notepad.hook.inline(oaddr, hook_addr)

Advanced DLL injection
----------------------

.. code-block:: python

    import pyjectify

    # Open processes
    proc1 = pyjectify.open('proc1.exe')[0]
    proc2 = pyjectify.open('proc2.exe')[0]

    # Extract a library from proc1's memory
    module = proc1.process.get_module('module.dll')

    # Extract common syscalls from ntdll.dll and wrap them into an ntdll-like object
    syscall = pyjectify.windows.Syscall()
    syscall.get_common(from_disk=True)

    # Use direct syscalls to operate on proc2 (memory read / write / protect, thread creation...)
    proc2.process.ntdll = syscall

    # Inject the module directly from memory into proc2, at a random location, without PE headers, and do not call the DLL entry point
    injected_mod = proc2.inject.memory_loader(module, prefer_base_addr=False, copy_headers=False, call_entry_point=False)

    # Run a function from the injected module
    proc2.process.start_thread(injected_mod.base_addr + injected_mod.exports['SomeExportedFunction'])