Examples
Memory search & basic operations
import pyjectify

# Attach to the first notepad.exe instance found; any further running
# instances are ignored.
notepad = pyjectify.open('notepad.exe')[0]

# Build the regex "secret( is)?: (.){10}" from its UTF-16-LE encoded
# pieces, because Notepad stores its text as wchar_t.
words = ['secret', ' is', ': ', '.']
encoded = tuple(e.encode('utf-16-le') for e in words)
pattern = b'%b(%b)?%b(%b){10}' % encoded

# Scan notepad's memory for every location matching the pattern.
addrs = notepad.memscan.scan(pattern)

# For each hit: read 50 bytes, print them as UTF-16-LE text and overwrite
# the same span with asterisks.
for addr in addrs:
    raw = notepad.process.read(addr, 50)
    secret = raw.decode('utf-16-le')
    print('[+] Found secret:', secret)
    mask = ('*' * len(secret)).encode('utf-16-le')
    notepad.process.write(addr, mask)  # let's hide the secret!

# Forget the recorded addresses so the next scan starts from scratch.
notepad.memscan.reset()
Python code injection
import pyjectify

# Attach to the first notepad.exe instance found.
notepad = pyjectify.open('notepad.exe')[0]

# Load the embeddable Python runtime into notepad and hand the returned
# module to pythonlib. Replace the path with the location of your own
# python-embed distribution.
python_dll = "C:\\path\\to\\python-embed\\python311.dll"
notepad.pythonlib.python_mod = notepad.inject.load_library(python_dll)

# Bring the interpreter up inside notepad and execute a snippet there.
notepad.pythonlib.initialize()
notepad.pythonlib.exec('import os; os.system("calc.exe")')

# Tear the interpreter down again, undoing the initialization above.
notepad.pythonlib.finalize()
Set up an inline hook written in Python
import pyjectify

# Attach to notepad and load the embeddable Python runtime into it.
notepad = pyjectify.open('notepad.exe')[0]
notepad.pythonlib.python_mod = notepad.inject.load_library("C:\\path\\to\\python-embed\\python311.dll")
notepad.pythonlib.initialize()

# Target: user32!GetClipboardData.
# Step 1: define the replacement inside the injected interpreter. It pops a
# message box, then forwards the call to o_GetClipboardData, which is
# created in step 3 below.
pycode = """
import ctypes
def GetClipboardData(uFormat:ctypes.c_uint) -> ctypes.c_void_p:
    ctypes.windll.user32.MessageBoxW(0, "I hooked you :D", "MyNewGetClipboardData", 0)
    return o_GetClipboardData(uFormat)
"""
notepad.pythonlib.exec(pycode)

# Step 2: resolve the original function's address and set up a 15-byte
# trampoline for it.
user32 = notepad.process.get_module('user32.dll')
oaddr = user32.base_addr + user32.exports['GetClipboardData']
trampoline_addr = notepad.hook.trampoline(oaddr, 15)

# Step 3: bind o_GetClipboardData to the trampoline and obtain the address
# of our Python GetClipboardData.
hook_addr = notepad.pythonlib.prepare_hook('GetClipboardData', trampoline_addr)

# Step 4: redirect the original entry point to our hook.
notepad.hook.inline(oaddr, hook_addr)
Advanced DLL injection
import pyjectify

# Attach to the source process (proc1) and the target process (proc2).
proc1 = pyjectify.open('proc1.exe')[0]
proc2 = pyjectify.open('proc2.exe')[0]

# Take module.dll as it is currently mapped in proc1's memory.
module = proc1.process.get_module('module.dll')

# Build an ntdll-like object exposing the common functions as direct
# syscalls; from_disk=True resolves them from ntdll.dll on disk.
syscall = pyjectify.windows.Syscall()
syscall.get_common(from_disk=True)

# Route proc2's memory read/write/protect and thread creation through
# those direct syscalls instead of the regular ntdll.
proc2.process.ntdll = syscall

# Map the extracted module into proc2 straight from memory: at a random
# base (prefer_base_addr=False), without PE headers (copy_headers=False)
# and without calling the DLL entry point (call_entry_point=False).
injected_mod = proc2.inject.memory_loader(
    module,
    prefer_base_addr=False,
    copy_headers=False,
    call_entry_point=False,
)

# Start one of the injected module's exports in a new thread.
export_rva = injected_mod.exports['SomeExportedFunction']
proc2.process.start_thread(injected_mod.base_addr + export_rva)