Blackbone – Memory Hacking Library For Windows

Blackbone is a tool used to hack windows memory library. Blackbone is licensed under the MIT License. 

Features Of Blackbone

Process interaction
  1. Manage PEB32/PEB64
  2. Manage process through WOW64 barrier
Process Memory
  1. Allocate and free virtual memory
  2. Change memory protection
  3. Read/Write virtual memory

Also Read BLEAH – A BLE Scanner For SMART Devices Hacking

Process modules
  1. Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
  2. Get exported function address
  3. Get the main module
  4. Unlink module from loader lists
  5. Inject and eject modules (including pure IL images)
  6. Inject 64bit modules into WOW64 processes
  7. Manually map native PE images
Threads
  1. Enumerate threads
  2. Create and terminate threads. Support for cross-session thread creation.
  3. Get thread exit code
  4. Get main thread
  5. Manage TEB32/TEB64
  6. Join threads
  7. Suspend and resume threads
  8. Set/Remove hardware breakpoints
Pattern search
  1. Search for arbitrary pattern in local or remote process
Remote code execution
  1. Execute functions in remote process
  2. Assemble own code and execute it remotely
  3. Support for cdecl/stdcall/thiscall/fastcall conventions
  4. Support for arguments passed by value, pointer or reference, including structures
  5. FPU types are supported
  6. Execute code in new thread or any existing one
Remote hooking
  1. Hook functions in remote process using int3 or hardware breakpoints
  2. Hook functions upon return
Manual map features
  1. x86 and x64 image support
  2. Mapping into any arbitrary unprotected process
  3. Section mapping with proper memory protection flags
  4. Image relocations (only 2 types supported. I haven’t seen a single PE image with some other relocation types)
  5. Imports and Delayed imports are resolved
  6. Bound import is resolved as a side effect, I think
  7. Module exports
  8. Loading of forwarded export images
  9. Api schema name redirection
  10. SxS redirection and isolation
  11. Activation context support
  12. Dll path resolving similar to native load order
  13. TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  14. Static TLS
  15. Exception handling support (SEH and C++)
  16. Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
  17. Security cookie initialization
  18. C++/CLI images are supported
  19. Image unloading
  20. Increase reference counter for import libraries in case of manual import mapping
  21. Cyclic dependencies are handled properly
Driver features
  1. Allocate/free/protect user memory
  2. Read/write user and kernel memory
  3. Disable permanent DEP for WOW64 processes
  4. Change process protection flag
  5. Change handle access rights
  6. Remap process memory
  7. Hiding allocated user-mode memory
  8. User-mode dll injection and manual mapping
  9. Manual mapping of drivers

 

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

36 minutes ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

45 minutes ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

2 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago