Blackbone: Windows Memory Hacking Library

Sun Nov 25, 2018 7:38 am

Available here.


x86 and x64 support
Process interaction

Manage PEB32/PEB64
Manage process through WOW64 barrier

Process Memory

Allocate and free virtual memory
Change memory protection
Read/Write virtual memory

Process modules

Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
Get exported function address
Get the main module
Unlink module from loader lists
Inject and eject modules (including pure IL images)
Inject 64bit modules into WOW64 processes
Manually map native PE images


Process threads

Enumerate threads
Create and terminate threads. Support for cross-session thread creation.
Get thread exit code
Get main thread
Manage TEB32/TEB64
Join threads
Suspend and resume threads
Set/Remove hardware breakpoints

Pattern search

Search for arbitrary pattern in local or remote process

Remote code execution

Execute functions in remote process
Assemble own code and execute it remotely
Support for cdecl/stdcall/thiscall/fastcall conventions
Support for arguments passed by value, pointer or reference, including structures
FPU types are supported
Execute code in new thread or any existing one

Remote hooking

Hook functions in remote process using int3 or hardware breakpoints
Hook functions upon return

Manual map features

x86 and x64 image support
Mapping into any arbitrary unprotected process
Section mapping with proper memory protection flags
Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
Imports and Delayed imports are resolved
Bound import is resolved as a side effect, I think
Module exports
Loading of forwarded export images
Api schema name redirection
SxS redirection and isolation
Activation context support
Dll path resolving similar to native load order
TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
Static TLS
Exception handling support (SEH and C++)
Adding module to some native loader structures (for basic module API support: GetModuleHandle, GetProcAddress, etc.)
Security cookie initialization
C++/CLI images are supported
Image unloading
Increase reference counter for import libraries in case of manual import mapping
Cyclic dependencies are handled properly

Driver features

Allocate/free/protect user memory
Read/write user and kernel memory
Disable permanent DEP for WOW64 processes
Change process protection flag
Change handle access rights
Remap process memory
Hiding allocated user-mode memory
User-mode dll injection and manual mapping
Manual mapping of drivers

Blackbone is licensed under the MIT License. Dependencies are under their respective licenses.
