Windows-Substrate

(Currently being rewritten in C# for maintainability and feature purposes) (https://github.com/evilexecutable/Windows-Substrate)

Windows process memory hacking framework created in Python and winappdbg.

This was originally a project called hackManager by SirFroweey (https://github.com/SirFroweey/hackManager).

Installation

Not available on pip yet. Drop the "Substrate" folder in C:\Python27\Libs and call it as below.

Documentation

http://hackmanager.readthedocs.io/en/latest/

Examples

To update the windows Registry to change the Windows 10 title bar color:

from Substrate.hack import Hack

color = 0xFF0000

Hack.change_reg_key('HKEY_CURRENT_USER', "Software\\Microsoft\\Windows\\DWM", "REG_SZ", "AccentColor", color)

To create a simple Python file to renames Notepad.exe into something else, you could achieve that via:

from Substrate.hack import Hack

Hack.change_window_title("Notepad.exe", "Changed Notepad.exe")

To create a hack for a game, you should be able to do something similar to:

from Substrate.hack import Hack

FAKE_HEALTH_ADDRESS = 0x01123123 # memory address found using Cheat Engine or your preferred Debugger (Olly, Immunity).
h = Hack("Game.exe")
h.write_int(FAKE_HEALTH_ADDRESS, 100)

Internal (main process) function hooking

You can hook onto the processes internal functions following this method. add_internal_hook takes three parameters, the third being optional: function_memory_address, function_handle, signatures. The signatures parameter allows you to parse values related to this function directly from the stack.

from Substrate.hack import Hack
 
 
def function_handle(event, ra, **kwargs):
    print "Function hit!"
 
    
h = Hack("mb_warband.exe")
h.add_internal_hook(0x004961FC, function_handle)
h.hook()
h.safe_exit()

External library (DLL) hooking

You can hook onto Kernel and DLL functions within' a process. In this example, we hook onto RUST's(game) Dedicated Server and hook onto its WinSock SendTo DLL function calls. This allows us to sniff(analyze) process-specific traffic. This requires a little research on your part though. For example, you need to know what parameters the DLL functions require. You can easily pull this up on Google Search by typing something like, i.e: "WinSock sendto msdn". The Microsoft Developer Network is fulled with tons of documentation for its DLLs like Winsock. You can add as many hooks as you want, for the same DLL or different ones. Simply call the class-method add_hook(DLL_Name, DLL_Function, function_handler).

from Substrate.hack import Hack
 
def sendto(event, ra, s, buf, length, flags, to, tolength):     
    data = event.get_process().peek(buf, length)
    print "Send: " + data + "\n" 
 
h = Hack("rust_server.exe") 
h.add_hook("ws2_32.dll", "sendto", sendto) 
h.hook() 
h.safe_exit()

Call of Duty: Black Ops 2 - No recoil hack

Singleplayer & Multiplayer hack that removes every weapons recoil effect.

from Substrate.hack import Hack  # Absolute memory address 
 
 
BLACKOPS_RECOIL_ADDRESS = 0x004AF328 # You can also supply the base address and a offset like, i.e.:
# BLACKOPS_RECOIL_ADDRESS = instance.base_address + 0xAF328  
 
# No recoil value 
BLACKOPS_NO_RECOIL_VALUE = 117 
target = "t6mp.exe" 
 
instance = Hack(target) 
print instance.base_address # main modules base address (0x400000) 
 
print instance.read_char(BLACKOPS_RECOIL_ADDRESS) # returns the following:  ( value, label ) 
# label is: t6mp.exe(base address) + offset print 
# instance.read_char(BLACKOPS_RECOIL_ADDRESS) 
 
# update value with 117(NO RECOIL VALUE) 
instance.write_char(BLACKOPS_RECOIL_ADDRESS, BLACKOPS_NO_RECOIL_VALUE)

Accessing and modifying data structures within' an application (or game)

In this example we are hooking on the game's Winsock sendto DLL function and accessing its Structure directly via ctypes. We are also accessing the data directly via peek. Both methods work great, however, if you want to access Structure fields in a clean manner, the ctypes approach is preferred.

from Substrate.hack import Hack 
import ctypes 
 
# Winsock sockaddr structure.
class sockaddr(ctypes.Structure): 
    _fields_ = [         
        ("sa_family", ctypes.c_ushort),
        ("sa_data", ctypes.c_char * 14), 
    ]  
 
 
def sendto(event, ra, s, buf, length, flags, to, tolength):     
    p = event.get_process()     
    data = p.peek(buf, length)
    to_struct = p.read_structure(to, sockaddr) 
    print "BUFFER DATA: " + repr(data) + "\n"     
    print "ACCESSING SPECIFIC STRUCTURE sa_data field:", repr(to_struct.sa_data) 
    print "PEEKING WHOLE STRUCTURE DATA:", repr(p.peek(to, tolength))
 
 game = Hack("game.exe") 
 h.add_hook("ws2_32.dll", "sendto", sendto) 
 h.hook() 
 h.safe_exit()

Retrieving and interacting with running threads

You can retrieve the list of the processes running threads with the Hack.get_threads() class-method. You can use this to your advantage to supervise the amount of threads your processes currently has running and to analyze them individually. Remember that Substrate is built on top of winappdbg, thus you are able to execute thread-related class-methods like, i.e: thread_instance.set_name(), thread_instance.is_hidden(), thread_instance.set_process(), thread_instance.kill(), thread_instance.name(), thread_instance.resume(), thread_instance.suspend(), to name a few. When you call Hack.get_threads(), the list of threads are stored on your Hack() instances thread global variable. Thus you can access it with Hack_instance.threads. It's stored as a dictionary. The thread id's being the keys for the dictionary. Check the winappdbg documentation for more information regarding iteraction with threads. Remember: Substrate returns winappdbg.Thread instances.

from Substrate.hack import Hack 
h = Hack("game.exe") 
h.get_threads() 
print h.threads # returns dictionary, with the keys being the individual threads id's.

Retrieving the list of imported DLLs(libraries).

You can retrieve the list of loaded(imported) DLLs(libraries) within' the process by accessing the module_base_dict global variable. The module_base_dict is a dictionary with the keys being the module names and the values being their base addresses.

from Substrate.hack import Hack  
h = Hack("game.exe") 
print h.module_base_dict

Retrieving list of running processes

You can retrieve the list of currently running processes by not supplying a target process name within' your Hack() instance. Then you access the list by calling Hack().running.

from Substrate.hack import Hack 
h = Hack() 
print h.running

Hack() instance variables overview

Hack.module_base_dict

The module_base_dict is a dictionary with the keys being the module names and the values being their base addresses.

Hack.threads

Python dictionary containing lists of running threads on the target process defined in Hack("PROCESSNAME"). Keys are thread id's, the value being the thread object itself. Refer to the python winappdbg documentation for more information on what type of functionality you can perform on threads.

Hack.base_address

Base address of target process defined in Hack("PROCESSNAME").