MacroMonkey.com - Home

Automation - Macro - Bot - Scripting system.



Processes Support:

Direct process support.

Note: Returned handles will automatically be closed when they lose scope.


HANDLE = process.Open(pid)    Get a handle to a process by process ID (with forced access rights when needed).

Get a target's PID by using the window functions, or process.List().

You should call process.Close() (below) when done with the opened handle.


HANDLE, PID = process.Create(szName, [szCmdLine], [szStartPath], [szDLLToInjectName])

Create a new process given by szName, with an optional command line and starting path, and optionally load/inject the DLL specified by szDLLToInjectName into it.


process.Close(HANDLE)    Close a process handle returned by Open() or Create().


bResult = process.InjectDLL(HANDLE, szFileName)    Inject/load a DLL into a process and return bool result.

Cannot inject into “exclusive” processes.


process.SetPriority(HANDLE, Priority)    Set base priority for process.


Priority types:

    process.HIGH_PRIORITY, process.NORMAL_PRIORITY, process.BELOW_NORMAL_PRIORITY, process.IDLE_PRIORITY


process.Terminate(HANDLE)    Terminate process. Use win.Close() or some other method if at all possible, as process.Terminate() can cause memory and/or resource leaks.


table = process.List()    Get a current list of processes by PID, and name.

Table format:

    pid, name


Example:

-- Print process list
proclist = process.List()
for i,v in ipairs(proclist) do
    printf("[%02d] 0x%04X, \"%s\"\n", i, v.pid, v.name)
end


HWND = process.GetHWND()    Get the main HWND for a process, or nil if it doesn’t have one that MM can see.


Read process memory support:

number = process.MemReadU8(HANDLE, Address)    Read 8 bits unsigned.
number = process.MemReadS8(HANDLE, Address)    Read 8 bits signed.
number = process.MemReadU16(HANDLE, Address)    Read 16 bits unsigned.
number = process.MemReadS16(HANDLE, Address)    Read 16 bits signed.
number = process.MemReadU32(HANDLE, Address)    Read 32 bits unsigned.
number = process.MemReadS32(HANDLE, Address)    Read 32 bits signed.
number = process.MemReadU64(HANDLE, Address)    Read 64 bits unsigned.
number = process.MemReadS64(HANDLE, Address)    Read 64 bits signed.
number = process.MemReadf32(HANDLE, Address)    Read 32-bit float.
number = process.MemReadf64(HANDLE, Address)    Read double float.
string = process.MemReadString(HANDLE, Address, Size)    Read string/bytes from process memory.


Write process memory support:

process.MemWriteU8(HANDLE, Address, Number)    Write 8 bits unsigned.
process.MemWriteS8(HANDLE, Address, Number)    Write 8 bits signed.
process.MemWriteU16(HANDLE, Address, Number)    Write 16 bits unsigned.
process.MemWriteS16(HANDLE, Address, Number)    Write 16 bits signed.
process.MemWriteU32(HANDLE, Address, Number)    Write 32 bits unsigned.
process.MemWriteS32(HANDLE, Address, Number)    Write 32 bits signed.
process.MemWriteU64(HANDLE, Address, Number)    Write 64 bits unsigned.
process.MemWriteS64(HANDLE, Address, Number)    Write 64 bits signed.
process.MemWritef32(HANDLE, Address, Number)    Write 32-bit float.
process.MemWritef64(HANDLE, Address, Number)    Write double float.
process.MemWriteString(HANDLE, Address, String)    Write string/bytes to process memory.


process.MemFullAccess(HANDLE, Address, Size)    Sets full access rights (read, write, and execute) for a region of process memory.


address = process.MemAlloc(HANDLE, Size)    Allocates memory in process with full access rights (read, write, and execute) and initializes it to zero.


process.MemFree(HANDLE, Address)    Frees memory allocated previously by process.MemAlloc().


Patch in a relative offset jump instruction (two to five bytes) at SourceAddress to DestinationAddress.

process.CodeJump(HANDLE, SourceAddress, DestinationAddress)


process.CodeNops(HANDLE, Address, Size)    Write “Size” count of NOP instructions at Address in process memory.

Example:

-- Write NOPs to target process at 0x851235 to patch out a JMP instruction.

process.CodeNops(hTarget, 0x851235, 5)


addresslist = process.FindPattern(HANDLE, ByteString, [MaxMatch], [flags])

Locate code and/or data patterns inside a process by scanning its memory regions.

Returns a table of matching address(es), or nil if none found.

Arguments:

ByteString: The text search string. For direct binary searches the format is two hex digits, the wild card character ‘?’, or white space (spaces or tabs). This is the same type of format used by IDA Pro and popular debuggers for hex binary searches. With the process.STRING flag, the search string is instead treated as a literal ASCII search.

MaxMatch: The maximum number of times to look for a pattern (default one).

flags: Search option flags.


Search option flags:

process.STRING    ByteString is a literal ASCII search string.
process.EXECUTABLE    Search only memory regions marked with an executable flag.
process.NONEXECUTABLE    Search only memory regions not marked with an executable flag.
process.IMAGEMAPPED    Search memory regions that have an image mapped name (the source process file, DLLs, etc).
process.SOURCEMAPPED    Search only memory regions that belong to the mapped in parts of the main process.
process.NO_PRIVATE    Skip scanning memory regions marked private.

Other than process.STRING, the rest of the options are to help tweak the search process.

The default is to search all memory regions. Normally the scan will be fast enough, but when searching a large process for multiple patterns, the flags might help speed scans up by narrowing down memory regions.

The flags can also be used to eliminate redundant matches. You might, for example, run into a pattern that hits in both a code and a data region. By using process.EXECUTABLE the data match might be filtered out.


Examples:

-- Search for a code pattern that has wild cards to skip over mutable bytes
local aMatches = process.FindPattern(hProcess, "8B 45 10 50 8D 4D C0 E8 ? ? ? ? C7 45 E0 00 00 00 00")
if aMatches then
    for i,v in ipairs(aMatches) do
        printf("[%d] %08X\n", i, v)
    end
end


-- Search for a code pattern for up to ten matches. And only in the executable space(s) of the main process.

process.FindPattern(hProcess, "55 8B EC 81 EC 18 03 00 00", 10, bit.OR(process.EXECUTABLE, process.SOURCEMAPPED))


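-- Search for up to one occurrence of the ASCII string "MyHealth:" inside the target process.
-- FindPattern returns a table of addresses (or nil), so print the first entry.
local aMatches = process.FindPattern(hProcess, "MyHealth:", 1, process.STRING)
if aMatches then printf("%08X\n", aMatches[1]) end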
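
How the ByteString format described above can be interpreted, shown as an added example in plain Lua that is not MacroMonkey's own code: it scans a constructed byte buffer rather than a live process. parsePattern and findPattern are hypothetical names, and the requirement that tokens be separated by white space is an assumption.

```lua
-- Added example: plain-Lua model of the ByteString format, not MacroMonkey's scanner.
-- parsePattern/findPattern are hypothetical names; tokens must be space-separated.

-- "8B 45 ? ?" -> { 0x8B, 0x45, false, false } (false marks a wild card)
local function parsePattern(text)
    local tokens = {}
    for tok in text:gmatch("%S+") do
        if tok == "?" then
            tokens[#tokens + 1] = false
        elseif tok:match("^%x%x$") then
            tokens[#tokens + 1] = tonumber(tok, 16)
        else
            error("bad pattern token: " .. tok)
        end
    end
    if #tokens == 0 then error("empty pattern") end
    return tokens
end

-- Scan a string of raw bytes; return a table of 0-based offsets, or nil if none.
local function findPattern(buffer, text, maxMatch)
    local pat, hits = parsePattern(text), {}
    maxMatch = maxMatch or 1 -- the page documents a default of one match
    for start = 1, #buffer - #pat + 1 do
        local ok = true
        for i = 1, #pat do
            local want = pat[i]
            if want and buffer:byte(start + i - 1) ~= want then
                ok = false
                break
            end
        end
        if ok then
            hits[#hits + 1] = start - 1
            if #hits >= maxMatch then break end
        end
    end
    if #hits == 0 then return nil end
    return hits
end

-- Constructed sample: the page's first pattern twice, with different wild-card bytes.
local sig = "8B 45 10 50 8D 4D C0 E8 ? ? ? ? C7 45 E0 00 00 00 00"
local head = string.char(0x8B, 0x45, 0x10, 0x50, 0x8D, 0x4D, 0xC0, 0xE8)
local tail = string.char(0xC7, 0x45, 0xE0, 0, 0, 0, 0)
local buffer = "\144\144" .. head .. "\1\2\3\4" .. tail .. head .. "\170\187\204\221" .. tail
for i, off in ipairs(findPattern(buffer, sig, 10) or {}) do
    print(string.format("[%d] offset %d", i, off))
end
```

Both copies match because the four ‘?’ positions accept any byte, while a 00 in the pattern still has to match a literal zero byte.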