-
x86 and x64 support
-
Process interaction
-
Manage PEB32/PEB64
-
Manage process through WOW64 barrier
-
Process Memory
-
Allocate and free virtual memory
-
Change memory protection
-
Read/Write virtual memory
-
Process modules
-
Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
-
Get exported function address
-
Get the main module
-
Unlink module from loader lists
-
Inject and eject modules (including pure IL images)
-
Inject 64bit modules into WOW64 processes
-
Manually map native PE images
-
Threads
-
Enumerate threads
-
Create and terminate threads. Support for cross-session thread creation.
-
Get thread exit code
-
Get main thread
-
Manage TEB32/TEB64
-
Join threads
-
Suspend and resume threads
-
Set/Remove hardware breakpoints
-
Pattern search
-
Search for arbitrary pattern in local or remote process
-
Remote code execution
-
Execute functions in remote process
-
Assemble own code and execute it remotely
-
Support for cdecl/stdcall/thiscall/fastcall conventions
-
Support for arguments passed by value, pointer or reference, including structures
-
FPU types are supported
-
Execute code in new thread or any existing one
-
Remote hooking
-
Hook functions in remote process using int3 or hardware breakpoints
-
Hook functions upon return
-
Manual map features
-
x86 and x64 image support
-
Mapping into any arbitrary unprotected process
-
Section mapping with proper memory protection flags
-
Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
-
Imports and Delayed imports are resolved
-
Bound import is resolved as a side effect, I think
-
Module exports
-
Loading of forwarded export images
-
Api schema name redirection
-
SxS redirection and isolation
-
Activation context support
-
Dll path resolving similar to native load order
-
TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
-
Static TLS
-
Exception handling support (SEH and C++)
-
Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
-
Security cookie initialization
-
C++/CLI images are supported
-
Image unloading
-
Increase reference counter for import libraries in case of manual import mapping
-
Cyclic dependencies are handled properly
-
Driver features
-
Allocate/free/protect user memory
-
Read/write user and kernel memory
-
Disable permanent DEP for WOW64 processes
-
Change process protection flag
-
Change handle access rights
-
Remap process memory
-
Hiding allocated user-mode memory
-
User-mode dll injection and manual mapping
-
Manual mapping of drivers
Blackbone is licensed under the MIT License. Dependencies are under their respective licenses.