
Experimental binary patching on executables with the keystone library.


Writes a new entry point for a target executable using Keystone as the assembler.

Table of Contents

Why does this exist

I found it difficult to find a Portable Executable (PE) patcher that handles a randomised base address and doesn't use inline assembly for the copied instructions. It was also difficult to find a patcher that does not store pre-compiled x86 or x86-64 machine code in the source.


Creates a new section marked as executable. The program's entry point is changed to the new section's virtual address. A new entry point stub that jumps to the original entry point (OEP) is assembled with Keystone. Address space layout randomisation (ASLR) is taken into account when the stub resolves the base address.

Two approaches for ASLR base address:

  1. Using the PEB (fs:[30h] on x86 or gs:[60h] on x86-64) -> loader data structure -> base address + OEP. Based on this post.
  2. Add new entries to the relocation table.

The newly added section's code jumps to the original OEP, allowing normal execution of the program.
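The patching described above leaves a recognisable trace: the entry point no longer sits in the original code section but in a section appended at the end of the section table. The following added example (not part of this project's code) parses the PE section table with Python's struct module and flags an entry point that lands in the last section, in a non-executable section, or outside every section. The build_sample_pe helper constructs a header-only PE32+ image for the demonstration; it is not loadable and is purely a constructed input.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, va, vsize, characteristics), ...])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    sections = []
    for i in range(nsections):                  # 40-byte IMAGE_SECTION_HEADER entries
        f = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return entry_rva, sections


def check_entry_point(pe: bytes) -> dict:
    """Flag an entry point in the last section, a non-executable section, or no section."""
    entry_rva, sections = parse_sections(pe)
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            reasons = []
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                reasons.append("entry section is not executable")
            if idx == len(sections) - 1 and len(sections) > 1:
                reasons.append("entry point is in the last section")
            return {"section": name, "suspicious": bool(reasons), "reasons": reasons}
    return {"section": None, "suspicious": True, "reasons": ["entry point outside every section"]}


def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed PE32+ header-only image for this example (not loadable, enough to parse)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


TEXT = (b".text", 0x1000, 0x200, 0x60000020)    # constructed: code, execute, read
PATCH = (b".patch", 0x2000, 0x100, 0x60000020)  # constructed: appended executable section

if __name__ == "__main__":
    print(check_entry_point(build_sample_pe(0x1040, [TEXT, PATCH])))  # entry still in .text
    print(check_entry_point(build_sample_pe(0x2000, [TEXT, PATCH])))  # entry moved to .patch
```

The last-section heuristic also fires on legitimately packed binaries, so treat the result as a triage signal rather than a verdict.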

How to compile

  1. Ensure that you have CMake installed.
  2. Execute
  3. A directory called "build" will be created that contains the compiled program.

