3 unstable releases
0.2.1 | Nov 10, 2024 |
---|---|
0.2.0 | Oct 7, 2023 |
0.1.0 | Apr 30, 2023 |
#388 in Command line utilities
23KB
237 lines
PhysPatch 🩹
PhysPatch performs physical memory scans and patches of the entire Windows kernel.
Usage
Scan for "488b??????????48" in the virtual machine named "TargetVM" and write "488b0000" to all matches:
physpatch -t "TargetVM" -p "488b0000" -- "488b??????????48"
Scan for "488b?????48" in the first virtual machine found, without performing any patching:
physpatch -- "488b?????48"
See physpatch --help
for all the available arguments and their descriptions.
Installation
🦀 Cargo
Using Cargo is the easiest way to get started with PhysPatch:
cargo install physpatch
sudo setcap "CAP_SYS_PTRACE=ep" $(which physpatch)
You can now launch the program with the physpatch
command.
🔩 From Source
git clone https://github.com/sonodima/physpatch && cd physpatch
cargo build --release
sudo setcap "CAP_SYS_PTRACE=ep" target/release/physpatch
The compiled binary is located in target/release/physpatch
Requirements
⚠️ THIS TOOL ONLY SUPPORTS X86_64 GUEST SYSTEMS
CAP_SYS_PTRACE is required to use this program without elevation:
sudo setcap "CAP_SYS_PTRACE=ep" physpatch
For more information, refer to the documentation for memflow_qemu
Disclaimer
PhysPatch is an extremely powerful tool, and incorrect usage can (will) lead to unintended consequences, including system crashes and data corruption.
Before using PhysPatch, ensure you fully understand its implications and effects. Proper knowledge of the memory structures and patterns you are searching for is essential.
Those associated with PhysPatch will not be held accountable for any damages, data losses, or system corruptions that arise from the usage of this tool.
Notable Mentions
This project is heavily inspired by Hygieia, which is a scanning tool to find traces of vulnerable drivers.
Dependencies
~15–44MB
~688K SLoC