1 unstable release
0.1.0, Apr 30, 2023
PhysPatch 🩹
PhysPatch performs physical memory scanning and patching of the entire Windows Kernel using DMA.
PhysPatch uses memflow to access memory of the virtual machine, and AOBscan to perform the multi-threaded memory scanning.
Usage
- Scan for "48 8b ? ? ? ? ? 48" in the virtual machine named "TargetVM" and write "48 8b 00 00" in all the matches.
physpatch -g "TargetVM" -p "48 8b 00 00" -- "48 8b ? ? ? ? ? 48"
- Scan for "488b?????48" in the first virtual machine found, without performing any patching.
physpatch -- "488b?????48"
See physpatch --help for all the available arguments and their descriptions.
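The wildcard matching behind the first usage line, as an added example that is not PhysPatch or AOBscan code: it parses the spaced pattern form and scans a constructed byte buffer instead of guest memory. `parse_pattern`, `scan` and `SAMPLE` are hypothetical names, and it assumes each space-separated token is one byte, with `?` matching any value.

```rust
// Added example: wildcard byte-pattern scan over an in-memory buffer.
// Assumption: tokens are space-separated; "?" matches any single byte.

/// Constructed sample data (not taken from any real memory image).
const SAMPLE: [u8; 24] = [
    0x90, 0x90, 0x48, 0x8b, 0x05, 0x10, 0x20, 0x30, // pattern starts at offset 2
    0x00, 0x48, 0x8b, 0xc1, 0xc3, 0xcc, 0xcc, 0xcc, // second, overlapping hit at 9
    0x48, 0x8b, 0x0d, 0xaa, 0xbb, 0xcc, 0x00, 0x49, // near miss: ends in 0x49
];

/// Parse a spaced pattern: Some(byte) is an exact match, None is a wildcard.
fn parse_pattern(text: &str) -> Result<Vec<Option<u8>>, String> {
    let pattern = text
        .split_whitespace()
        .map(|tok| match tok {
            "?" => Ok(None),
            t if t.len() == 2 && t.bytes().all(|b| b.is_ascii_hexdigit()) => {
                Ok(Some(u8::from_str_radix(t, 16).unwrap()))
            }
            t => Err(format!("expected a hex byte or '?', got {:?}", t)),
        })
        .collect::<Result<Vec<Option<u8>>, String>>()?;
    if pattern.is_empty() {
        return Err("empty pattern".to_string());
    }
    Ok(pattern)
}

/// Return every offset where the pattern matches, overlapping hits included.
fn scan(haystack: &[u8], pattern: &[Option<u8>]) -> Vec<usize> {
    if pattern.is_empty() || haystack.len() < pattern.len() {
        return Vec::new();
    }
    haystack
        .windows(pattern.len())
        .enumerate()
        .filter(|(_, w)| w.iter().zip(pattern).all(|(b, p)| p.map_or(true, |v| v == *b)))
        .map(|(offset, _)| offset)
        .collect()
}

fn main() {
    let pattern = parse_pattern("48 8b ? ? ? ? ? 48").expect("valid pattern");
    for offset in scan(&SAMPLE, &pattern) {
        println!("match at offset {:#x}", offset);
    }
}
```

The two hits share the byte at offset 9, which shows that a loose pattern can produce overlapping matches; a scan-only run makes that visible before any patch bytes are supplied.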
Installation
🦀 Cargo
Who doesn't love Cargo? You can install PhysPatch with it, by running:
cargo install physpatch
You can now launch the program with the physpatch command.
🔩 From Source
Rust is required to build from source. If you don't have it installed, you can install it using rustup.
git clone https://github.com/sonodima/physpatch
cd physpatch
cargo build --release
The compiled binary will be located at target/release/physpatch
Other Information
PhysPatch comes with the memflow_qemu and memflow_win32 libraries embedded, so you will not need any setup on your host machine to use it.
⚠️ THIS TOOL ONLY SUPPORTS AMD64 GUEST SYSTEMS
Notable Mentions
This project is heavily inspired by Hygieia, which is a scanning tool to find traces of vulnerable drivers.