Keywords: #memory #memflow #patch #windows #kernel

physpatch (application crate)

1 unstable release: 0.1.0, Apr 30, 2023
MIT license
21KB, 275 lines

PhysPatch 🩹

PhysPatch performs physical memory scanning and patching of the entire Windows Kernel using DMA.

PhysPatch uses memflow to access memory of the virtual machine, and AOBscan to perform the multi-threaded memory scanning.

Usage

  • Scan for "48 8b ? ? ? ? ? 48" in the virtual machine named "TargetVM" and write "48 8b 00 00" at every match:

      physpatch -g "TargetVM" -p "48 8b 00 00" -- "48 8b ? ? ? ? ? 48"

  • Scan for "488b?????48" in the first virtual machine found, without patching anything:

      physpatch -- "488b?????48"

See physpatch --help for all the available arguments and their descriptions.
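The two usage lines above rely on the AOB pattern syntax that AOBscan understands: hex bytes in either spaced ("48 8b ? ? ? ? ? 48") or packed ("488b?????48") form, with "?" as a one-byte wildcard. The following Rust program is an added example, not physpatch's or AOBscan's own code: it parses both pattern forms, finds every match in a constructed 64-byte buffer standing in for the physical memory physpatch reads over DMA, and applies the patch bytes at each match. The parser, the single-threaded scan and the placement of the patch bytes at the start of each match are assumptions made here for illustration; the real tool reads guest memory through memflow and scans it in parallel.

```rust
/// One element of an AOB (array-of-bytes) pattern.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Tok {
    Byte(u8),
    Any, // `?` wildcard: matches any single byte
}

/// Parse a pattern in either of the forms the README uses:
/// spaced ("48 8b ? ? ? ? ? 48") or packed ("488b?????48").
/// Whitespace is ignored; every `?` stands for exactly one byte
/// (that is how both README examples read; it is an assumption here).
pub fn parse_pattern(s: &str) -> Result<Vec<Tok>, String> {
    let chars: Vec<char> = s.chars().filter(|c| !c.is_whitespace()).collect();
    let mut out = Vec::new();
    let mut i = 0;
    while i < chars.len() {
        if chars[i] == '?' {
            out.push(Tok::Any);
            i += 1;
            continue;
        }
        let hex = |c: char| c.to_digit(16).ok_or_else(|| format!("bad hex digit {:?}", c));
        let hi = hex(chars[i])?;
        let lo = chars
            .get(i + 1)
            .copied()
            .ok_or_else(|| "odd number of hex digits".to_string())
            .and_then(hex)?;
        out.push(Tok::Byte(((hi << 4) | lo) as u8));
        i += 2;
    }
    if out.is_empty() {
        return Err("empty pattern".to_string());
    }
    Ok(out)
}

/// Patch bytes (the `-p` argument) use the same syntax but may not contain wildcards.
pub fn parse_bytes(s: &str) -> Result<Vec<u8>, String> {
    parse_pattern(s)?
        .into_iter()
        .map(|t| match t {
            Tok::Byte(b) => Ok(b),
            Tok::Any => Err("wildcards are not allowed in patch bytes".to_string()),
        })
        .collect()
}

/// Offsets of every (possibly overlapping) match of `pat` in `hay`.
pub fn find_all(hay: &[u8], pat: &[Tok]) -> Vec<usize> {
    if pat.is_empty() || hay.len() < pat.len() {
        return Vec::new();
    }
    (0..=hay.len() - pat.len())
        .filter(|&off| {
            pat.iter().zip(&hay[off..]).all(|(t, &b)| match t {
                Tok::Any => true,
                Tok::Byte(x) => *x == b,
            })
        })
        .collect()
}

/// Write `patch` at the start of each match offset (assumed placement);
/// returns how many matches were patched. A patch that would run past
/// the end of the buffer is skipped rather than truncated.
pub fn patch_all(buf: &mut [u8], offsets: &[usize], patch: &[u8]) -> usize {
    let mut patched = 0;
    for &off in offsets {
        if let Some(dst) = buf.get_mut(off..off + patch.len()) {
            dst.copy_from_slice(patch);
            patched += 1;
        }
    }
    patched
}

/// Constructed 64-byte stand-in for a physical memory snapshot: two
/// regions that match "48 8b ? ? ? ? ? 48" (at offsets 8 and 40) and
/// one decoy at 24 whose final byte differs, so it must not match.
pub fn sample_memory() -> Vec<u8> {
    let mut mem = vec![0x90u8; 64];
    mem[8..16].copy_from_slice(&[0x48, 0x8b, 0x05, 0x11, 0x22, 0x33, 0x44, 0x48]);
    mem[24..32].copy_from_slice(&[0x48, 0x8b, 0x05, 0x11, 0x22, 0x33, 0x44, 0x49]);
    mem[40..48].copy_from_slice(&[0x48, 0x8b, 0x0d, 0xaa, 0xbb, 0xcc, 0xdd, 0x48]);
    mem
}

fn main() {
    let mut mem = sample_memory();
    let pat = parse_pattern("48 8b ? ? ? ? ? 48").unwrap();
    let hits = find_all(&mem, &pat);
    println!("matches at {:?}", hits);
    let patch = parse_bytes("48 8b 00 00").unwrap();
    let n = patch_all(&mut mem, &hits, &patch);
    // The patch keeps the first two bytes and the trailing 0x48, so a
    // rescan with the same pattern still reports both locations.
    println!("patched {} location(s); rescan finds {:?}", n, find_all(&mem, &pat));
}
```

Rescanning after the write is the cheap sanity check a practitioner wants here: with a patch shorter than the pattern, the match count after patching tells you whether the expected locations were touched and nothing else was.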

Installation

🦀 Cargo

Who doesn't love Cargo? You can install PhysPatch with it, by running:

cargo install physpatch

You can now launch the program with the physpatch command.

🔩 From Source

Rust is required to build from source. If you don't have it installed, you can install it using rustup.

git clone https://github.com/sonodima/physpatch
cd physpatch
cargo build --release

The compiled binary will be located at target/release/physpatch

Other Information

PhysPatch ships with the memflow_qemu and memflow_win32 libraries embedded, so no additional setup is needed on the host machine to use it.

⚠️ THIS TOOL ONLY SUPPORTS AMD64 GUEST SYSTEMS

Notable Mentions

This project is heavily inspired by Hygieia, a scanning tool that looks for traces of vulnerable drivers.

Dependencies

~13–52MB
~786K SLoC