Pyjectify v0.7

New features

Inject

• Memory loader: added call_entry_point parameter to allow loading a module from memory without calling its entry point

Bug fix

Core

• PE: fix change_base() (fix relocations parsing and update ImageBase in NT headers)

Others

• Prevent empty memory allocations in injet & pythonlib modules

PyJectify v0.6

New features

Core

• Process: added run_funcs() to run multiple functions in the same thread (removed start_join_thread_x64())

Bug fix

PythonLib

• Fix PythonLib for Python >= 3.12

PyJectify v0.5

New features

Core

• Process: added start_join_thread_x64() to get the 64-bits return value of a remote thread

Bug fix

PythonLib

• Fix PythonLib module for Python 3.6-3.9 (still does not work with Python >= 3.12)

Improvements

Core

• Process: join_thread() now returns integer instead of ctypes.c_ulong

PyJectify v0.4

Bug fix

Syscall

• Fix x86 direct syscalls

Improvements

• Remove ctypes wintypes in core
• ApiSetSchema: use VirtualSize instead of SizeOfRawData

PyJectify v0.3

Improvements

Core

• move injectorx86, injectorwow64, windowsx86 from pyjectify.windows.core.process to pyjectify.windows (named respectively x86, wow64, windowsx86)

PE

• PE are automatically mapped to memory at initialization
• PyJectify automatically detects if a PE is from raw file or if it's already mapped (removed the mapped parameter)
• PyJectify automatically parse imports and exports at initialization, unless we specify to PyJectify that we try to parse only PE headers (removed parse_imports() and parse_exports() public method & added headers_only parameter)
• sections now use VirtualSize instead of SizeOfRawData

Inject

• improved injection without headers (do not copy them instead of filling the memory range with null bytes)
• allow to use a random address instead of the base address for memory loader, using the new prefer_base_addr parameter

PyJectify v0.2

Improvements

Process

• ntdll attribute can be updated dynamically to modify how basic calls are made (kernel32 calls, ntapi calls, direct Syscalls)

Syscall

• added get_common to retrieve common syscalls used by the core
• process attribute of the Syscall utils (which is pyjectify's process) is not public anymore

Fixes

Defines

• Hardcode ctypes.wintypes data types

PythonLib

• Fix GIL issues : fix python hooks deadlocks

Doc

• Update README and doc

Known issues

PythonLib

• PythonLib does not work anymore with Python 3.6 - 3.9 (Python 3.12 still unsupported). Issue is investigated to be fixed in upcoming releases

PyJectify v0.1

Initial release (v0.1)

PyJectify v0.1 features:

Windows

PyJectify supports Windows (x86 & x64)

Core

• Allocate / Free / Read / Write memory
• Create threads
• List loaded modules
• PE parser
• Use kernel32 or ntdll functions

Modules

• MemScan: scan memory using regex patterns
• Inject: load library, from disk (remote LoadLibrary) or from memory (fully map the DLL into the remote process)
• Hook: set up inline hooks in the target process
• PythonLib: embed python into a remote process

Utils

• Syscall: Parse syscall codes from ntdll.dll (from the loaded library or from the disk), and produce a ntdll-like object which can be used by the Inject module to use direct syscalls
• ApiSetSchema: parse Windows ApiSet

PyJectify's documentation is complete

PyJectify v0.1 is available on Pypi