PyHiew 0.3.0 with process memory editing

PyHiew 0.3.0 has been released with fsPlus integration. It is now possible to edit process memory directly from Hiew.

How to edit process memory with Hiew

– Press F9 to toggle Hiew HEM modules
– Select PyHiew and then the fsPlus script

[Screenshot: select_fsPlus]

– After successful activation you should get this:

[Screenshot: activated_fsPlus]

This step is required only once.

– Now press F9 to show the file list (you may want to press Alt-F4 to refresh the file list):

[Screenshot: fileselect_fsPlus]

Processes and files will be listed alongside each other. Processes have the following format: {ProcessName.extension}.pid|{PID}, where the process name and PID are replaced with the actual process name and ID. Now you’re ready to edit the process in question. Just press ENTER to select the file!

[Screenshot: textview_fsPlus]

The first few pages (virtual address 0 and on) are not mapped in processes. For this reason fsPlus provides “virtual” information to Hiew: it constructs a “special” PE file header describing all the loaded modules, followed by some textual information:

[Screenshot: textinfo_fsPlus]

Pressing ENTER (to switch to Hex view) then F8 then F6 (to view the PE sections) will reveal all the loaded modules:

[Screenshot: sections_fsPlus]

You may press ENTER to jump to any section in memory. In the following screenshot, we have a view crossing from one page to another. The first page is not mapped, so fsPlus returns “BAD!” wherever it cannot read memory, while the following page contains the actual process memory bytes:

[Screenshot: procmem_fsPlus]
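As an added illustration (not code from PyHiew or fsPlus), the following Python model shows the two behaviours described above: parsing the {ProcessName.extension}.pid|{PID} pseudo-file name, and assembling a view that crosses from an unmapped page into a mapped one, filling the unreadable page with the “BAD!” marker. The address space is constructed in-line; a real reader would fetch pages from the target process.

```python
import re
from typing import Callable, Dict, Optional, Tuple

PAGE_SIZE = 0x1000
BAD_MARK = b"BAD!"  # marker fsPlus shows for memory it cannot read

# fsPlus lists a process as {ProcessName.extension}.pid|{PID}
PROCESS_ENTRY = re.compile(r"^(?P<name>.+)\.pid\|(?P<pid>\d+)$")


def parse_process_entry(entry: str) -> Optional[Tuple[str, int]]:
    """Return (process name, PID) for an fsPlus process pseudo-file, else None."""
    m = PROCESS_ENTRY.match(entry)
    if not m:
        return None
    return m.group("name"), int(m.group("pid"))


def read_view(read_page: Callable[[int], Optional[bytes]],
              start: int, size: int) -> bytes:
    """Assemble `size` bytes from virtual address `start`, one page at a time.

    read_page(page_base) returns the page's bytes, or None if it is not mapped.
    Unmapped pages are rendered as a repeated BAD! marker, as fsPlus does.
    """
    out = bytearray()
    addr, end = start, start + size
    while addr < end:
        base = addr & ~(PAGE_SIZE - 1)
        page = read_page(base)
        if page is None:
            page = BAD_MARK * (PAGE_SIZE // len(BAD_MARK))
        off = addr - base
        take = min(end - addr, PAGE_SIZE - off)
        out += page[off:off + take]
        addr += take
    return bytes(out)


# Constructed sample address space: page 0 unmapped, page at 0x1000 mapped.
SAMPLE_PAGES: Dict[int, bytes] = {0x1000: bytes(range(256)) * 16}


def sample_read_page(base: int) -> Optional[bytes]:
    return SAMPLE_PAGES.get(base)


if __name__ == "__main__":
    print(parse_process_entry("notepad.exe.pid|1234"))
    # Read 8 bytes straddling the boundary between the unmapped and mapped page.
    print(read_view(sample_read_page, 0x0FFC, 8))  # b'BAD!\x00\x01\x02\x03'
```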

It is possible to copy blocks (for example, to copy sections out of an unpacked program), edit the process (by pressing F3) and save the changes, or perform most of the file I/O operations you would on normal files.

It is possible to configure fsPlus so that a folder of your choice contains the process list (instead of showing the listing in the current directory). For this, you need to edit the “fsPlus.ini” file:

; Specify the process hook path. The folder must *EXIST* (it need not be empty) and have a trailing backslash
; For example, it can be "C:\_processes\" or simply the current directory: ".\"

[ProcessAsFile]
ProcessDir=.\

If another folder is specified, then when you press F9 to toggle the file list in Hiew, make sure you navigate to the folder you specified in order to get the process list.

That’s it! If you have questions, let me know.

Download the PyHiew 0.3.0 package and get started! 🙂

About 0xeb

I am a programmer and reverse engineer. I like to write software utilities, designing APIs and reverse engineering interesting stuff.
This entry was posted in Programming, Python.