API

This part of the documentation covers all the methods of Pymem. For parts where Pymem depends on external DLLs, we document the most important ones right here and provide links to the canonical documentation.

Pymem

class pymem.Pymem(process_name: Optional[Union[str, int]] = None, exact_match: bool = False, ignore_case: bool = True)[source]

Initialize the Pymem class. If process_name is given, will open the process and retrieve a handle over it.

Parameters
  • process_name – The name or process id of the process to be opened

  • exact_match – Defaults to False. Whether the full name must match, or only part of it.

  • ignore_case – Defaults to True. Whether to ignore the case of the process name.

allocate(size)[source]

Allocate memory into the current opened process.

Parameters

size (int) – The size of the region of memory to allocate, in bytes.

Raises
  • ProcessError – If there is no process opened

  • TypeError – If size is not an integer

Returns

The base address of the current process.

Return type

int

property base_address

Gets the memory address where the main module was loaded (i.e. the address of the exe file in memory)

Raises
  • TypeError – If process_id is not an integer

  • ProcessError – Could not find process first module address

Returns

Address of main module

Return type

int

check_wow64()[source]

Check if a process is running under WoW64.

close_process()[source]

Close the current opened process

Raises

ProcessError – If there is no process opened

free(address)[source]

Free memory from the current opened process given an address.

Parameters

address (int) – An address of the region of memory to be freed.

Raises
  • ProcessError – If there is no process opened

  • TypeError – If address is not an integer

inject_python_interpreter(initsigs=1)[source]

Inject python interpreter into target process and call Py_InitializeEx.

inject_python_shellcode(shellcode)[source]

Inject a python shellcode into memory and execute it.

Parameters

shellcode (str) – A string with python instructions.

list_modules()[source]

List a process loaded modules.

Returns

List of process loaded modules

Return type

list(MODULEINFO)

property main_thread

Retrieve ThreadEntry32 of main thread given its creation time.

Raises

ProcessError – If there is no process opened or could not list process thread

Returns

Process main thread

Return type

Thread

property main_thread_id

Retrieve th32ThreadID from main thread

Raises

ProcessError – If there is no process opened or could not list process thread

Returns

Main thread identifier

Return type

int

open_process_from_id(process_id)[source]

Opens a process given its identifier and stores the handle into self.process_handle.

Parameters

process_id (int) – The unique process identifier

Raises
  • TypeError – If process identifier is not an integer

  • CouldNotOpenProcess – If process cannot be opened

open_process_from_name(process_name: str, exact_match: bool = False, ignore_case: bool = True)[source]

Open process given its name and stores the handle into process_handle

Parameters
  • process_name – The name of the process to be opened

  • exact_match – Defaults to False. Whether the full name must match, or only part of it.

  • ignore_case – Defaults to True. Whether to ignore the case of the process name.

Raises
  • TypeError – If process name is not valid or search parameters are of the wrong type

  • ProcessNotFound – If process name is not found

  • CouldNotOpenProcess – If process cannot be opened

pattern_scan_all(pattern, *, return_multiple=False)[source]

Scan the entire address space of this process for a regex pattern

Parameters
  • pattern (bytes) – The regex pattern to search for

  • return_multiple (bool) – If multiple results should be returned

Returns

Memory address of the given pattern, or None if it was not found; a list of found addresses if return_multiple is True

Return type

int, list, optional

pattern_scan_module(pattern, module, *, return_multiple=False)[source]

Scan a module for a regex pattern

Parameters
  • pattern (bytes) – The regex pattern to search for

  • module (str, MODULEINFO) – Name of the module to search for, or a MODULEINFO object

  • return_multiple (bool) – If multiple results should be returned

Returns

Memory address of the given pattern, or None if it was not found; a list of found addresses if return_multiple is True

Return type

int, list, optional

property process_base

Lookup process base Module.

Raises
  • TypeError – process_id is not an integer

  • ProcessError – Could not find process first module address

Returns

Base module information

Return type

MODULEINFO

read_bool(address)[source]

Reads 1 byte from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

bool

read_bytes(address, length)[source]

Reads bytes from an area of memory in a specified process.

Parameters
  • address (int) – An address of the region of memory to be read.

  • length (int) – Number of bytes to be read

Raises
Returns

the raw value read

Return type

bytes

read_char(address)[source]

Reads 1 byte from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

str

read_ctype(address, ctype, *, get_py_value=True, raw_bytes=False)[source]

Read a ctype basic type or structure from <address>

Parameters
  • address (int) – An address of the region of memory to be read.

  • ctype – A simple ctypes type or structure

  • get_py_value (bool) – If the corresponding python type should be used instead of returning the ctype. This is automatically set to False for ctypes.Structure or ctypes.Array instances

  • raw_bytes (bool) – If we should return the raw ctype bytes

Raises

WinAPIError – If ReadProcessMemory failed

Returns

Return will be either the ctype with the read value if get_py_value is false, or the corresponding python type

Return type

Any

read_double(address)[source]

Reads 8 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_float(address)[source]

Reads 4 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

float

read_int(address)[source]

Reads 4 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_long(address)[source]

Reads 4 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_longlong(address)[source]

Reads 8 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_short(address)[source]

Reads 2 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_string(address, byte=50)[source]

Reads n bytes from an area of memory in a specified process.

Parameters
  • address (int) – An address of the region of memory to be read.

  • byte (int) – Amount of bytes to be read

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

str

read_uchar(address)[source]

Reads 1 byte from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

str

read_uint(address)[source]

Reads 4 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_ulong(address)[source]

Reads 4 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_ulonglong(address)[source]

Reads 8 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

read_ushort(address)[source]

Reads 2 bytes from an area of memory in a specified process.

Parameters

address (int) – An address of the region of memory to be read.

Raises
  • ProcessError – If there is no opened process

  • MemoryReadError – If ReadProcessMemory failed

  • TypeError – If address is not a valid integer

Returns

returns the value read

Return type

int

start_thread(address, params=None)[source]

Create a new thread within the current debugged process.

Parameters
  • address (int) – An address from where the thread starts

  • params (int) – An optional address with thread parameters

Returns

The new thread identifier

Return type

int

write_bool(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (bool) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_bytes(address, value, length)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (bytes) – the value to be written

  • length (int) – Number of bytes to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_char(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (str) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_ctype(address, ctype)[source]

Write a ctype basic type or structure to <address>

Parameters
  • address (int) – An address of the region of memory to be written.

  • ctype – A simple ctypes type or structure

Raises

WinAPIError – If WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

write_double(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (float) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_float(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (float) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_int(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_long(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_longlong(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_short(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_string(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (str) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_uchar(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_uint(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_ulong(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_ulonglong(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

write_ushort(address, value)[source]

Write value to the given address into the current opened process.

Parameters
  • address (int) – An address of the region of memory to be written.

  • value (int) – the value to be written

Raises
  • ProcessError – If there is no opened process

  • MemoryWriteError – If WriteProcessMemory failed

  • TypeError – If address is not a valid integer

Structures

class pymem.ressources.structure.CLIENT_ID[source]

class pymem.ressources.structure.EnumProcessModuleEX[source]

The following are the EnumProcessModuleEX flags

https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms682633(v=vs.85).aspx

LIST_MODULES_32BIT = 1

List the 32-bit modules

LIST_MODULES_64BIT = 2

List the 64-bit modules.

LIST_MODULES_ALL = 3

List all modules.

LIST_MODULES_DEFAULT = 0

Use the default behavior.

class pymem.ressources.structure.FILETIME[source]

class pymem.ressources.structure.FLOATING_SAVE_AREA[source]

Undocumented ctypes.Structure used for ThreadContext.

pymem.ressources.structure.LPMODULEENTRY32

alias of pymem.ressources.structure.LP_ModuleEntry32

pymem.ressources.structure.LPSECURITY_ATTRIBUTES

alias of pymem.ressources.structure.LP_SECURITY_ATTRIBUTES

class pymem.ressources.structure.LUID[source]

class pymem.ressources.structure.LUID_AND_ATTRIBUTES[source]

pymem.ressources.structure.MEMORY_BASIC_INFORMATION

alias of pymem.ressources.structure.MEMORY_BASIC_INFORMATION64

class pymem.ressources.structure.MEMORY_BASIC_INFORMATION32[source]

Contains information about a range of pages in the virtual address space of a process. The VirtualQuery and VirtualQueryEx functions use this structure.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx

class pymem.ressources.structure.MEMORY_BASIC_INFORMATION64[source]

class pymem.ressources.structure.MEMORY_PROTECTION(value)[source]

The following are the memory-protection options; you must specify one of the following values when allocating or protecting a page in memory https://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx

PAGE_EXECUTE_READWRITE = 64

Enables execute, read-only, or read/write access to the committed region of pages.

class pymem.ressources.structure.MEMORY_STATE(value)[source]

The type of memory allocation

MEM_DECOMMIT = 16384

Decommits the specified region of committed pages. After the operation, the pages are in the reserved state. https://msdn.microsoft.com/en-us/library/windows/desktop/aa366894(v=vs.85).aspx

MEM_FREE = 65536

XXX

MEM_RELEASE = 32768

Releases the specified region of pages. After the operation, the pages are in the free state. https://msdn.microsoft.com/en-us/library/windows/desktop/aa366894(v=vs.85).aspx

MEM_RESERVE = 8192

XXX

class pymem.ressources.structure.MEMORY_TYPES(value)[source]

An enumeration.

MEM_IMAGE = 16777216

XXX

MEM_MAPPED = 262144

XXX

MEM_PRIVATE = 131072

XXX

class pymem.ressources.structure.MODULEINFO(handle)[source]

Contains the module load address, size, and entry point.

lpBaseOfDll
SizeOfImage
EntryPoint

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684229(v=vs.85).aspx

class pymem.ressources.structure.ModuleEntry32(*args, **kwds)[source]

Describes an entry from a list of the modules belonging to the specified process.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684225%28v=vs.85%29.aspx

class pymem.ressources.structure.NT_TIB[source]

class pymem.ressources.structure.PROCESS(value)[source]

Process manipulation flags

DELETE = 65536

Required to delete the object.

PROCESS_ALL_ACCESS = 2035711

All possible access rights for a process object.

PROCESS_CREATE_PROCESS = 128

Required to create a process.

PROCESS_CREATE_THREAD = 2

Required to create a thread.

PROCESS_DUP_HANDLE = 64

PROCESS_DUP_HANDLE

PROCESS_SET_INFORMATION = 512

Required to set certain information about a process, such as its priority class (see SetPriorityClass).

PROCESS_SET_QUOTA = 256

Required to set memory limits using SetProcessWorkingSetSize.

PROCESS_SUSPEND_RESUME = 2048

Required to suspend or resume a process.

PROCESS_TERMINATE = 1

Required to terminate a process using TerminateProcess.

PROCESS_VM_OPERATION = 8

Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).

PROCESS_VM_READ = 16

Required to read memory in a process using ReadProcessMemory.

PROCESS_VM_WRITE = 32

Required to write to memory in a process using WriteProcessMemory.

READ_CONTROL = 131072

Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information see SACL Access Right.

STANDARD_RIGHTS_REQUIRED = 983040

Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.

SYNCHRONIZE = 1048576

Required to wait for the process to terminate using the wait functions.

WRITE_DAC = 262144

Required to modify the DACL in the security descriptor for the object.

WRITE_OWNER = 524288

Required to change the owner in the security descriptor for the object.

pymem.ressources.structure.PTOKEN_PRIVILEGES

alias of pymem.ressources.structure.LP_TOKEN_PRIVILEGES

class pymem.ressources.structure.ProcessEntry32(*args, **kwds)[source]

Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx

class pymem.ressources.structure.SECURITY_ATTRIBUTES[source]

The SECURITY_ATTRIBUTES structure contains the security descriptor for an object and specifies whether the handle retrieved by specifying this structure is inheritable.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379560(v=vs.85).aspx

class pymem.ressources.structure.SE_TOKEN_PRIVILEGE(value)[source]

An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token.

class pymem.ressources.structure.SMALL_TEB[source]

class pymem.ressources.structure.SYSTEM_INFO[source]

Contains information about the current computer system. This includes the architecture and type of the processor, the number of processors in the system, the page size, and other such information.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms724958(v=vs.85).aspx

class pymem.ressources.structure.THREAD_BASIC_INFORMATION[source]

class pymem.ressources.structure.TIB_UNION[source]

class pymem.ressources.structure.TOKEN(value)[source]

An enumeration.

class pymem.ressources.structure.TOKEN_PRIVILEGES[source]

class pymem.ressources.structure.ThreadContext[source]

Represents a thread context

class pymem.ressources.structure.ThreadEntry32(*args, **kwds)[source]

Describes an entry from a list of the threads executing in the system when a snapshot was taken.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686735(v=vs.85).aspx

Pattern

pymem.pattern.pattern_scan_all(handle, pattern, *, return_multiple=False)[source]

Scan the entire address space for a given regex pattern

Parameters
  • handle (int) – Handle to an open process

  • pattern (bytes) – A regex bytes pattern to search for

  • return_multiple (bool) – If multiple results should be returned

Returns

Memory address of the given pattern, or None if it was not found; a list of found addresses if return_multiple is True

Return type

int, list, optional

pymem.pattern.pattern_scan_module(handle, module, pattern, *, return_multiple=False)[source]

Given a handle to an opened process and a module, scans the module's memory for a byte pattern and returns its corresponding memory address.

Parameters
  • handle (int) – Handle to an open object

  • module (MODULEINFO) – An instance of a given module

  • pattern (bytes) – A regex byte pattern to search for

  • return_multiple (bool) – If multiple results should be returned instead of stopping on the first

Returns

Memory address of the given pattern, or None if it was not found; a list of found addresses if return_multiple is True

Return type

int, list, optional

Examples

>>> import pymem
>>> pm = pymem.Pymem("Notepad.exe")
>>> # Here the "." means that the byte can be any byte; a "wildcard"
>>> # also note that this pattern may be outdated
>>> bytes_pattern = b".\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
...                 b"\x00\x00\x00\x00\x00\x00..\x00\x00..\x00\x00\x64\x04"
>>> module_notepad = pymem.process.module_from_name(pm.process_handle, "Notepad.exe")
>>> character_count_address = pymem.pattern.pattern_scan_module(pm.process_handle, module_notepad, bytes_pattern)

pymem.pattern.scan_pattern_page(handle, address, pattern, *, return_multiple=False)[source]

Search for a byte pattern starting at a given memory location. Queries the memory information for that location and searches until it reaches the end of the memory page. If nothing is found, the function returns the next page location.

Parameters
  • handle (int) – Handle to an open object

  • address (int) – An address to search from

  • pattern (bytes) – A regex byte pattern to search for

  • return_multiple (bool) – If multiple results should be returned instead of stopping on the first

Returns

next_region, found address

found address may be None if one was not found, or we didn’t have permission to scan the region

if return_multiple is True found address will instead be a list of found addresses or an empty list if no results

Return type

tuple

Examples

>>> import pymem
>>> pm = pymem.Pymem("Notepad.exe")
>>> address_reference = 0x7ABC00001
>>> # Here the "." means that the byte can be any byte; a "wildcard"
>>> # also note that this pattern may be outdated
>>> bytes_pattern = b".\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
...                 b"\x00\x00\x00\x00\x00\x00..\x00\x00..\x00\x00\x64\x04"
>>> character_count_address = pymem.pattern.scan_pattern_page(pm.process_handle, address_reference, bytes_pattern)
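
Because the pattern arguments in this section are regex bytes, literal bytes that happen to be regex metacharacters change what is matched. The following is an added example, not part of Pymem or its documentation: it uses Python's re module directly on a constructed buffer (no process is opened), and the helper names, base address and buffer contents are all assumptions made for illustration.

```python
import re

# Constructed sample "memory": a decoy record at offset 16 and the real
# record at offset 32. The real record contains 0x2E (".") as a literal byte
# and 0x0A (newline) in the position the signature treats as a wildcard.
BASE = 0x10000  # constructed base address of the buffer
MEMORY = (
    b"\x00" * 16
    + b"\x01\xff\x00\x64\x04"   # decoy: second byte is NOT 0x2E
    + b"\x90" * 11
    + b"\x01\x2e\x0a\x64\x04"   # real: 01 2E ?? 64 04 with ?? == 0x0A
    + b"\x00" * 8
)

# Pattern typed by hand: the literal 0x2E byte silently becomes a wildcard.
NAIVE = b"\x01\x2e.\x64\x04"


def signature_to_regex(signature: str) -> bytes:
    """Build a regex bytes pattern from a hex signature such as "01 2E ?? 64 04".

    "??" (or "?") becomes the "." wildcard; every other byte is passed through
    re.escape so that metacharacter bytes are matched literally.
    """
    parts = []
    for token in signature.split():
        if token in ("?", "??"):
            parts.append(b".")
            continue
        if len(token) != 2:
            raise ValueError(f"expected a two-digit hex byte, got {token!r}")
        parts.append(re.escape(bytes([int(token, 16)])))
    return b"".join(parts)


def scan(buffer: bytes, pattern: bytes, base: int = 0, *,
         return_multiple: bool = False, dotall: bool = True):
    """Search a buffer, following the return convention documented above:
    one address or None, or a list of addresses when return_multiple is True.
    Matches are non-overlapping, as with re.finditer.
    """
    compiled = re.compile(pattern, re.DOTALL if dotall else 0)
    if return_multiple:
        return [base + m.start() for m in compiled.finditer(buffer)]
    match = compiled.search(buffer)
    return base + match.start() if match else None


def compiles(pattern: bytes) -> bool:
    """Return False when the bytes do not form a valid regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


SAFE = signature_to_regex("01 2E ?? 64 04")

if __name__ == "__main__":
    print("naive first hit :", hex(scan(MEMORY, NAIVE, BASE)))
    print("naive all hits  :", [hex(a) for a in scan(MEMORY, NAIVE, BASE, return_multiple=True)])
    print("escaped hit     :", hex(scan(MEMORY, SAFE, BASE)))
    # Without DOTALL, "." does not match 0x0A, so the real record is missed.
    print("escaped, no DOTALL:", scan(MEMORY, SAFE, BASE, dotall=False))
    # An unescaped 0x28 byte is an unterminated "(" group.
    print("b'\\x28\\x64' compiles:", compiles(b"\x28\x64"))
```

The hand-typed pattern reports the decoy first, while the escaped pattern reports only the real record; validate any hit by reading back the surrounding bytes before trusting the address.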

Process

pymem.process.base_module(handle)[source]

Returns process base module

Parameters

handle (int) – A valid handle to an open object

Returns

The base module of the process

Return type

MODULEINFO

pymem.process.close_handle(handle)[source]

Closes an open object handle. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724211%28v=vs.85%29.aspx

Parameters

handle (int) – A valid handle to an open object

Returns

If the closure succeeded

Return type

bool

pymem.process.enum_process_module(handle)[source]

Lists the loaded modules of a process and retrieves their base names. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682633(v=vs.85).aspx https://msdn.microsoft.com/en-us/library/windows/desktop/ms683196(v=vs.85).aspx

Parameters

handle (int) – Handle of the process to enum the modules of

Returns

The process’s modules

Return type

list[MODULEINFO]

pymem.process.enum_process_thread(process_id)[source]

List all threads of the given process_id

Parameters

process_id (int) – Identifier of the process to enum the threads of

Returns

The process’s threads

Return type

list[ThreadEntry32]

pymem.process.get_luid(name)[source]

Get the LUID for the SeCreateSymbolicLinkPrivilege

pymem.process.get_process_token()[source]

Get the current process token

pymem.process.get_python_dll(version)[source]

Given a python dll version will find its path using the current process as a placeholder

Parameters

version (str) – A string representation of python version as a dll (python38.dll)

Returns

The full path of dll

Return type

str

pymem.process.inject_dll(handle, filepath)[source]

Inject a dll into opened process.

Parameters
  • handle (int) – Handle to an open object

  • filepath (bytes) – File path of the DLL to be injected

Returns

The address of injected dll

Return type

DWORD

pymem.process.is_64_bit(handle)[source]

Determines whether the specified process is running under WOW64 (emulation).

Parameters

handle (int) – Handle of the process to check wow64 status of

Returns

If the process is running under wow64

Return type

bool

pymem.process.list_processes()[source]

List all processes https://msdn.microsoft.com/en-us/library/windows/desktop/ms682489%28v=vs.85%29.aspx https://msdn.microsoft.com/en-us/library/windows/desktop/ms684834%28v=vs.85%29.aspx

Returns

A list of open process entries

Return type

list[ProcessEntry32]

pymem.process.module_from_name(process_handle, module_name)[source]

Retrieve a module loaded by given process.

Parameters
  • process_handle (int) – Handle to the process to get the module from

  • module_name (str) – Name of the module to get

Returns

The retrieved module

Return type

MODULEINFO

Examples

>>> d3d9 = module_from_name(process_handle, 'd3d9')

pymem.process.open(process_id, debug=True, process_access=None)[source]

Open a process given its process_id. By default, the process is opened with full access and in debug mode.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx https://msdn.microsoft.com/en-us/library/windows/desktop/aa379588%28v=vs.85%29.aspx

Parameters
  • process_id (int) – The identifier of the process to be opened

  • debug (bool) – If the process should be opened in debug mode

  • process_access (pymem.ressources.structure.PROCESS) – Desired access level, defaulting to all access

Returns

A handle to the opened process

Return type

int
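
Since the default is full access, it helps to see what a given access mask actually grants. The following is an added example, not Pymem code: the right values are copied from the PROCESS enumeration on this page, while the function names and the handle-open records are constructed for illustration.

```python
# Values copied from the PROCESS enumeration documented on this page.
PROCESS_RIGHTS = {
    "PROCESS_TERMINATE": 1,
    "PROCESS_CREATE_THREAD": 2,
    "PROCESS_VM_OPERATION": 8,
    "PROCESS_VM_READ": 16,
    "PROCESS_VM_WRITE": 32,
    "PROCESS_DUP_HANDLE": 64,
    "PROCESS_CREATE_PROCESS": 128,
    "PROCESS_SET_QUOTA": 256,
    "PROCESS_SET_INFORMATION": 512,
    "PROCESS_SUSPEND_RESUME": 2048,
    "DELETE": 65536,
    "READ_CONTROL": 131072,
    "WRITE_DAC": 262144,
    "WRITE_OWNER": 524288,
    "SYNCHRONIZE": 1048576,
}
PROCESS_ALL_ACCESS = 2035711  # 0x1F0FFF, as listed on this page

# Rights this page documents as required to change the address space,
# write memory and create a thread in the target.
WRITE_AND_THREAD = ("PROCESS_VM_OPERATION", "PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD")


def decode_access(mask: int):
    """Return (names of documented rights set in mask, leftover bits).

    Leftover bits are rights the mask grants that this page does not name.
    """
    names = [name for name, bit in PROCESS_RIGHTS.items() if mask & bit]
    documented = 0
    for bit in PROCESS_RIGHTS.values():
        documented |= bit
    return names, mask & ~documented


def can_write_and_start_thread(mask: int) -> bool:
    """True when the handle could both modify memory and start a thread."""
    return all(mask & PROCESS_RIGHTS[name] for name in WRITE_AND_THREAD)


def excess_rights(granted: int, needed: int):
    """Documented rights that were granted although the task did not need them."""
    names, _ = decode_access(granted & ~needed)
    return names


# Constructed handle-open records: (source image, target image, granted access).
EVENTS = [
    ("backup.exe", "notepad.exe", "0x10"),
    ("tool.exe", "notepad.exe", "0x1F0FFF"),
    ("monitor.exe", "notepad.exe", "0x1410"),
]


def triage(events):
    """Return the (source, target) pairs whose mask allows write plus thread creation."""
    return [
        (source, target)
        for source, target, granted in events
        if can_write_and_start_thread(int(granted, 16))
    ]


if __name__ == "__main__":
    names, leftover = decode_access(PROCESS_ALL_ACCESS)
    print(len(names), "documented rights, undocumented bits:", hex(leftover))
    print("not needed for a read-only task:",
          excess_rights(PROCESS_ALL_ACCESS, PROCESS_RIGHTS["PROCESS_VM_READ"]))
    print("flagged:", triage(EVENTS))
```

A tool that only reads memory can be reviewed against this: any right returned by excess_rights for its handle is attack surface that the process_access argument could have removed.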

pymem.process.open_main_thread(process_id)[source]

List given process threads and return a handle to first created one.

Parameters

process_id (int) – The identifier of the process

Returns

A handle to the main thread

Return type

int

pymem.process.open_thread(thread_id, thread_access=None)[source]

Opens an existing thread object. https://msdn.microsoft.com/en-us/library/windows/desktop/ms684335%28v=vs.85%29.aspx

Parameters
  • thread_id (int) – The identifier of the thread to be opened

  • thread_access (int) – Desired access level, defaulting to all access

Returns

A handle to the opened thread

Return type

int

pymem.process.process_from_id(process_id)[source]

Open a process given its identifier.

Parameters

process_id (int) – The identifier of the process to be opened

Returns

The process entry of the opened process

Return type

ProcessEntry32

pymem.process.process_from_name(name: str, exact_match: bool = False, ignore_case: bool = True)[source]

Open a process given its name.

Parameters
  • name – The name of the process to be opened

  • exact_match – Defaults to False. Whether the full name must match, or only part of it.

  • ignore_case – Defaults to True. Whether to ignore the case of the process name.

Returns

The process entry of the opened process

Return type

ProcessEntry32

pymem.process.set_debug_privilege(lpszPrivilege, bEnablePrivilege)[source]

Leverage current process privileges.

Parameters
  • lpszPrivilege (str) – Privilege name

  • bEnablePrivilege (bool) – Enable privilege

Returns

If privileges have been leveraged

Return type

bool

Ptypes

class pymem.ptypes.RemotePointer(handle, v, endianess='little-endian')[source]

Pointer capable of reading the value mapped into another process memory.

Parameters
  • handle (int) – Handle to the process

  • v (int, RemotePointer, any ctypes type) – The address value

  • endianess (str) – The endianness of the remote pointer, defaulting to little-endian

Raises

PymemAlignmentError – If endianess is not a valid alignment

Notes

The bool of RemotePointer checks if the internal value is 0

property cvalue

Reads the targeted process memory and returns the value pointed to by the given address.

Returns

The value pointed at by this remote pointer as a ctypes type instance

Return type

a ctypes type

property value

Reads the targeted process memory and returns the value pointed to by the given address.

Returns

The value pointed at by this remote pointer

Return type

int

Thread

class pymem.thread.Thread(process_handle, th_entry_32)[source]

Provides basic thread information such as TEB.

Parameters
  • process_handle (int) – A handle to an opened process

  • th_entry_32 (ThreadEntry32) – Target thread’s entry object

Memory

pymem.memory.allocate_memory(handle, size, allocation_type=None, protection_type=None)[source]

Reserves or commits a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero, unless MEM_RESET is used.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • size (int) – The size of the region of memory to allocate, in bytes.

  • allocation_type (MEMORY_STATE) – The type of memory allocation.

  • protection_type (MEMORY_PROTECTION) – The memory protection for the region of pages to be allocated.

Returns

The address of the allocated region of pages.

Return type

int

pymem.memory.free_memory(handle, address, free_type=None)[source]

Releases, decommits, or releases and decommits a region of memory within the virtual address space of a specified process.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366894%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be freed.

  • free_type (MEMORY_PROTECTION) – The type of free operation.

Returns

A boolean indicating if the call was a success.

Return type

int

pymem.memory.read_bool(handle, address)[source]

Reads 1 byte from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as a bool

Return type

bool

pymem.memory.read_bytes(handle, address, byte)[source]

Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

  • byte (int) – Number of bytes to be read

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as bytes

Return type

bytes

pymem.memory.read_char(handle, address)[source]

Reads 1 byte from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as a string

Return type

str

pymem.memory.read_ctype(handle, address, ctype, *, get_py_value=True, raw_bytes=False)[source]

Read a ctype basic type or structure from <address>

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

  • ctype – A simple ctypes type or structure

  • get_py_value (bool) – If the corresponding Python type should be used instead of returning the ctype. This is automatically set to False for ctypes.Structure or ctypes.Array instances.

  • raw_bytes (bool) – If we should return the raw ctype bytes

Raises

WinAPIError – If ReadProcessMemory failed

Returns

Either the ctype holding the read value, if get_py_value is false, or the corresponding Python type.

Return type

Any

pymem.memory.read_double(handle, address)[source]

Reads 8 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as a float

Return type

float

pymem.memory.read_float(handle, address)[source]

Reads 4 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as a float

Return type

float

pymem.memory.read_int(handle, address)[source]

Reads 4 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_long(handle, address)[source]

Reads 4 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_longlong(handle, address)[source]

Reads 8 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_short(handle, address)[source]

Reads 2 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_string(handle, address, byte=50)[source]

Reads n bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

  • byte (int, default=50) – max number of bytes to check for null terminator, defaults to 50

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as a string

Return type

str

pymem.memory.read_uchar(handle, address)[source]

Reads 1 byte from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_uint(handle, address, is_64=False)[source]

Reads 4 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

  • is_64 (bool) – Should we unpack as big-endian

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_ulong(handle, address)[source]

Reads 4 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_ulonglong(handle, address)[source]

Reads 8 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.read_ushort(handle, address)[source]

Reads 2 bytes from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be read.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – If ReadProcessMemory failed

Returns

The raw value read as an int

Return type

int

pymem.memory.virtual_query(handle, address)[source]

Retrieves information about a range of pages within the virtual address space of a specified process.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366907(v=vs.85).aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region to be read.

Returns

A memory basic information object

Return type

MEMORY_BASIC_INFORMATION
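
A pre-read check built on the kind of region record virtual_query returns, since a read fails unless the entire area is accessible. This is an added example, not part of Pymem: Region, is_readable, range_is_readable and writable_executable_regions are hypothetical names, the sample regions are constructed, and it assumes the returned object exposes the Windows MEMORY_BASIC_INFORMATION fields BaseAddress, RegionSize, State, Protect and Type.

```python
from typing import Iterable, List, NamedTuple

# Windows memory constants (winnt.h).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_NOACCESS, PAGE_READONLY = 0x01, 0x02
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100

# Execute-only pages (PAGE_EXECUTE) are treated conservatively as unreadable.
READABLE = (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY |
            PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
WRITABLE_EXECUTABLE = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


class Region(NamedTuple):
    """Hypothetical stand-in for the MEMORY_BASIC_INFORMATION fields used here."""
    BaseAddress: int
    RegionSize: int
    State: int
    Protect: int
    Type: int


def is_readable(region: Region) -> bool:
    """True only for committed pages with a readable, non-guard protection."""
    if region.State != MEM_COMMIT:
        return False
    if region.Protect & (PAGE_GUARD | PAGE_NOACCESS):
        return False
    return bool(region.Protect & READABLE)


def range_is_readable(regions: Iterable[Region], address: int, size: int) -> bool:
    """Check that [address, address + size) is covered, without gaps, by
    readable regions. One unreadable or missing page fails the whole range."""
    if size <= 0:
        return False
    end = address + size
    cursor = address
    for region in sorted(regions, key=lambda r: r.BaseAddress):
        region_end = region.BaseAddress + region.RegionSize
        if region_end <= cursor:
            continue                      # region lies before the range
        if region.BaseAddress > cursor:
            return False                  # hole between regions
        if not is_readable(region):
            return False
        cursor = region_end
        if cursor >= end:
            return True
    return False                          # ran out of regions before the end


def writable_executable_regions(regions: Iterable[Region]) -> List[Region]:
    """Committed, private pages that are both writable and executable.
    A triage signal for memory review, not proof of anything: JIT engines
    create such pages legitimately."""
    return [r for r in regions
            if r.State == MEM_COMMIT
            and r.Type == MEM_PRIVATE
            and r.Protect & WRITABLE_EXECUTABLE]


# Constructed sample layout (addresses and sizes are made up).
SAMPLE_REGIONS = [
    Region(0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x11000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE),
    Region(0x12000, 0x2000, MEM_RESERVE, 0, MEM_PRIVATE),
    Region(0x20000, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
    Region(0x23000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),
    Region(0x30000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
]

if __name__ == "__main__":
    for addr, size in [(0x10000, 0x1000), (0x10800, 0x1000), (0x22FF0, 0x20)]:
        ok = range_is_readable(SAMPLE_REGIONS, addr, size)
        print(f"{addr:#x}+{size:#x}: {'readable' if ok else 'not fully readable'}")
    for r in writable_executable_regions(SAMPLE_REGIONS):
        print(f"review: private W+X region at {r.BaseAddress:#x}")
```
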

pymem.memory.write_bool(handle, address, value)[source]

Writes 1 byte to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (bool) – A boolean representing the value to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_bytes(handle, address, data, length)[source]

Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

Casts address using ctypes.c_char_p.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • data (void) – A buffer that contains data to be written

  • length (int) – Number of bytes to be written.

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_char(handle, address, value)[source]

Writes 1 byte to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (str) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_ctype(handle, address, ctype)[source]

Write a ctype basic type or structure to <address>

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • ctype – A simple ctypes type or structure

Raises

WinAPIError – If WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_double(handle, address, value)[source]

Writes 8 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (float) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_float(handle, address, value)[source]

Writes 4 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (float) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_int(handle, address, value)[source]

Writes 4 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_long(handle, address, value)[source]

Writes 4 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_longlong(handle, address, value)[source]

Writes 8 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_short(handle, address, value)[source]

Writes 2 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_string(handle, address, bytecode)[source]

Writes len(bytecode) bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • bytecode (str, bytes) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_uchar(handle, address, value)[source]

Writes 1 byte to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (str) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_uint(handle, address, value)[source]

Writes 4 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_ulong(handle, address, value)[source]

Writes 4 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_ulonglong(handle, address, value)[source]

Writes 8 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

pymem.memory.write_ushort(handle, address, value)[source]

Writes 2 bytes to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Parameters
  • handle (int) – The handle to a process. The function allocates memory within the virtual address space of this process. The handle must have the PROCESS_VM_OPERATION access right.

  • address (int) – An address of the region of memory to be written.

  • value (int) – A buffer that contains data to be written

Raises
  • TypeError – If address is not a valid integer

  • WinAPIError – if WriteProcessMemory failed

Returns

A boolean indicating a successful write.

Return type

bool

Exceptions

exception pymem.exception.CouldNotOpenProcess(process_id)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.MemoryReadError(address, length, error_code=None)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.MemoryWriteError(address, value, error_code=None)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.ProcessError(message)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.ProcessNotFound(process_name)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.PymemAlignmentError(message)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.PymemError(message)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.PymemMemoryError(message)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.PymemTypeError(message)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception pymem.exception.WinAPIError(error_code)[source]
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.