Skip to content
Daniel Tischner edited this page Apr 21, 2017 · 21 revisions

Getting started

  • Integrate Mem-Eater-Bug into your project.
  • Ensure the libraries are correctly loaded to the APIs build path.
  • Create an instance of the API by using new MemEaterBug(...)
    • There are several ways to access a process, like the exeFileName or a windowName.
    • Take a look into the example package for more hints on how to use Mem-Eater-Bug.

General procedure

  • Create an instance of a Mem-Eater-Bug that is linked to the process you are trying to interact with. There are several methods to find a process.
    • The process id
    • The name of the process exe-File
    • A window name of the process
    • The process window class name
  • Hook up to the process by using hookProcess()
  • Interact with the process
  • Unhook from the process by using unhookProcess()

Memory manipulation

Mem-Eater-Bug is able to read from and write to the memory of a hooked process. An example can be found in examples/SoliScorer.java.

SoliScorer

For reading and writing process memory you need to know an address and its offsets to the base address.

  • Those are found using a Memory Reader like CheatEngine

The procedure then is as follows.

  • Get the MemManipulator using memEaterBug.getMemManipulator()
  • Find the base address using memManipulator.getBaseAddress()
  • Add your base offset and find your dynamic address using memManipulator.findDynAddress(offsets, startingAddress)
  • Then simply read or write using the provided methods, for example memManipulator.readInt(dynamicAddress) or memManipulator.writeInt(dynamicAddress, value)

Code Injection

Mem-Eater-Bug is able to inject code into its hooked process, for example a jar- or dll-File. Injected code shares the same heap as the target process as it gets loaded into the targets context at runtime. Thus it is able to also manipulate the targets code, for example hooking a custom subroutine to a method of the target. An example can be found in examples/SpaceInvadersInjector.java.

SpaceInvadersInjection

The procedure is as follows.

  • Get the Injector using memEaterBug.getInjector()
  • Inject your agent into the hooked process by using the provided methods, for example injector.injectJarIntoJar(pathToAgent)

So all in all you need a target process to inject code into, for example a jar-File. Then the code to inject, known as agent, for example a jar-File. And a program that injects, i.e. hooks the Mem-Eater-Bug to the target and uses the Injector to inject the agent into the target.

If injecting a jar-File into a process, the jar must specify the Agent-Class key in its manifest. This key points to a class that implements an agentmain-method. This method is the entry point for classes that are loaded at runtime by the Injector. An example jar-File can be seen in res/examples/SpaceInvadersInjection.jar while the targeted process is res/examples/SpaceInvaders.jar, taken from spaceinvaders-101-java.

At this point you can either specify your own agentmain-method or use our class Injection. This class is such an Agent-Class and it is able to create an instance of a given custom Thread object. The procedure is as follows.

  • Create a class which extends from Thread, its constructor will be called by Injection. If you also pass arguments then it will try to call a constructor which accepts a String.
  • Pack your custom Thread and the Injection-Class into a jar and point the Agent-Class key in its manifest to the Injection-Class.
  • Inject the jar into the hooked process by injector.injectJarIntoJar(pathToAgent, threadClassName)
  • The Injector calls the agentmain-method of Injection. Injection creates an instance of your Thread object and starts it.

The mentioned example res/examples/SpaceInvadersInjection.jar makes use of our Injection-Class. After injection, it adds an Overlay-Panel to the Swing-Game SpaceInvaders. The overlay displays information about remaining aliens, which is not accessible by default. The routine makes the private game value accessible by using the Reflection API.

SpaceInvadersInjectionShowcase

Remarks

Mem-Eater-Bug only works on Windows operating systems as it uses the Windows API. It should easily handle 32-bit and 64-bit architectures, however there may be some issues when accessing 32-bit processes on 64-bit architectures. For proper execution one should use a 32-bit Java Runtime Environment in this case. It can be installed in parallel to a 64-bit JRE.

Troubleshooting

If you are unable to built the project, make sure you have loaded the libraries correct.

  • The JNA library can be found in our folder lib. It consists of two jar-files that both need to be in the build path.
  • The Tool library is part of the JDK, but not in the build path by default. You can either use the original tool.jar or ours from the folder lib.
  • The Injector needs to load the Attach library at runtime. You need to ensure that it is located inside a path contained by the system property java.library.path. In general you can just copy the attach.dll to /Windows/System32 as this folder is contained in the property. The library attach.dll is part of the JDK, you can either use the original file or ours from the folder lib.

If you get IllegalArgumentException at construction of Mem-Eater-Bug, make sure that you are trying to access the process with the correct names, for example the correct exeFileName. You may check this using the TaskManager, a WindowSpy or similar tools.

When encountering Win32Exceptions the Windows API has thrown an exception. Most of the time they are related to wrong file type conversions and wrong byte computations. Make sure that you have the correct addresses, offsets and are running on a JRE with the same architecture than the process you are interacting with.

Clone this wiki locally