BigUint64Array/Hyper_rw

Hyper_rw

This document introduces the GuestMemory virtual memory access class, based on noahware/hyper-reV, as well as four kernel utility functions used for locating the target process CR3, EPROCESS, PEB, and module base addresses.

This project depends on a specific Windows version (Windows 11 25H2). If the version does not match, the project will not run; in that case adjust the offsets in GetM and the PsActiveProcessHead offset (0xF05790) in Hyper_rw.cpp to match your build.

Chinese (中文)


1. Core Utility Functions

These functions rely on PsActiveProcessHead to locate key process structures from the kernel side.

GetProcessCr3

Parameters: target_pid, ps_active_process_head
Returns: CR3 (DirectoryTableBase)
Walks the ActiveProcessLinks list, matches on the PID, and returns that process's page table base address.

FindProcessEProcessBase

Parameters: Same as above
Returns: EPROCESS kernel virtual address
Suitable for use when accessing fields like Token, HandleTable, etc.

FindPebByCr3_Raw

Parameters: target_cr3, ps_active_process_head
Returns: PEB user-mode virtual address
Looks up the EPROCESS in reverse via its CR3, then reads the Peb field; does not rely on the PID.

GetModuleBase_Raw

Parameters: target_cr3, peb_address, module_name
Returns: DllBase
Traverses the PEB Ldr module list to find the target DLL.


2. GuestMemory

GuestMemory encapsulates VA→PA translation and cross-page handling, serving as the primary interface for accessing target process virtual memory from user mode.

Construction

GuestMemory mem(target_cr3);  // bind to the target's page table (CR3)

ReadValue / WriteValue

int hp = 0;
mem.ReadValue<int>(0x7FF70010, hp);  // read an int from the target's virtual address space
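The VA→PA translation and cross-page handling that GuestMemory encapsulates, written out as an added C++ example. This is not code from Hyper_rw or hyper-reV: GuestMemorySim, PhysMem, BuildDemoMapping and every address and frame number in it are constructed assumptions, and the "physical memory" is a flat byte array with hand-built page tables rather than a live guest. The example shows the two steps the section describes: a CR3-rooted 4-level page walk, and a read that is split at each page boundary so a value whose bytes live in two non-adjacent physical frames is still assembled correctly.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>

// Constructed stand-in for guest physical memory (a flat byte array).
constexpr uint64_t kPageSize = 0x1000;
constexpr uint64_t kPresent = 1ull;                      // bit 0 of every paging entry
constexpr uint64_t kFrameMask = 0x000FFFFFFFFFF000ull;   // bits 12..51: next-table / page frame

struct PhysMem {
    std::vector<uint8_t> bytes;
    explicit PhysMem(size_t size) : bytes(size, 0) {}
    bool ReadQword(uint64_t pa, uint64_t& out) const {
        if (pa + 8 > bytes.size()) return false;        // refuse reads past the backing store
        std::memcpy(&out, &bytes[pa], 8);
        return true;
    }
    void WriteQword(uint64_t pa, uint64_t v) { std::memcpy(&bytes[pa], &v, 8); }
};

// Hypothetical GuestMemory look-alike: a CR3-rooted 4-level walk plus page-split reads.
class GuestMemorySim {
public:
    GuestMemorySim(const PhysMem& phys, uint64_t cr3) : phys_(phys), cr3_(cr3 & kFrameMask) {}

    // VA -> PA: PML4 -> PDPT -> PD -> PT, 4 KiB pages only (no PS/large-page handling here).
    std::optional<uint64_t> Translate(uint64_t va) const {
        uint64_t table = cr3_;
        for (int level = 3; level >= 0; --level) {
            uint64_t index = (va >> (12 + 9 * level)) & 0x1FF;   // 9 index bits per level
            uint64_t entry = 0;
            if (!phys_.ReadQword(table + index * 8, entry) || !(entry & kPresent)) return std::nullopt;
            table = entry & kFrameMask;
        }
        return table + (va & (kPageSize - 1));
    }

    // Read `size` bytes at `va`, translating once per page so a span crossing a
    // page boundary is assembled from (possibly non-adjacent) physical frames.
    bool Read(uint64_t va, void* out, size_t size) const {
        uint8_t* dst = static_cast<uint8_t*>(out);
        while (size > 0) {
            size_t left_in_page = kPageSize - (va & (kPageSize - 1));
            size_t chunk = size < left_in_page ? size : left_in_page;
            std::optional<uint64_t> pa = Translate(va);
            if (!pa || *pa + chunk > phys_.bytes.size()) return false;   // unmapped: fail, no partial read
            std::memcpy(dst, &phys_.bytes[*pa], chunk);
            va += chunk; dst += chunk; size -= chunk;
        }
        return true;
    }
    template <typename T> bool ReadValue(uint64_t va, T& out) const { return Read(va, &out, sizeof(T)); }

private:
    const PhysMem& phys_;
    uint64_t cr3_;
};

// --- constructed test fixture: build page tables by hand --------------------
static uint64_t AllocPage(uint64_t& next_free) { uint64_t p = next_free; next_free += kPageSize; return p; }

// Map one 4 KiB page va -> pa under cr3, allocating intermediate tables on demand.
static void MapPage(PhysMem& phys, uint64_t cr3, uint64_t va, uint64_t pa, uint64_t& next_free) {
    uint64_t table = cr3;
    for (int level = 3; level >= 1; --level) {
        uint64_t slot = table + ((va >> (12 + 9 * level)) & 0x1FF) * 8;
        uint64_t entry = 0;
        phys.ReadQword(slot, entry);
        if (!(entry & kPresent)) { entry = AllocPage(next_free) | kPresent; phys.WriteQword(slot, entry); }
        table = entry & kFrameMask;
    }
    phys.WriteQword(table + ((va >> 12) & 0x1FF) * 8, (pa & kFrameMask) | kPresent);
}

constexpr uint64_t kDemoVa = 0x7FF70000;   // constructed guest VA (same region as the README snippet)
constexpr uint64_t kDemoValue = 0x1122334455667788ull;

// Two adjacent guest pages backed by non-adjacent frames, with kDemoValue straddling them. Returns cr3.
uint64_t BuildDemoMapping(PhysMem& phys) {
    uint64_t next_free = 0x10000;                        // bump allocator for paging structures
    uint64_t cr3 = AllocPage(next_free);
    const uint64_t frame_a = 0x30000, frame_b = 0x20000; // deliberately out of order
    MapPage(phys, cr3, kDemoVa, frame_a, next_free);
    MapPage(phys, cr3, kDemoVa + kPageSize, frame_b, next_free);
    const uint8_t* v = reinterpret_cast<const uint8_t*>(&kDemoValue);
    std::memcpy(&phys.bytes[frame_a + 0xFFC], v, 4);     // first 4 bytes end page A
    std::memcpy(&phys.bytes[frame_b], v + 4, 4);         // last 4 bytes start page B
    return cr3;
}

int main() {
    PhysMem phys(64 * kPageSize);
    GuestMemorySim mem(phys, BuildDemoMapping(phys));
    uint64_t value = 0;
    bool ok = mem.ReadValue<uint64_t>(kDemoVa + 0xFFC, value);   // 8 bytes, 4 on each side of the boundary
    std::printf("cross-page read ok=%d value=0x%016llx\n", ok, (unsigned long long)value);
    return ok && value == kDemoValue ? 0 : 1;
}
```

The real class performs the walk through the hypervisor against a live guest; the simulation keeps only the algorithmic part. Two things are worth checking in any implementation of this interface: every page of a multi-page read must be translated separately, because adjacent guest VAs need not map to adjacent physical frames, and a production walk must honour the PS bit for 2 MiB and 1 GiB large pages, which this example deliberately leaves out.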

3. Call Flow Overview

  1. Get PsActiveProcessHead
  2. Get the target CR3
  3. Initialize GuestMemory
  4. Find the PEB
  5. Find the target DLL
  6. Use GuestMemory to read/write the target address

BSD 2-Clause License (Clear Attribution Required)

Copyright (c) [2025], [wz5200]
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Source code redistributions must retain the above copyright notice, this list of conditions, and the following disclaimer.
  2. Binary redistributions must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. All redistributions must clearly attribute the original author ([wz5200]) in any public or private use of this software.

About

hypervisor with memory introspection capabilities

Languages

  • C++ 99.8%
  • Assembly 0.2%