/yclass

Inspect and recreate in-memory data structures

Primary LanguageRustMIT LicenseMIT

YClass

A program that allows you to inspect and recreate data structures of other processes.

Installation

To compile YClass you will need Rust.

git clone https://github.com/ItsEthra/yclass
cd yclass
cargo r --release

Features

  • Preserving fields' offsets when other fields are replaced.
  • Different variable types:
    • I8, I16, I32, I64
    • U8, U16, U32, U64
    • F32, F64
    • Pointer, String Pointer
    • Bool
  • Generating Rust/C++ code out of classes.
  • Saving/Opening project files.
  • Plugin API to customize reading behavior.
  • Preview of the memory pointer is pointing to.
  • Structure spider: tool that can search through multilevel pointers for specific values.

Hotkeys

  • Ctrl-C - Copies selected field's address (in hex) to the clipboard.
  • Ctrl-Shift-C - Copies selected field's value as 8 byte (in hex) to the clipboard.
  • Alt-A - Open a window to select a process to attach.
  • Alt-Ctrl-A - Attach to the most recent process.
  • Alt-D - Detach from the process.

Planned features

  • - Writing values.
  • - Save/Open project files.
  • - Pointer preview on hover with unknown fields.
  • - Show in which module pointer address falls.
  • - Disassembly of function pointers.

Plugin API

You can write a plugin to change the way YClass reads memory. To do that you will need a shared library(.dll or .so) that exports following functions specified below. u32 return value should be treated as status code. If it's 0 then no error is displayed. Otherwise return value is displayed in the notification. Required functions:

  • fn yc_attach(process_id: u32) -> u32 - Called when attaching to a process.
  • fn yc_read(address: usize, buffer: *mut u8, buffer_size: usize) -> u32 - Called(very frequently) when reading memory.
    • address is in attached process address space.
    • buffer is in current process address space.
  • fn yc_write(address: usize, buffer: *const u8, buffer_size: usize) -> u32 - Called(rarely) when writing memory.
    • address is in attached process address space.
    • buffer is in current process address space.
  • fn yc_can_read(address: usize) -> bool - Called(mildly frequently) to check if address is "readable", i.e. a pointer.
    • address is in attached process address space.
  • fn yc_detach() - Called when detaching from a process.

After its done, put your library at ./plugin.ycpl or specify the path under plugin_path key in your config.

Config path:

  • Windows - C:\Users\%USER%\AppData\Roaming\yclass\config.toml
  • Unix - ~/.config/yclass/config.toml($XDG_CONFIG_HOME)