I always had an interest in reverse engineering. A few days ago I wanted to look at some game internals for fun, but it was packed & protected by EAC (EasyAntiCheat). This means its handles were stripped and I was unable to dump the process from Ring3. I decided to try to make a custom driver that would allow me to copy the process memory without using OpenProcess. I knew nothing about the Windows kernel or PE file structure, so I spent a lot of time reading articles and forums to make this project.

- Dump any process main module using a kernel driver (both x86 and x64).
- Works on protected system processes & processes with stripped handles (anti-cheats).

Before using KsDumperClient, the KsDumper driver needs to be loaded. It is unsigned so you need to load it however you want. I'm using drvmap for Win10. Everything is provided in this release if you want to use it as well.

- Run Driver/LoadUnsignedDriver.bat as Admin.
- Don't press any key or close the window yet!
- Press enter in the LoadCapcom cmd to unload the driver.

Note: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it!
Note2: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows.

This project was a way for me to learn about the Windows kernel, PE file structure and kernel-user space interactions.
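The loading procedure above relies on a signed but abusable driver (the Capcom driver behind LoadCapcom) to get an unsigned driver into the kernel, which is the part of this workflow a defender can see. The following is an added example, not code from KsDumper or its author: it scans Sysmon Event ID 6 (DriverLoad) records and flags loads that are unsigned, carry an invalid signature, come from outside the driver store, or match a local blocklist of known-abusable drivers. The field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the real Sysmon ones; the events, hashes, paths, the trusted-directory list and the blocklist are constructed assumptions for the example.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example, not part of the KsDumper project. The input is constructed to
look like Sysmon 6 events exported as one JSON object per line.
"""
import json
import ntpath

# Assumption: directories where legitimately installed drivers normally live.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Assumption: a local blocklist. capcom.sys is a signed driver that appears on
# Microsoft's recommended driver block rules because it lets callers run
# arbitrary kernel code; its signature being Valid is exactly why a plain
# "is it signed?" check is not enough.
KNOWN_ABUSABLE_DRIVERS = {"capcom.sys"}

# Constructed sample events (invented values, not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "UtcTime": "2024-01-01 10:00:00.000",
                "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Hashes": "SHA256=CONSTRUCTED_HASH_1", "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2024-01-01 10:05:00.000",
                "ImageLoaded": r"C:\Users\alice\Downloads\release\Driver\Capcom.sys",
                "Hashes": "SHA256=CONSTRUCTED_HASH_2", "Signed": "true",
                "Signature": "CAPCOM Co.,Ltd.", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2024-01-01 10:05:01.000",
                "ImageLoaded": r"C:\Users\alice\Downloads\release\Driver\unsigned_example.sys",
                "Hashes": "SHA256=CONSTRUCTED_HASH_3", "Signed": "false",
                "Signature": "", "SignatureStatus": "Unavailable"}),
    # A non-DriverLoad event and a malformed line, to show they are skipped.
    json.dumps({"EventID": 7, "UtcTime": "2024-01-01 10:06:00.000",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll"}),
    "{not valid json",
]


def assess_driver_load(event: dict) -> list[str]:
    """Return the list of reasons a single DriverLoad event looks suspicious."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    if name in KNOWN_ABUSABLE_DRIVERS:
        reasons.append("known-abusable driver")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned")
    elif event.get("SignatureStatus", "") != "Valid":
        reasons.append("signature not valid")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver store")
    return reasons


def scan_driver_loads(lines) -> list[dict]:
    """Parse JSON lines, keep Event ID 6, and collect findings with reasons."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the scan
        if event.get("EventID") != 6:
            continue
        reasons = assess_driver_load(event)
        if reasons:
            findings.append({"time": event.get("UtcTime"),
                             "image": event.get("ImageLoaded"),
                             "hashes": event.get("Hashes"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_driver_loads(SAMPLE_EVENTS):
        print(finding["time"], finding["image"], "->", ", ".join(finding["reasons"]))
```

One caveat worth keeping in mind when reading the results: a driver that is manually mapped into the kernel through the Capcom driver (which is what drvmap does) generally does not go through the normal image-load path, so the unsigned payload may never produce a DriverLoad event of its own. The reliable signal is the load of the signed loader driver itself, which is why the blocklist match and the out-of-driver-store path are checked independently of the signature status.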