From 164fe76a6957a87e9eb93583d540e0db92c2d4cd Mon Sep 17 00:00:00 2001 From: Nicolas Tremblay Date: Fri, 15 Feb 2019 00:37:25 -0800 Subject: [PATCH 1/3] Create README.md --- README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..2516dd3 --- /dev/null +++ b/README.md 
@@ -0,0 +1,44 @@ +# KsDumper +![Demo](https://i.imgur.com/6XyMDxa.gif) + +I always had an interest in reverse engineering. A few days ago I wanted to look at some game internals for fun, but it was packed & protected by EAC (EasyAntiCheat). +This means its handle were stripped and I was unable to dump the process from Ring3. I decided to try to make a custom driver that would allow me to copy the process memory without using OpenProcess. +I knew nothing about Windows kernel, PE file structure, so I spent a lot of time reading articles and forums to make this project. + +## Features +- Dump any process main module using a kernel driver (both x86 and x64) +- Rebuild PE32/PE64 header and sections +- Works on protected system processes & processes with stripped handles (anti-cheats) + +**Note**: Import table isn't rebuilt. + +## Usage +Before using KsDumperClient, the KsDumper driver needs to be loaded. + +It is unsigned so you need to load it however you want. I'm using drvmap for Win10. +Everything is provided in this release if you want to use it aswell. + +- Run `Driver/LoadCapcom.bat` as Admin. Don't press any key or close the window yet ! +- Run `Driver/LoadUnsignedDriver.bat` as Admin. +- Press enter in the `LoadCapcop` cmd to unload the driver. +- Run `KsDumperClient.exe`. +- Profit ! + +**Note**: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it ! +**Note2**: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows. + +## Disclaimer +This project was a way for me to learn about Windows kernel, PE file structure and kernel-user space interactions. It has been made available for informational and educational purposes only. + +Considering the nature of this project, it is highly recommended to run it in a `Virtual Environment`. I am not responsible for any crash or damage that could happen to your system. 
+ +## References +- https://github.com/not-wlan/drvmap +- https://github.com/Zer0Mem0ry/KernelBhop +- http://terminus.rewolf.pl/terminus/ +- https://www.unknowncheats.me/ + +## Compile Yourself +- Requires Visual Studio 2017 +- Requires Windows Driver Kit (WDK) +- Requires .NET 4.6.1 From 855012569d16ed331169d9bf653cbdb444db9280 Mon Sep 17 00:00:00 2001 From: Nicolas Tremblay Date: Fri, 15 Feb 2019 00:41:06 -0800 Subject: [PATCH 2/3] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 2516dd3..137213b 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,8 @@ This project was a way for me to learn about Windows kernel, PE file structure a Considering the nature of this project, it is highly recommended to run it in a `Virtual Environment`. I am not responsible for any crash or damage that could happen to your system. +**Important**: This tool makes no attempt at hiding itself. If you target protected games, the anti-cheat might flag this as a cheat and ban you after a while. Use a `Virtual Environment` ! + ## References - https://github.com/not-wlan/drvmap - https://github.com/Zer0Mem0ry/KernelBhop From 2adc7fe2bc03c581972f45bfb6abaa77f997c15a Mon Sep 17 00:00:00 2001 From: Nicolas Tremblay Date: Fri, 15 Feb 2019 01:05:53 -0800 Subject: [PATCH 3/3] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 137213b..0e03658 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ Considering the nature of this project, it is highly recommended to run it in a ## References - https://github.com/not-wlan/drvmap - https://github.com/Zer0Mem0ry/KernelBhop +- https://github.com/NtQuery/Scylla/ - http://terminus.rewolf.pl/terminus/ - https://www.unknowncheats.me/
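Review bot: In the Usage section of the README hunk (PATCH 1/3), the step "Press enter in the `LoadCapcop` cmd to unload the driver" is ambiguous and misspelled: the batch file is called `Driver/LoadCapcom.bat` two lines earlier, and the Note below says the KsDumper driver stays loaded until reboot, so this step must be unloading the Capcom loader driver rather than KsDumper itself. Spell out which driver is unloaded, e.g. "Press enter in the `LoadCapcom` window to unload the Capcom loader driver; KsDumper itself stays resident until reboot", and state explicitly that there is no unload step for KsDumper so users know the kernel driver remains active for the rest of the session. Minor wording: "its handle were stripped" should read "its handles were stripped", and "aswell" should be "as well".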
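Review bot: The **Important** paragraph added in PATCH 2/3 is placed under the Disclaimer heading, after the section a user following the numbered steps is likely to skip; since it changes whether someone should run the tool on their main install at all, move it into the Usage section next to the "Before using KsDumperClient, the KsDumper driver needs to be loaded" sentence, and merge the duplicated "Use a `Virtual Environment`" advice with the identical recommendation in the preceding Disclaimer sentence so the guidance appears once, where it is acted on.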
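Review bot: PATCH 3/3 adds `https://github.com/NtQuery/Scylla/` to References without saying why it is listed, while the Features section earlier in the series states "**Note**: Import table isn't rebuilt." Scylla is an import reconstruction tool, so the two belong together: extend that Note to say that imports must be rebuilt separately and name Scylla as the referenced tool for that step, rather than leaving a bare link the reader has to connect on their own.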