KsDumper : Dumping Processes Using The Power Of Kernel Space

KsDumper is a dumping processes using the power of kernel space. It is a custom driver that would allow me to copy the process memory without using OpenProcess.

Features

• Dump any process main module using a kernel driver (both x86 and x64)
• Rebuild PE32/PE64 header and sections
• Works on protected system processes & processes with stripped handles (anti-cheats)

Note: Import table isn’t rebuilt.

Also Read – Corsy : CORS Misconfiguration Scanner

Usage

Before using KsDumperClient, the KsDumper driver needs to be loaded.

It is unsigned so you need to load it however you want. I’m using drvmap for Win10. Everything is provided in this release if you want to use it as well.

1. Run Driver/LoadCapcom.bat as Admin. Don’t press any key or close the window yet !
2. Run Driver/LoadUnsignedDriver.bat as Admin.
3. Press enter in the LoadCapcom cmd to unload the driver.
4. Run KsDumperClient.exe.
5. Profit !

• Note1: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it !
• Note2: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows.

Disclaimer

This project is been made available for informational and educational purposes only. Considering the nature of this project, it is highly recommended to run it in a Virtual Environment. We are not responsible for any crash or damage that could happen to your system.

Important: This tool makes no attempt at hiding itself. If you target protected games, the anti-cheat might flag this as a cheat and ban you after a while. Use a Virtual Environment !

Compile Yourself

• Requires Visual Studio 2017
• Requires Windows Driver Kit (WDK)
• Requires .NET 4.6.1