KsDumper : Dumping Processes Using The Power Of Kernel Space

KsDumper is a dumping processes using the power of kernel space. It is a custom driver that would allow me to copy the process memory without using OpenProcess.

Features

  • Dump any process main module using a kernel driver (both x86 and x64)
  • Rebuild PE32/PE64 header and sections
  • Works on protected system processes & processes with stripped handles (anti-cheats)

Note: Import table isn’t rebuilt.

Also Read – Corsy : CORS Misconfiguration Scanner

Usage

Before using KsDumperClient, the KsDumper driver needs to be loaded.

It is unsigned so you need to load it however you want. I’m using drvmap for Win10. Everything is provided in this release if you want to use it as well.

  1. Run Driver/LoadCapcom.bat as Admin. Don’t press any key or close the window yet !
  2. Run Driver/LoadUnsignedDriver.bat as Admin.
  3. Press enter in the LoadCapcom cmd to unload the driver.
  4. Run KsDumperClient.exe.
  5. Profit !
  • Note1: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it !
  • Note2: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows.

Disclaimer

This project is been made available for informational and educational purposes only. Considering the nature of this project, it is highly recommended to run it in a Virtual Environment. We are not responsible for any crash or damage that could happen to your system.

Important: This tool makes no attempt at hiding itself. If you target protected games, the anti-cheat might flag this as a cheat and ban you after a while. Use a Virtual Environment !

Compile Yourself

  • Requires Visual Studio 2017
  • Requires Windows Driver Kit (WDK)
  • Requires .NET 4.6.1
R K

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

7 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

7 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

7 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

7 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

8 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

10 hours ago