Skip to content

lauralex/kdprocdumper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
PeFileFixer
PeFileFixer
 
 
ProcDumper
ProcDumper
 
 
UMProcDumper
UMProcDumper
 
 
.gitignore
.gitignore
 
 
ProcDumper.sln
ProcDumper.sln
 
 
README.md
README.md
 
 

Repository files navigation

KDProcDumper

Overview

KDProcDumper is a tool for kernel-mode process dumping, it is made of a Kernel-mode component and a User-mode component. The KM component will dump the process memory (only a specific module, provided by the UM component). The UM component communicates with the KM component in the following way:

  • Asks the KM component to get the size of a specific module
  • Asks the KM component to dump that module

Finally, the UM component will fix the PE file, adjusting the section headers, optional header and the debug directory.

Usage

You can load the driver using conventional methods (osr driver loader, sc create...) or by manual mapping (e.g., kdmapper or kdu).

Note

The PeFileFixer VS project is just to experiment with the PE file adjustements, only the ProcDumper and UMProcDumper are actually needed.

Features

  • Kernel-mode process dumping
  • Specific module dumping
  • IOCTL communication between UM and KM
  • PE file fixes

About

My Personal Kernel-Mode Process dumper

Topics

kernel-driver dumper process-dump

Resources

Readme
Activity

Stars

11 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages