I always had an interest in reverse engineering. A few days ago I wanted to look at some game internals for fun, but it was packed & protected by EAC (EasyAntiCheat). This means its handle were stripped and I was unable to dump the process from Ring3. I decided to try to make a custom driver that would allow me to copy the process memory without using OpenProcess. I knew nothing about Windows kernel, PE file structure, so I spent a lot of time reading articles and forums to make this project.
- Dump any process main module using a kernel driver (both x86 and x64)
- Rebuild PE32/PE64 header and sections
- Works on protected system processes & processes with stripped handles (anti-cheats)
Note: Import table isn’t rebuilt.
Before using KsDumperClient, the KsDumper driver needs to be loaded.
It is unsigned so you need to load it however you want. I’m using drvmap for Win10. Everything is provided in this release if you want to use it aswell.
Driver/LoadCapcom.batas Admin. Don’t press any key or close the window yet !
- Press enter in the
LoadCapcomcmd to unload the driver.
- Profit !
Note: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it !
Note2: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows.
- Requires Visual Studio 2017
- Requires Windows Driver Kit (WDK)
- Requires .NET 4.6.1