{"id":21919538,"url":"https://github.com/allogic/kdbg","last_synced_at":"2025-10-06T14:45:32.604Z","repository":{"id":155605435,"uuid":"344139433","full_name":"allogic/KDBG","owner":"allogic","description":"The windows kernel debugger consists of two parts, KMOD which is the kernel driver handling ring3 request and KCLI, the command line interface for the driver. It originated due to insufficient useability with CheatEngine's DBVM driver while debugging games running under certain AntiCheat software.","archived":false,"fork":false,"pushed_at":"2022-09-12T23:01:55.000Z","size":7305,"stargazers_count":94,"open_issues_count":0,"forks_count":31,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-19T16:39:34.075Z","etag":null,"topics":["anticheat","assembly","bypass","cheat","debugger","driver","engine","engineering","kcli","kctl","kdbg","kdu","kernel","kmod","memory","reverse","scanner","windows","x64","x86"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/allogic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-03-03T13:39:32.000Z","updated_at":"2025-03-10T05:03:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"d5f3f8b5-271d-476b-9eab-fcbd61f91061","html_url":"https://github.com/allogic/KDBG","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/allogic/KDBG","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allogic%2FKDBG","tags_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allogic%2FKDBG/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allogic%2FKDBG/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allogic%2FKDBG/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/allogic","download_url":"https://codeload.github.com/allogic/KDBG/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allogic%2FKDBG/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278628715,"owners_count":26018476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anticheat","assembly","bypass","cheat","debugger","driver","engine","engineering","kcli","kctl","kdbg","kdu","kernel","kmod","memory","reverse","scanner","windows","x64","x86"],"created_at":"2024-11-28T20:08:37.128Z","updated_at":"2025-10-06T14:45:32.599Z","avatar_url":"https://github.com/allogic.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# KDBG (Kernel Debugger/CheatEngine)\nThe windows kernel debugger consists of two parts, KMOD which is the kernel driver handling ring3 request and KCLI; the command line interface for the driver.\nIt originated due to insufficient 
usability with CheatEngine's DBVM driver while debugging games running under certain AntiCheat software.\nThe main goal now is to transform KDBG into a fully functional debugger. Note that BSODs are not uncommon; get familiar with them unless you know what you are doing.\n\n\u003e*I Don't Know The Future.*  \n\u003e*I Didn't Come Here To Tell You How This Is Going To End.*  \n\u003e*I Came Here To Tell You How It's Going To Begin.*  \n\n\\- The Matrix\n\n![](image/showcase.png)\n## Build\nOpen the Visual Studio solution and build for `Debug` or `Release` bitness `x64`.\n\n## Issues/Pull requests\nIf you find bugs or have improvements or suggestions, create an issue or pull request with a detailed description of why, what and how!\n0x616c will merge them as soon as he has finished dissecting Windows.\n\n## Install\nYou can start or stop the driver via tools like `kdu.exe` which will turn off `Driver Signature Enforcement` temporarily.  \nKDU is available here: https://github.com/hfiref0x/KDU\n```\nsc.exe create kmod type=kernel binPath=\"C:\\KMOD.sys\" // create system service (has to be done only once)\n.\\kdu.exe -dse 0                                     // disable DSE\nsc.exe start/stop kmod                               // start or stop service\n.\\kdu.exe -dse 6                                     // enable DSE (some ACs require DSE to be enabled)\n.\\KCLI.exe                                           // issue a variety of commands\n```\n\n## Features\n#### Write API\n * `WriteMemoryProcess` (Write arbitrary bytes into process images)\n * `WriteMemoryKernel` (Write arbitrary bytes into system images)\n#### Read API\n * `ReadMemoryProcess` (Read arbitrary bytes from process images)\n * `ReadMemoryKernel` (Read arbitrary bytes from system images)\n * `ReadModulesProcess` (Read all modules of a specific process)\n * `ReadModulesKernel` (Read all kernel modules)\n * `ReadThreadsProcess` (Read all threads of a specific process)\n * `ReadScanResults` (not 
implemented)\n#### Trace API\n * `TraceContextStart` (Start a system trace thread which will look for registers which contain certain addresses)\n * `TraceContextStop` (Stop the previously started trace thread)\n#### Debug API\n * `DebugBreakpointSet` (not implemented)\n * `DebugBreakpointRem` (not implemented)\n#### Scan API\n * `ScanNew` (not implemented)\n * `ScanUndo` (not implemented)\n * `ScanInt` (not implemented)\n * `ScanReal` (not implemented)\n * `ScanBytes` (not implemented)\n * `ScanFilterChanged` (not implemented)\n * `ScanFilterUnchanged` (not implemented)\n * `ScanFilterIncreased` (not implemented)\n * `ScanFilterDecreased` (not implemented)\n\n## WriteMemoryProcess\nSyntax: `.\\KCLI.exe /WriteMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]`  \nExample: `.\\KCLI.exe /WriteMemoryProcess taskmgr.exe taskmgr.exe 40000 3 909090`\n\n## WriteMemoryKernel\nSyntax: `.\\KCLI.exe /WriteMemoryKernel [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]`  \nExample: `.\\KCLI.exe /WriteMemoryKernel ntoskrnl.exe 40000 3 909090`\n\n## ReadMemoryProcess\nSyntax: `.\\KCLI.exe /ReadMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)]`  \nExample: `.\\KCLI.exe /ReadMemoryProcess taskmgr.exe taskmgr.exe 40000 32`\n```\n0x00040000 FD FF 48 FF 15 17 57 09 00 0F 1F 44 00 00 8B 43\n0x00040010 3C E9 A1 93 FD FF 4C 89 7D 48 BE 02 00 07 80 E9\n\n0x00040000 FD .. .. .. .. .. .. .. .. .. .. std\n0x00040001 FF 48 FF .. .. .. .. .. .. .. .. dec dword ptr [rax - 1]\n0x00040004 15 17 57 09 00 .. .. .. .. .. .. adc eax, 0x95717\n0x00040009 0F 1F 44 00 00 .. .. .. .. .. .. nop dword ptr [rax + rax]\n0x0004000E 8B 43 3C .. .. .. .. .. .. .. .. mov eax, dword ptr [rbx + 0x3c]\n0x00040011 E9 A1 93 FD FF .. .. .. .. .. .. jmp 0x193b7\n0x00040016 4C 89 7D 48 .. .. .. .. .. .. .. mov qword ptr [rbp + 0x48], r15\n0x0004001A BE 02 00 07 80 .. .. .. .. .. .. 
mov esi, 0x80070002\n```\n## ReadMemoryKernel\nSyntax: `.\\KCLI.exe /ReadMemoryKernel [ImageName] [Offset(hex)] [Size(dec)]`  \nExample: `.\\KCLI.exe /ReadMemoryKernel ntoskrnl.exe 40000 32`\n```\n0x00040000 63 00 74 00 00 00 00 00 5C 00 52 00 45 00 47 00\n0x00040010 49 00 53 00 54 00 52 00 59 00 5C 00 55 00 53 00\n\n0x00040000 63 00 .. .. .. .. .. .. .. .. .. movsxd rax, dword ptr [rax]\n0x00040002 74 00 .. .. .. .. .. .. .. .. .. je 0x40004\n0x00040004 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al\n0x00040006 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al\n0x00040008 5C .. .. .. .. .. .. .. .. .. .. pop rsp\n0x00040009 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl\n0x0004000C 45 00 47 00 .. .. .. .. .. .. .. add byte ptr [r15], r8b\n0x00040010 49 00 53 00 .. .. .. .. .. .. .. add byte ptr [r11], dl\n0x00040014 54 .. .. .. .. .. .. .. .. .. .. push rsp\n0x00040015 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl\n0x00040018 59 .. .. .. .. .. .. .. .. .. .. pop rcx\n0x00040019 00 5C 00 55 .. .. .. .. .. .. .. add byte ptr [rax + rax + 0x55], bl\n0x0004001D 00 53 00 .. .. .. .. .. .. .. .. 
add byte ptr [rbx], dl\n```\n## ReadModulesProcess\nSyntax: `.\\KCLI.exe /ReadModulesProcess [ProcessName] [Size(dec)]`  \nExample: `.\\KCLI.exe /ReadModulesProcess taskmgr.exe 10`\n```\n  Start            End                    Size Name\n----------------------------------------------------------------\n  00007FFAD0740000 00007FFAD07FD000     774144 KERNEL32.DLL\n  00007FFACF5B0000 00007FFACF879000    2920448 KERNELBASE.dll\n  00007FFACF0A0000 00007FFACF1A0000    1048576 ucrtbase.dll\n  00007FFACFBB0000 00007FFACFC7D000     839680 OLEAUT32.dll\n  00007FFACF300000 00007FFACF39D000     643072 msvcp_win.dll\n  00007FFACFD30000 00007FFAD0085000    3493888 combase.dll\n  00007FFAD0D30000 00007FFAD0E5B000    1224704 RPCRT4.dll\n  00007FFACF8B0000 00007FFACF8B8000      32768 NSI.dll\n  00007FFAD0E60000 00007FFAD0EB5000     348160 SHLWAPI.dll\n  00007FFAD1740000 00007FFAD17DE000     647168 msvcrt.dll\n```\n## ReadModulesKernel\nSyntax: `.\\KCLI.exe /ReadModulesKernel [Size(dec)]`  \nExample: `.\\KCLI.exe /ReadModulesKernel 10`\n```\n  Start            End                    Size Name\n----------------------------------------------------------------\n  FFFFF80457800000 FFFFF80458846000   17063936 ntoskrnl.exe\n  FFFFF80454E70000 FFFFF80454E76000      24576 hal.dll\n  FFFFF80454E80000 FFFFF80454E8B000      45056 kd.dll\n  FFFFF80454BE0000 FFFFF80454E6F000    2682880 mcupdate_GenuineIntel.dll\n  FFFFF80454EC0000 FFFFF80454F29000     430080 CLFS.SYS\n  FFFFF80454E90000 FFFFF80454EB7000     159744 tm.sys\n  FFFFF80454F30000 FFFFF80454F4A000     106496 PSHED.dll\n  FFFFF80454F50000 FFFFF80454F5B000      45056 BOOTVID.dll\n  FFFFF80454F60000 FFFFF80454FCF000     454656 FLTMGR.SYS\n  FFFFF8045A550000 FFFFF8045A5B2000     401408 msrpc.sys\n```\n## ReadThreadsProcess\nSyntax: `.\\KCLI.exe /ReadThreadsProcess [ProcessName] [Size(dec)]`  \nExample: `.\\KCLI.exe /ReadThreadsProcess taskmgr.exe 6`\n```\n         Pid        
Tid\n----------------------------------------------------------------\n        9116       5632\n        9116      10704\n        9116      10804\n        9116      12284\n        9116      10096\n        9116       4984\n```\n## ReadScanResults\nSyntax: `.\\KCLI.exe /ReadScanResults`\n\n## TraceContextStart\nSyntax: `.\\KCLI.exe /TraceContextStart [Address(hex)]`\n\n## TraceContextStop\nSyntax: `.\\KCLI.exe /TraceContextStop [Id(dec)]`\n\n## DebugBreakpointSet\nSyntax: `.\\KCLI.exe /DebugBreakpointSet [Base(hex)] [Type(0=Software|1=Hardware)]`\n\n## DebugBreakpointRem\nSyntax: `.\\KCLI.exe /DebugBreakpointRem [Base(hex)]`\n\n## ScanNew\nSyntax: `.\\KCLI.exe /ScanNew`\n\n## ScanUndo\nSyntax: `.\\KCLI.exe /ScanUndo`\n\n## ScanInt\nSyntax: `.\\KCLI.exe /ScanInt`\n\n## ScanReal\nSyntax: `.\\KCLI.exe /ScanReal`\n\n## ScanBytes\nSyntax: `.\\KCLI.exe /ScanBytes`\n\n## ScanFilterChanged\nSyntax: `.\\KCLI.exe /ScanFilterChanged`\n\n## ScanFilterUnchanged\nSyntax: `.\\KCLI.exe /ScanFilterUnchanged`\n\n## ScanFilterIncreased\nSyntax: `.\\KCLI.exe /ScanFilterIncreased`\n\n## ScanFilterDecreased\nSyntax: `.\\KCLI.exe /ScanFilterDecreased`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallogic%2Fkdbg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fallogic%2Fkdbg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallogic%2Fkdbg/lists"}