https://github.com/lauralex/kdprocdumper

My Personal Kernel-Mode Process dumper
https://github.com/lauralex/kdprocdumper

dumper kernel-driver process-dump

Last synced: 3 months ago
JSON representation

My Personal Kernel-Mode Process dumper

• Host: GitHub
• URL: https://github.com/lauralex/kdprocdumper
• Owner: lauralex
• Created: 2024-02-05T02:30:21.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2024-02-18T19:07:52.000Z (almost 2 years ago)
• Last Synced: 2024-12-04T16:18:58.328Z (about 1 year ago)
• Topics: dumper, kernel-driver, process-dump
• Language: C
• Homepage:
• Size: 32.2 KB
• Stars: 11
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# KDProcDumper

## Overview

KDProcDumper is a tool for kernel-mode process dumping, it is made of a Kernel-mode component and a User-mode component.

The KM component will dump the process memory (only a specific module, provided by the UM component).

The UM component communicates with the KM component in the following way:

- Asks the KM component to get the size of a specific module

- Asks the KM component to dump that module

Finally, the UM component will fix the PE file, adjusting the section headers, optional header and the debug directory.

## Usage

You can load the driver using conventional methods (osr driver loader, sc create...) or by manual mapping (e.g., kdmapper or kdu).

## Note

The `PeFileFixer` VS project is just to experiment with the PE file adjustements, only the `ProcDumper` and `UMProcDumper` are actually needed.

## Features

- Kernel-mode process dumping

- Specific module dumping

- IOCTL communication between UM and KM

- PE file fixes