What?

KMemDriver is a Windows 10 x64 driver designed to manipulate memory (and more) from ring0. It is also possible to bypass existing ring0/ring3 AntiCheat solutions e.g. BE and EAC. It can also be used to manual map a user space DLL to a protected process and hide its occupied memory pages.

Dependencies

• Visual Studio 2017 Community Edition
• Visual C++ MFC for x86 and x64
• Windows 10 x64 1803 (may work on older versions, not verified)
• Windows 10 SDK 10.0.17763.0
• Windows Driver Kit 1803 (10.0.17763.0)
• Windows Universal CRT SDK
• C++/CLI support
• VC++ 2017 tools

The recommended way to install all dependencies is through vs_community.exe.

HowTo

KMemDriver was designed work together with PastDSE as injector. KMemDriver supports manual mapping in terms as it does not use any kernel symbol (with 1 exception) that require a legit loaded driver.

Tests

To make sure that KMemDriver works as expected you can run two different kind of tests to verify it for your OS. There are two different kind of tests: - integration test (TODO) - stress test (TODO)

Features

• communicates to the user space controller program via own written shared memory alike mechanism
• uses Windows events for the kernel space and user space as synchronization
• read all mapped memory pages of a process
• read all mapped modules of process
• read memory of a process (bypass page protections)
• write memory to a process (bypass page protections)
• allocate memory with specified page protection to a process
• free memory of a process
• unlink memory from VAD of a process

Contributors

As you can see, I've used some slightly modified code from BlackBone for VAD routines and manual DLL mapping.