| author | Toni Uhlig <matzeton@googlemail.com> | 2021-04-18 16:57:18 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2021-04-18 16:57:18 +0200 |
| commit | 0c0143fbfacbfc2c62eb8180fa3de2e5debff724 (patch) | |
| tree | c32c06314bbf5fc821654e8494fded7cbb82c6f4 | |
| parent | 791a8c5475e2291ff2c2526a1468ff42fc0328c8 (diff) | |
update README.md
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | README.md | 26 |
1 files changed, 18 insertions, 8 deletions
@@ -1,7 +1,8 @@ # What? *KMemDriver* is a **Windows 10 x64 driver** designed to manipulate memory (and more) from ring0. It is also possible to bypass existing ring0/ring3 AntiCheat solutions e.g. BE and EAC. -It can also be used to manual map a user space DLL to a protected process and hide its occupied memory pages. +It can also be used to manual map a user space DLL to a protected process. +Communication is done through virtual memory. # Dependencies 
@@ -21,24 +22,33 @@ The recommended way to install all dependencies is through [vs_community.exe](ht *KMemDriver* was designed work together with *PastDSE* as injector. *KMemDriver* supports manual mapping in terms as it does not use any kernel symbol (with 1 exception) that require a legit loaded driver. +For the use with *PastDSE*: +Make sure that *KMemDriver* and *PastDSE* are in the same folder. +With that you can just inject by executing PastDSE-Manual-Map-\*.bat as Administrator. + # Tests -To make sure that KMemDriver works as expected you can run two different kind of tests to verify it for your OS. -There are two different kind of tests: -- integration test (TODO) -- stress test (TODO) +To make sure that KMemDriver works as expected you can run an integration test. # Features -- communicates to the user space controller program via own written shared memory alike mechanism -- uses Windows events for the kernel space and user space as synchronization +- communicates to the user space controller program via a shared memory alike mechanism +- uses (unnamed) Windows events for kernel space and user space as synchronization - read all mapped memory pages of a process - read all mapped modules of process - read memory of a process (bypass page protections) - write memory to a process (bypass page protections) - allocate memory with specified page protection to a process - free memory of a process -- unlink memory from VAD of a process +- unlink memory from VAD of a process (requires PatchGuard to be disabled) + + +# AntiCheat status + +I've used it only for EAC protected games. +If you are using only RPM and WPM (e.g. don't inject any DLL into an EAC protected processes) it may (or may not, depending on the game) more or less safe. +But keep in mind that manual mapped drivers (that start a system thread) and windows events (leaving traces in form of handles) is a detection vector that does not even require advanced anti cheat software for successful detection. 
+Injecting DLL's into EAC protected processes (w/o other countermeasures) will get you banned very soon. # Contributors |
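Review bot: the new line "Communication is done through virtual memory." in the first hunk states a transport without saying what is shared or how the two sides are synchronized, while the Features section further down still describes the same channel as "a shared memory alike mechanism" with unnamed Windows events; suggest either pointing to that section here or describing the channel in one place only, so the two descriptions cannot drift apart. Also, "to manual map a user space DLL" should read "to manually map a user space DLL".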
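Review bot: in the AntiCheat status paragraph of the second hunk, "it may (or may not, depending on the game) more or less safe" is missing its verb ("may ... be more or less safe"), and "DLL's" should be "DLLs". The two blank lines inserted before "# AntiCheat status" are inconsistent with the single blank line used before every other heading. The Tests section now promises an integration test but the hunk neither names it nor says how to run it; either link the test here or keep the earlier "(TODO)" marker until it exists. The untouched context line "*KMemDriver* was designed work together with *PastDSE*" is also missing "to" and could be fixed in the same commit.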