-rw-r--r-- | README.md | 35 |
1 files changed, 19 insertions, 16 deletions
@@ -1,34 +1,38 @@ # What? -*KMemDriver* is a **Windows 10 x64 driver** designed to manipulate memory (and more) -from ring0. It is also possible to bypass existing ring0/ring3 AntiCheat solutions e.g. BE and EAC. +*KMemDriver* is a **Windows 10 x64 driver** designed to manipulate memory from ring0. It can also be used to manual map a user space DLL to a protected process. -Communication is done through virtual memory. +Communication is done through shared memory. # Dependencies -- Visual Studio 2017 Community Edition +- Visual Studio 2017/2019 Community Edition - Visual C++ MFC for x86 and x64 -- Windows 10 x64 1803 (may work on older versions, not verified) -- Windows 10 SDK 10.0.17763.0 -- Windows Driver Kit 1803 (10.0.17763.0) +- Windows 10 x64 +- Windows 10 SDK (>=10.0.17763.0) +- Windows Driver Kit 1803 (>=10.0.17763.0) - Windows Universal CRT SDK - C++/CLI support -- VC++ 2017 tools +- VC++ 2017/2019 tools The recommended way to install all dependencies is through [vs_community.exe](https://visualstudio.microsoft.com/). # HowTo *KMemDriver* was designed work together with *PastDSE* as injector. -*KMemDriver* supports manual mapping in terms as it does not use any kernel symbol (with 1 exception) that require a legit loaded driver. +*KMemDriver* supports manual mapping in terms as it does not use any kernel API that requires a legit loaded driver. For the use with *PastDSE*: -Make sure that *KMemDriver* and *PastDSE* are in the same folder. +Make sure that *KMemDriver* and *PastDSE* have the same parent folder. With that you can just inject by executing PastDSE-Manual-Map-\*.bat as Administrator. +Remember that the driver detects possible clients by their basename suffix "kmem" e.g. `some-fancy-app-kmem.exe` +and waits until it maps the memory pages into it's address space (and responds to the handshake via mentioned shared memory). +Together with a kernel EVENT and user EVENT this builds the shared memory w/ bidirectional synchronisation. 
+Running multiple clients is not supported. + # Tests -To make sure that KMemDriver works as expected you can run an integration test. +To make sure that KMemDriver works as expected you can run an integration test after injection. # Features @@ -40,16 +44,15 @@ To make sure that KMemDriver works as expected you can run an integration test. - write memory to a process (bypass page protections) - allocate memory with specified page protection to a process - free memory of a process -- unlink memory from VAD of a process (requires PatchGuard to be disabled) # AntiCheat status -I've used it only for EAC protected games. -If you are using only RPM and WPM (e.g. don't inject any DLL into an EAC protected processes) it may (or may not, depending on the game) more or less safe. -But keep in mind that manual mapped drivers (that start a system thread) and windows events (leaving traces in form of handles) is a detection vector that does not even require advanced anti cheat software for successful detection. +I've used it for EAC protected games only. +If you are using only RPM and WPM (e.g. don't inject any DLL into an EAC protected processes) it may (or may not, depending on the game) not get detected (at the time of writing this). +But keep in mind that manual mapped drivers (e.g. that start a system thread) and windows events (leaving traces in form of handles) is a detection vector that does not even require advanced anti cheat software for successful detection. Injecting DLL's into EAC protected processes (w/o other countermeasures) will get you banned very soon. # Contributors -As you can see, I've used some slightly modified code from [BlackBone](https://github.com/DarthTon/Blackbone) for VAD routines and manual DLL mapping. +As you may see, I've used some slightly modified code from [BlackBone](https://github.com/DarthTon/Blackbone) for manual DLL mapping. |
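Review bot: the client-discovery paragraph added at the end of the first hunk describes a trust decision that the README should state as a limitation rather than as a convenience: the driver picks its client purely by the executable basename suffix `kmem`, so the process name is the only check before the shared memory and the kernel/user EVENT handshake are established, and any local process carrying that suffix can attempt the handshake. Suggest a sentence saying so next to "Running multiple clients is not supported.", plus what the driver does when a second matching process appears (ignored, refused, or undefined). Two wording fixes in the same hunk: "waits until it maps the memory pages into it's address space" should read "its", and the unchanged context line "*KMemDriver* was designed work together with *PastDSE*" is missing "to" (also "manual map a user space DLL" should be "manually map"). Separately, the dependency line "Windows Driver Kit 1803 (>=10.0.17763.0)" mixes labels: build 10.0.17763 is the 1809 SDK/WDK, so either the version name or the build number should change.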
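Review bot: the reworded detection-risk sentence in the second hunk is hard to parse: "it may (or may not, depending on the game) not get detected" is a double negative; suggest "it may or may not be detected, depending on the game (at the time of writing)". The next sentence keeps a number-agreement error from the old text, "manual mapped drivers ... and windows events ... is a detection vector" should be "are detection vectors", and "Injecting DLL's" should be "Injecting DLLs". Since this hunk also drops "unlink memory from VAD of a process" from # Features and removes the VAD credit from # Contributors, the README should say explicitly that the VAD feature was removed, so readers of older notes do not expect it; a short line under # Features would do.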