Kernel-Bridge icon indicating copy to clipboard operation
Kernel-Bridge copied to clipboard
verified publisher icon HoShiMin

Fastest way to read process memory

Open behzad62 opened this issue 4 years ago • 14 comments

While testing, I noticed reading a process memory using Kernel-Bridge is slower than a small driver I wrote. I checked and it seems KB is mapping MDLs and then copies the memory. While all I need is using a Method_Out_Direct to get a kernel-address space buffer and attach to target process stack, Copy memory and detach. I wonder if such a thing or something close is possible in KB?

behzad62 avatar Aug 10 '21 17:08 behzad62

Sure, in the kb2 that still is in development I already improved read and write performance

HoShiMin avatar Aug 11 '21 18:08 HoShiMin

Sure, in the kb2 that still is in development I already improved read and write performance

Good to know, looking forward to it. Meanwhile I tried to map my driver using KB and while it succeeds, I didn't have any luck communicating with it. CreateFile simply fails to open a handle to driver.

behzad62 avatar Aug 14 '21 19:08 behzad62

Well I fixed the above issue. Now I wonder if calling NtUnloadDriver is enough to free the allocated kernel memory and un map the driver, else it would be nice if you implement this feature in kb2.

behzad62 avatar Aug 15 '21 10:08 behzad62

But you should deallocate the allocated memory manually if your driver was manualmapped. Nobody knows how to deallocate the memory properly. And it is unsafe at all to unload a manualmapped driver.

HoShiMin avatar Aug 15 '21 14:08 HoShiMin

It seems, recent updates to windows prevents your signed driver to load. Well that makes mapping drivers using KB impossible anyway.

behzad62 avatar Aug 17 '21 15:08 behzad62

Sure, in the kb2 that still is in development I already improved read and write performance

hi, when will kb2 be released and will it support vthook?

romanholidaypancakes avatar Dec 29 '21 07:12 romanholidaypancakes

Sure, it will be open-source. But it is the very loooong project that I have been making for about ~2 years. I didn't abandon it: it had two complete refactorings and now I divided it into two parts: the framework Ktl and the Kb itself that built on top of the Ktl. So, I don't think it will be complete soon, but when it's ready - it will be open-source.

HoShiMin avatar Apr 09 '22 09:04 HoShiMin

Sure, it will be, I answered here: Fastest way to read process memory · Issue #37 · HoShiMin/Kernel-Bridge (github.com)09.04.2022, 04:04, "liwei1024" @.***>:

Sure, in the kb2 that still is in development I already improved read and write performance

Will KB2 still open source

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: @.***>

HoShiMin avatar Apr 09 '22 09:04 HoShiMin

当然,在仍在开发中的 kb2 中,我已经提高了读写性能

Can KB1 be updated first

liwei1024 avatar May 07 '22 07:05 liwei1024

Sure, it will be open-source. But it is the very loooong project that I have been making for about ~2 years. I didn't abandon it: it had two complete refactorings and now I divided it into two parts: the framework Ktl and the Kb itself that built on top of the Ktl. So, I don't think it will be complete soon, but when it's ready - it will be open-source.

hi, can we know something about the progress of kb2? thanks😀

romanholidaypancakes avatar Apr 25 '23 16:04 romanholidaypancakes