# KDBG (Kernel Debugger/CheatEngine) The windows kernel debugger consists of two parts, KMOD which is the kernel driver handling ring3 request and KCLI; the command line interface for the driver. It originated due to insufficient useability with CheatEngine's DBVM driver while debugging games running under certain AntiCheat software. The main goal now is to transform KDBG into a fully functional debugger. Note that BSOD's are not uncommon, one should get familiar with them unless you know what you are doing. >*I Don't Know The Future.* >*I Didn't Come Here To Tell You How This Is Going To End.* >*I Came Here To Tell You How It's Going To Begin.* \- The Matrix ![](image/showcase.png) ## Build Open the VisualStudio solution and build for `Debug` or `Release` bitness `x64`. ## Issues/Pull requests If you find bugs or got improvements or suggestions, create an issue or pull request with a detailed description why/what and how! 0x616c will merge them as soon as he finished dissecting windows. ## Install You can start or stop the driver via tools like `kdu.exe` which will turn off `Driver Signature Enforcement` temporarily. KDU is available here: https://github.com/hfiref0x/KDU ``` sc.exe create kmod type=kernel binPath="C:\KMOD.sys" // create system service (has to be done only once) .\kdu.exe -dse 0 // disable DSE sc.exe start/stop kmod // start or stop service .\kdu.exe -dse 6 // enable DSE (some AC's require DSE to be enabled) .\KCLI.exe // issue a variety of commands ``` ## Features #### Write API * `WriteMemoryProcess` (Write arbitrary bytes into process images) * `WriteMemoryKernel` (Write arbitrary bytes into system images) #### Read API * `ReadMemoryProcess` (Read arbitrary bytes from process images) * `ReadMemoryKernel` (Read arbitrary bytes from system images) * `ReadModulesProcess` (Read all modules of a specific process) * `ReadModulesKernel` (Read all kernel modules) * `ReadThreadsProcess` (Read all threads of a specific process) * `ReadScanResults` (not implemented) #### Trace API * `TraceContextStart` (Start a system trace thread which will look for registers which contain certain addresses) * `TraceContextStop` (Stop the previously started trace thread) #### Debug API * `DebugBreakpointSet` (not implemented) * `DebugBreakpointRem` (not implemented) #### Scan API * `ScanNew` (not implemented) * `ScanUndo` (not implemented) * `ScanInt` (not implemented) * `ScanReal` (not implemented) * `ScanBytes` (not implemented) * `ScanFilterChanged` (not implemented) * `ScanFilterUnchanged` (not implemented) * `ScanFilterIncreased` (not implemented) * `ScanFilterDecreased` (not implemented) ## WriteMemoryProcess Syntax: `.\KCLI.exe /WriteMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]` Example: `.\KCLI.exe /WriteMemoryProcess taskmgr.exe taskmgr.exe 40000 3 909090` ## WriteMemoryKernel Syntax: `.\KCLI.exe /WriteMemoryKernel [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]` Example: `.\KCLI.exe /WriteMemoryKernel ntoskrnl.exe 40000 3 909090` ## ReadMemoryProcess Syntax: `.\KCLI.exe /ReadMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)]` Example: `.\KCLI.exe /ReadMemoryProcess taskmgr.exe taskmgr.exe 40000 32` ``` 0x00040000 FD FF 48 FF 15 17 57 09 00 0F 1F 44 00 00 8B 43 0x00040010 3C E9 A1 93 FD FF 4C 89 7D 48 BE 02 00 07 80 E9 0x00040000 FD .. .. .. .. .. .. .. .. .. .. std 0x00040001 FF 48 FF .. .. .. .. .. .. .. .. dec dword ptr [rax - 1] 0x00040004 15 17 57 09 00 .. .. .. .. .. .. adc eax, 0x95717 0x00040009 0F 1F 44 00 00 .. .. .. .. .. .. nop dword ptr [rax + rax] 0x0004000E 8B 43 3C .. .. .. .. .. .. .. .. mov eax, dword ptr [rbx + 0x3c] 0x00040011 E9 A1 93 FD FF .. .. .. .. .. .. jmp 0x193b7 0x00040016 4C 89 7D 48 .. .. .. .. .. .. .. mov qword ptr [rbp + 0x48], r15 0x0004001A BE 02 00 07 80 .. .. .. .. .. .. mov esi, 0x80070002 ``` ## ReadMemoryKernel Syntax: `.\KCLI.exe /ReadMemoryKernel [ImageName] [Offset(hex)] [Size(dec)]` Example: `.\KCLI.exe /ReadMemoryKernel ntoskrnl.exe 40000 32` ``` 0x00040000 63 00 74 00 00 00 00 00 5C 00 52 00 45 00 47 00 0x00040010 49 00 53 00 54 00 52 00 59 00 5C 00 55 00 53 00 0x00040000 63 00 .. .. .. .. .. .. .. .. .. movsxd rax, dword ptr [rax] 0x00040002 74 00 .. .. .. .. .. .. .. .. .. je 0x40004 0x00040004 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al 0x00040006 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al 0x00040008 5C .. .. .. .. .. .. .. .. .. .. pop rsp 0x00040009 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl 0x0004000C 45 00 47 00 .. .. .. .. .. .. .. add byte ptr [r15], r8b 0x00040010 49 00 53 00 .. .. .. .. .. .. .. add byte ptr [r11], dl 0x00040014 54 .. .. .. .. .. .. .. .. .. .. push rsp 0x00040015 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl 0x00040018 59 .. .. .. .. .. .. .. .. .. .. pop rcx 0x00040019 00 5C 00 55 .. .. .. .. .. .. .. add byte ptr [rax + rax + 0x55], bl 0x0004001D 00 53 00 .. .. .. .. .. .. .. .. add byte ptr [rbx], dl ``` ## ReadModulesProcess Syntax: `.\KCLI.exe /ReadModulesProcess [ProcessName] [Size(dec)]` Example: `.\KCLI.exe /ReadModulesProcess taskmgr.exe 10` ``` Start End Size Name ---------------------------------------------------------------- 00007FFAD0740000 00007FFAD07FD000 774144 KERNEL32.DLL 00007FFACF5B0000 00007FFACF879000 2920448 KERNELBASE.dll 00007FFACF0A0000 00007FFACF1A0000 1048576 ucrtbase.dll 00007FFACFBB0000 00007FFACFC7D000 839680 OLEAUT32.dll 00007FFACF300000 00007FFACF39D000 643072 msvcp_win.dll 00007FFACFD30000 00007FFAD0085000 3493888 combase.dll 00007FFAD0D30000 00007FFAD0E5B000 1224704 RPCRT4.dll 00007FFACF8B0000 00007FFACF8B8000 32768 NSI.dll 00007FFAD0E60000 00007FFAD0EB5000 348160 SHLWAPI.dll 00007FFAD1740000 00007FFAD17DE000 647168 msvcrt.dll ``` ## ReadModulesKernel Syntax: `.\KCLI.exe /ReadModulesKernel [Size(dec)]` Example: `.\KCLI.exe /ReadModulesKernel 10` ``` Start End Size Name ---------------------------------------------------------------- FFFFF80457800000 FFFFF80458846000 17063936 ntoskrnl.exe FFFFF80454E70000 FFFFF80454E76000 24576 hal.dll FFFFF80454E80000 FFFFF80454E8B000 45056 kd.dll FFFFF80454BE0000 FFFFF80454E6F000 2682880 mcupdate_GenuineIntel.dll FFFFF80454EC0000 FFFFF80454F29000 430080 CLFS.SYS FFFFF80454E90000 FFFFF80454EB7000 159744 tm.sys FFFFF80454F30000 FFFFF80454F4A000 106496 PSHED.dll FFFFF80454F50000 FFFFF80454F5B000 45056 BOOTVID.dll FFFFF80454F60000 FFFFF80454FCF000 454656 FLTMGR.SYS FFFFF8045A550000 FFFFF8045A5B2000 401408 msrpc.sys ``` ## ReadThreadsProcess Syntax: `.\KCLI.exe /ReadThreadsProcess [ProcessName] [Size(dec)]` Example: `.\KCLI.exe /ReadThreadsProcess taskmgr.exe 6` ``` Pid Tid ---------------------------------------------------------------- 9116 5632 9116 10704 9116 10804 9116 12284 9116 10096 9116 4984 ``` ## ReadScanResults Syntax: `.\KCLI.exe /ReadScanResults` ## TraceContextStart Syntax: `.\KCLI.exe /TraceContextStart [Address(hex)]` ## TraceContextStop Syntax: `.\KCLI.exe /TraceContextStop [Id(dec)]` ## DebugBreakpointSet Syntax: `.\KCLI.exe /DebugBreakpointSet [Base(hex)] [Type(0=Software|1=Hardware)]` ## DebugBreakpointRem Syntax: `.\KCLI.exe /DebugBreakpointRem [Base(hex)]` ## ScanNew Syntax: `.\KCLI.exe /ScanNew` ## ScanUndo Syntax: `.\KCLI.exe /ScanUndo` ## ScanInt Syntax: `.\KCLI.exe /ScanInt` ## ScanReal Syntax: `.\KCLI.exe /ScanReal` ## ScanBytes Syntax: `.\KCLI.exe /ScanBytes` ## ScanFilterChanged Syntax: `.\KCLI.exe /ScanFilterChanged` ## ScanFilterUnchanged Syntax: `.\KCLI.exe /ScanFilterUnchanged` ## ScanFilterIncreased Syntax: `.\KCLI.exe /ScanFilterIncreased` ## ScanFilterDecreased Syntax: `.\KCLI.exe /ScanFilterDecreased`