Windows Kernel Memory Dump

dump process modules from kernel

How it works

You send a process ID and module name (e.g. notepad.exe, ntdll.dll) to the driver via DeviceIoControl. The driver dumps the module's memory and returns it. The app saves to processdumpcnt.bin and fixes the PE headers.

Demo

Loading the driver

Option 1 — Test Mode (sc create / sc start)
Option 2 — KDMapper

MAKE SURE TO ENABLE TEST MODE TO TEST THIS PROJECT. IF YOU WISH TO USE IT OUTSIDE TEST MODE, USE YOUR CUSTOM DRIVER LOADER OR SIGN THE DRIVER.

NOTE: THIS IS FOR EDUCATIONAL PURPOSES ONLY.

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
kernel_mode		kernel_mode
user_mode		user_mode
.gitignore		.gitignore
README.md		README.md
demo.png		demo.png
kernel_mode.sln		kernel_mode.sln

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Windows Kernel Memory Dump

How it works

Demo

Loading the driver

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Windows Kernel Memory Dump

How it works

Demo

Loading the driver

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages