-
-
Notifications
You must be signed in to change notification settings - Fork 92
Device_LiveKd
The LeechCore library supports reading live memory by using Sysinternals LiveKd.
Facts in short:
- Is supported on 64-bit Windows.
- Acquires memory in read-only mode.
- May acquires memory from Hyper-V guest VM from Hyper-V host.
- Is slow (2MB/s) due to current inefficiencies in LiveKd driver.
- Acquired memory is assumed to be volatile.
- Have additional requirements.
The LeechCore process must be started from LiveKd in elevated administrator mode for LiveKd to be able to capture live memory.
LeechCore API:
Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is livekd.
PCILeech / MemProcFS:
Please specify the device type in the -device option or start from LiveKd directly
Examples:
-device livekd -remote rpc://<spn>:<somehost>
LiveKd.exe -k MemProcFS.exe
Depends on LiveKd.exe. Please download the latest version of Sysinternals LiveKd from Microsoft.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖