KDBG (Kernel Debugger/CheatEngine)

The windows kernel debugger consists of two parts, KMOD which is the kernel driver handling ring3 request and KCLI; the command line interface for the driver. It originated due to insufficient useability with CheatEngine's DBVM driver while debugging games running under certain AntiCheat software. The main goal now is to transform KDBG into a fully functional debugger. Note that BSOD's are not uncommon, one should get familiar with them unless you know what you are doing.

I Don't Know The Future.
I Didn't Come Here To Tell You How This Is Going To End.
I Came Here To Tell You How It's Going To Begin.

- The Matrix

Build

Open the VisualStudio solution and build for Debug or Release bitness x64.

Issues/Pull requests

If you find bugs or got improvements or suggestions, create an issue or pull request with a detailed description why/what and how! 0x616c will merge them as soon as he finished dissecting windows.

Install

You can start or stop the driver via tools like kdu.exe which will turn off Driver Signature Enforcement temporarily.
KDU is available here: https://github.com/hfiref0x/KDU

sc.exe create kmod type=kernel binPath="C:\KMOD.sys" // create system service (has to be done only once)
.\kdu.exe -dse 0                                     // disable DSE
sc.exe start/stop kmod                               // start or stop service
.\kdu.exe -dse 6                                     // enable DSE (some AC's require DSE to be enabled)
.\KCLI.exe                                           // issue a variety of commands

Features

Write API

• WriteMemoryProcess (Write arbitrary bytes into process images)
• WriteMemoryKernel (Write arbitrary bytes into system images)

Read API

• ReadMemoryProcess (Read arbitrary bytes from process images)
• ReadMemoryKernel (Read arbitrary bytes from system images)
• ReadModulesProcess (Read all modules of a specific process)
• ReadModulesKernel (Read all kernel modules)
• ReadThreadsProcess (Read all threads of a specific process)
• ReadScanResults (not implemented)

Trace API

• TraceContextStart (Start a system trace thread which will look for registers which contain certain addresses)
• TraceContextStop (Stop the previously started trace thread)

Debug API

• DebugBreakpointSet (not implemented)
• DebugBreakpointRem (not implemented)

Scan API

• ScanNew (not implemented)
• ScanUndo (not implemented)
• ScanInt (not implemented)
• ScanReal (not implemented)
• ScanBytes (not implemented)
• ScanFilterChanged (not implemented)
• ScanFilterUnchanged (not implemented)
• ScanFilterIncreased (not implemented)
• ScanFilterDecreased (not implemented)

WriteMemoryProcess

Syntax: .\KCLI.exe /WriteMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]
Example: .\KCLI.exe /WriteMemoryProcess taskmgr.exe taskmgr.exe 40000 3 909090

WriteMemoryKernel

Syntax: .\KCLI.exe /WriteMemoryKernel [ImageName] [Offset(hex)] [Size(dec)] [Bytes(hex)]
Example: .\KCLI.exe /WriteMemoryKernel ntoskrnl.exe 40000 3 909090

ReadMemoryProcess

Syntax: .\KCLI.exe /ReadMemoryProcess [ProcessName] [ImageName] [Offset(hex)] [Size(dec)]
Example: .\KCLI.exe /ReadMemoryProcess taskmgr.exe taskmgr.exe 40000 32

0x00040000 FD FF 48 FF 15 17 57 09 00 0F 1F 44 00 00 8B 43
0x00040010 3C E9 A1 93 FD FF 4C 89 7D 48 BE 02 00 07 80 E9

0x00040000 FD .. .. .. .. .. .. .. .. .. .. std
0x00040001 FF 48 FF .. .. .. .. .. .. .. .. dec dword ptr [rax - 1]
0x00040004 15 17 57 09 00 .. .. .. .. .. .. adc eax, 0x95717
0x00040009 0F 1F 44 00 00 .. .. .. .. .. .. nop dword ptr [rax + rax]
0x0004000E 8B 43 3C .. .. .. .. .. .. .. .. mov eax, dword ptr [rbx + 0x3c]
0x00040011 E9 A1 93 FD FF .. .. .. .. .. .. jmp 0x193b7
0x00040016 4C 89 7D 48 .. .. .. .. .. .. .. mov qword ptr [rbp + 0x48], r15
0x0004001A BE 02 00 07 80 .. .. .. .. .. .. mov esi, 0x80070002

ReadMemoryKernel

Syntax: .\KCLI.exe /ReadMemoryKernel [ImageName] [Offset(hex)] [Size(dec)]
Example: .\KCLI.exe /ReadMemoryKernel ntoskrnl.exe 40000 32

0x00040000 63 00 74 00 00 00 00 00 5C 00 52 00 45 00 47 00
0x00040010 49 00 53 00 54 00 52 00 59 00 5C 00 55 00 53 00

0x00040000 63 00 .. .. .. .. .. .. .. .. .. movsxd rax, dword ptr [rax]
0x00040002 74 00 .. .. .. .. .. .. .. .. .. je 0x40004
0x00040004 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al
0x00040006 00 00 .. .. .. .. .. .. .. .. .. add byte ptr [rax], al
0x00040008 5C .. .. .. .. .. .. .. .. .. .. pop rsp
0x00040009 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl
0x0004000C 45 00 47 00 .. .. .. .. .. .. .. add byte ptr [r15], r8b
0x00040010 49 00 53 00 .. .. .. .. .. .. .. add byte ptr [r11], dl
0x00040014 54 .. .. .. .. .. .. .. .. .. .. push rsp
0x00040015 00 52 00 .. .. .. .. .. .. .. .. add byte ptr [rdx], dl
0x00040018 59 .. .. .. .. .. .. .. .. .. .. pop rcx
0x00040019 00 5C 00 55 .. .. .. .. .. .. .. add byte ptr [rax + rax + 0x55], bl
0x0004001D 00 53 00 .. .. .. .. .. .. .. .. add byte ptr [rbx], dl

ReadModulesProcess

Syntax: .\KCLI.exe /ReadModulesProcess [ProcessName] [Size(dec)]
Example: .\KCLI.exe /ReadModulesProcess taskmgr.exe 10

  Start            End                    Size Name
----------------------------------------------------------------
  00007FFAD0740000 00007FFAD07FD000     774144 KERNEL32.DLL
  00007FFACF5B0000 00007FFACF879000    2920448 KERNELBASE.dll
  00007FFACF0A0000 00007FFACF1A0000    1048576 ucrtbase.dll
  00007FFACFBB0000 00007FFACFC7D000     839680 OLEAUT32.dll
  00007FFACF300000 00007FFACF39D000     643072 msvcp_win.dll
  00007FFACFD30000 00007FFAD0085000    3493888 combase.dll
  00007FFAD0D30000 00007FFAD0E5B000    1224704 RPCRT4.dll
  00007FFACF8B0000 00007FFACF8B8000      32768 NSI.dll
  00007FFAD0E60000 00007FFAD0EB5000     348160 SHLWAPI.dll
  00007FFAD1740000 00007FFAD17DE000     647168 msvcrt.dll

ReadModulesKernel

Syntax: .\KCLI.exe /ReadModulesKernel [Size(dec)]
Example: .\KCLI.exe /ReadModulesKernel 10

  Start            End                    Size Name
----------------------------------------------------------------
  FFFFF80457800000 FFFFF80458846000   17063936 ntoskrnl.exe
  FFFFF80454E70000 FFFFF80454E76000      24576 hal.dll
  FFFFF80454E80000 FFFFF80454E8B000      45056 kd.dll
  FFFFF80454BE0000 FFFFF80454E6F000    2682880 mcupdate_GenuineIntel.dll
  FFFFF80454EC0000 FFFFF80454F29000     430080 CLFS.SYS
  FFFFF80454E90000 FFFFF80454EB7000     159744 tm.sys
  FFFFF80454F30000 FFFFF80454F4A000     106496 PSHED.dll
  FFFFF80454F50000 FFFFF80454F5B000      45056 BOOTVID.dll
  FFFFF80454F60000 FFFFF80454FCF000     454656 FLTMGR.SYS
  FFFFF8045A550000 FFFFF8045A5B2000     401408 msrpc.sys

ReadThreadsProcess

Syntax: .\KCLI.exe /ReadThreadsProcess [ProcessName] [Size(dec)]
Example: .\KCLI.exe /ReadThreadsProcess taskmgr.exe 6

         Pid        Tid
----------------------------------------------------------------
        9116       5632
        9116      10704
        9116      10804
        9116      12284
        9116      10096
        9116       4984

ReadScanResults

Syntax: .\KCLI.exe /ReadScanResults

TraceContextStart

Syntax: .\KCLI.exe /TraceContextStart [Address(hex)]

TraceContextStop

Syntax: .\KCLI.exe /TraceContextStop [Id(dec)]

DebugBreakpointSet

Syntax: .\KCLI.exe /DebugBreakpointSet [Base(hex)] [Type(0=Software|1=Hardware)]

DebugBreakpointRem

Syntax: .\KCLI.exe /DebugBreakpointRem [Base(hex)]

ScanNew

Syntax: .\KCLI.exe /ScanNew

ScanUndo

Syntax: .\KCLI.exe /ScanUndo

ScanInt

Syntax: .\KCLI.exe /ScanInt

ScanReal

Syntax: .\KCLI.exe /ScanReal

ScanBytes

Syntax: .\KCLI.exe /ScanBytes

ScanFilterChanged

Syntax: .\KCLI.exe /ScanFilterChanged

ScanFilterUnchanged

Syntax: .\KCLI.exe /ScanFilterUnchanged

ScanFilterIncreased

Syntax: .\KCLI.exe /ScanFilterIncreased

ScanFilterDecreased

Syntax: .\KCLI.exe /ScanFilterDecreased