This is a fork of LiveCloudKd, originally developed by Matt Suiche (www.msuiche.com): https://github.com/msuiche/LiveCloudKd.
LiveCloudKd is a tool that lets you connect to a Hyper-V guest VM with kd.exe and WinDBG (classic), or with WinDBG through the EXDI plugin.
You can use the LiveCloudKd EXDI plugin to attach to a Hyper-V VM with kd.exe and WinDBG (classic).
The tool uses the Hyper-V Memory Manager plugin for all operations on Hyper-V memory. Compared with LiveKd from the Microsoft Sysinternals Suite it offers additional capabilities:
- Write capabilities (you can write to the virtual and physical address space of a Hyper-V VM or of the local OS using native WinDBG commands or the hvlib API)
- Better performance
- Support for Hyper-V VMs with nested virtualization enabled on Intel-based CPUs
- Support for multilingual Windows
LiveCloudKd. Download
Contains an EXDI plugin for static dump viewing.
LiveCloudKd is based on the hvlib.dll library (Hyper-V Memory Manager plugin). Other tools developed with this library:
LiveCloudKd EXDI live debugger. Download. Readme
Hyper-V Virtual Machine plugin for MemProcFS. Download
Hyper-V Memory Manager plugin for volatility. Download
HyperViews. Download
An SDK for working with Hyper-V VM memory is also available:
Hyper-V Memory Manager module for Powershell. Link
Hyper-V Memory Manager module for Python. Link
Hyper-V Memory Manager module for C#. Link
Hyper-V Memory Manager library API for C. Link
Projects for building everything in one solution. Link
Methods for accessing guest Hyper-V VM memory:
ReadInterfaceWinHv - uses the Hyper-V hypercall HvReadGPA to read guest OS memory. Slow, but robust;
ReadInterfaceHvmmDrvInternal - reads data directly from kernel memory. Faster than ReadInterfaceWinHv, but relies on undocumented structures. The default read method is ReadInterfaceHvmmDrvInternal.
WriteInterfaceWinHv - uses the Hyper-V hypercall HvWriteGPA to write to guest OS memory.
WriteInterfaceHvmmDrvInternal - writes data directly to kernel memory. Faster than WriteInterfaceWinHv, but relies on undocumented structures. The default write method is WriteInterfaceHvmmDrvInternal.
Methods for accessing local operating system memory:
ReadInterfaceLocal - used for reading data from local operating system memory
WriteInterfaceLocal - used for writing data to local operating system memory
LiveCloudKd was tested with WinDBG from WDK 1809 through 25H2 on:
Windows Server 2025
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows 11
Windows 10
and some preview versions of Windows 11 and Windows Server vNext.
Configure the symbol path for WinDBG (run this in an elevated PowerShell session, because the variable is set at machine scope):
# Local symbol cache; NTFS compression (compact) keeps it small.
$folder = "C:\Symbols"
New-Item -Type Directory $folder -Force | Out-Null
compact /c /i /q /s:$folder
# Each SRV*<cache>*<server> entry is tried in order: Microsoft's public symbol server first,
# then third-party servers for Chromium, AMD, NVIDIA, Intel, Citrix and NuGet symbols.
$symbol_path = "SRV*$folder*https://msdl.microsoft.com/download/symbols;"+
"SRV*$folder*https://chromium-browser-symsrv.commondatastorage.googleapis.com;"+
"SRV*$folder*https://download.amd.com/dir/bin;"+
"SRV*$folder*https://driver-symbols.nvidia.com/;"+
"SRV*$folder*https://software.intel.com/sites/downloads/symbols/;"+
"SRV*$folder*https://ctxsym.citrix.com/symbols;"+
"SRV*$folder*https://symbols.nuget.org/download/symbols"
# Machine-scoped, so every new WinDBG/kd session picks it up.
[Environment]::SetEnvironmentVariable("_NT_SYMBOL_PATH",$symbol_path,
"Machine")
For Hyper-V VMs the Microsoft symbol server alone is enough:
$folder = "C:\Symbols"
New-Item -Type Directory $folder -Force | Out-Null
compact /c /i /q /s:$folder
$symbol_path = "SRV*$folder*https://msdl.microsoft.com/download/symbols"
[Environment]::SetEnvironmentVariable("_NT_SYMBOL_PATH",$symbol_path,
"Machine")
To launch:
- Extract the distribution to a folder and specify the path to WinDBG in HvlibSettingsEditor.exe (in the cfg folder) or in RegParam.reg and apply it, or use the /y command line parameter. LiveCloudKd can also find WinDBG on its own if it was installed with the Windows WDK or SDK.
- Install the Visual Studio 2022 runtime libraries (Link) if your environment does not already have them.
- Start LiveCloudKd.exe with local administrator privileges.
- Choose a Hyper-V virtual machine, or the local Windows installation, whose RAM should be presented as a dump file.
LiveCloudKd searches for WinDBG in the following order:
- The directory specified with the /y parameter:
LiveCloudKd /y C:\Microsoft\WinDBG
- The Windows registry value HKLM\Software\LiveCloudKd\Parameters\WinDbgPath. See RegParam.reg for an example.
- The standard Windows SDK\WDK or WinDBG (classic) installation folder (found through the registry key for that path or through the "windbgx" command).
- If none of the previous steps succeeded, LiveCloudKd tries to run kd.exe, windbg.exe or windbgx from its own folder.
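The search order above, reproduced in PowerShell as an added example (this is not LiveCloudKd's own code), so you can check which debugger LiveCloudKd will pick up before launching it. It assumes, which the text above does not state, that the WDK/SDK debuggers live in <KitsRoot10>\Debuggers\x64 (located via the Windows Kits "Installed Roots" registry key) and that "its own folder" is the folder this script runs from.

```powershell
# Added example, not part of LiveCloudKd: walk the documented WinDBG search order.
# Assumptions not stated on the page: WDK/SDK debuggers live in <KitsRoot10>\Debuggers\x64,
# and "the tool's own folder" is the folder this script is run from.
function Find-WinDbg {
    param(
        [string]$ExplicitPath,          # the directory you would pass with /y
        [string]$ToolDirectory = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path })
    )
    $debuggers = @('windbg.exe', 'kd.exe', 'windbgx.exe')

    # Returns the first debugger binary found in $Dir, or $null.
    function Test-DebuggerDir([string]$Dir) {
        if (-not $Dir) { return $null }
        foreach ($exe in $debuggers) {
            $candidate = Join-Path $Dir $exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
        return $null
    }

    # 1. Directory given explicitly (/y parameter).
    $hit = Test-DebuggerDir $ExplicitPath
    if ($hit) { return $hit }
    if ($ExplicitPath) { Write-Warning "No debugger in /y directory '$ExplicitPath', falling back" }

    # 2. HKLM\Software\LiveCloudKd\Parameters\WinDbgPath (the value RegParam.reg sets).
    $regValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\LiveCloudKd\Parameters' `
                    -Name WinDbgPath -ErrorAction SilentlyContinue).WinDbgPath
    $hit = Test-DebuggerDir $regValue
    if ($hit) { return $hit }

    # 3. Standard SDK/WDK folder (assumed: <KitsRoot10>\Debuggers\x64), then "windbgx" on PATH.
    $kitsRoot = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots' `
                    -Name KitsRoot10 -ErrorAction SilentlyContinue).KitsRoot10
    if ($kitsRoot) {
        $hit = Test-DebuggerDir (Join-Path $kitsRoot 'Debuggers\x64')
        if ($hit) { return $hit }
    }
    $windbgx = Get-Command windbgx -ErrorAction SilentlyContinue
    if ($windbgx) { return $windbgx.Source }

    # 4. Last resort: kd.exe / windbg.exe / windbgx next to the tool itself.
    return (Test-DebuggerDir $ToolDirectory)
}

# Usage: mirrors the command line "LiveCloudKd /y C:\Microsoft\WinDBG".
$found = Find-WinDbg -ExplicitPath 'C:\Microsoft\WinDBG'
if ($found) { "LiveCloudKd would use: $found" }
else { Write-Warning 'No WinDBG found; install the WDK debuggers, set WinDbgPath, or pass /y' }
```

If the function returns a path you did not expect (for example an old classic windbg.exe from a WDK install when you intended WinDBG with the EXDI plugin), set the WinDbgPath registry value or pass /y explicitly rather than relying on the fallbacks.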
Performance comparison with LiveKd from the Sysinternals Suite: LiveCloudKd is roughly 1000 times faster when it reads memory through the ReadInterfaceHvmmDrvInternal interface.
You can view the Windows Secure Kernel address space of a Hyper-V VM in static mode when VBS is enabled in the guest OS:
- Launch the Hyper-V VM with VBS enabled in the guest OS;
- Launch LiveCloudKd in EXDI mode;
- Enter ".reload /f securekernel.exe=addr" or ".reload /f securekernella57.exe=addr" to load the securekernel symbols. The securekernel image base address is shown in the LiveCloudKd output window.
LiveCloudKd options:
Usage: LiveCloudKd.exe [/a {0-6}][/b][/f][/m {0-2}][/n {0-9}][/o path][/p][/v {0-2}][/w][/y <path to directory with WinDBG>][/?]
/a Pre-selected action.
0 - Live kernel debugging
1 - Start EXDI plugin (WinDBG)
2 - Produce a linear physical memory dump
3 - Produce a Microsoft full memory crash dump
4 - Dump guest OS memory chunk
5 - Dump RAW guest OS memory (without KDBG scanning)
6 - Resume VM
/b Close LiveCloudKd automatically after exiting from kd or WinDBG.
/f Force to freeze virtual CPUs of selected virtual machine
/m Memory access type.
0 - Hypercalls (HvReadGPA and HvWriteGPA)
1 - Raw memory
2 - Local OS
/n Pre-selected number of VM.
/o Destination path for the output file (actions 2-5).
/p Pause partition.
/v Verbose output.
/w Run WinDBG (classic) instead of kd (kd is the default).
/y Set path to WinDBG (classic) or WinDBG (for start EXDI plugin).
/? Print this help
The EXDI module can receive instructions from the WinDBG engine to write bytes into Hyper-V virtual machine memory (depending on the WinDBG or WinDBG (classic) version), so write access to memory is disabled by default. To enable it, enter the command:
wrmsr 0x1112 1
To disable it again:
wrmsr 0x1112 0
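The command line options above, driven from a script as an added example (this is not LiveCloudKd's own code): it takes a Microsoft full memory crash dump (/a 3) of one VM through raw memory access (/m 1), optionally with the vCPUs frozen (/f), locks the dump file down, and resumes the VM (/a 6) afterwards. It assumes, which the page does not state, that LiveCloudKd.exe exits once a dump action finishes and returns a non-zero exit code on failure, and that $VmNumber is the VM number as LiveCloudKd lists it.

```powershell
# Added example, not part of LiveCloudKd: non-interactive full memory dump of one VM.
# Assumptions not stated on the page: LiveCloudKd.exe exits when the dump action finishes
# and returns non-zero on failure; $VmNumber matches the number LiveCloudKd shows for the VM.
function Invoke-LiveCloudKdDump {
    param(
        [Parameter(Mandatory)][string]$LiveCloudKdPath,   # e.g. C:\Tools\LiveCloudKd\LiveCloudKd.exe
        [Parameter(Mandatory)][int]$VmNumber,             # /n
        [Parameter(Mandatory)][string]$OutputFile,        # /o
        [ValidateSet(0, 1, 2)][int]$MemoryAccess = 1,     # /m: 0 hypercalls, 1 raw memory, 2 local OS
        [switch]$Freeze                                   # /f: freeze the VM's virtual CPUs first
    )
    # LiveCloudKd needs local administrator privileges; fail early rather than half-way through.
    $principal = [Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    $outDir = Split-Path -Parent $OutputFile
    if ($outDir -and -not (Test-Path -LiteralPath $outDir)) {
        New-Item -ItemType Directory -Path $outDir | Out-Null
    }

    # /a 3 = Microsoft full memory crash dump, /v 1 = moderate verbosity.
    $cliArgs = @('/a', '3', '/n', "$VmNumber", '/m', "$MemoryAccess", '/o', $OutputFile, '/v', '1')
    if ($Freeze) { $cliArgs += '/f' }
    try {
        $proc = Start-Process -FilePath $LiveCloudKdPath -ArgumentList $cliArgs -Wait -PassThru -NoNewWindow
        if ($proc.ExitCode -ne 0) { throw "LiveCloudKd exited with code $($proc.ExitCode)" }
        if (-not (Test-Path -LiteralPath $OutputFile)) { throw "Dump file '$OutputFile' was not produced" }

        # The dump holds the guest's kernel memory (credentials, keys, plaintext buffers):
        # drop inherited ACLs so that only Administrators can read it.
        icacls $OutputFile /inheritance:r /grant:r 'Administrators:F' | Out-Null

        return Get-Item -LiteralPath $OutputFile | Select-Object FullName, Length
    }
    finally {
        # /a 6 resumes the VM even if the dump failed, so a frozen guest is never left behind.
        if ($Freeze) {
            Start-Process -FilePath $LiveCloudKdPath -ArgumentList @('/a', '6', '/n', "$VmNumber") -Wait -NoNewWindow
        }
    }
}

# Usage (elevated session, real VM required, so left commented out):
# Invoke-LiveCloudKdDump -LiveCloudKdPath 'C:\Tools\LiveCloudKd\LiveCloudKd.exe' -VmNumber 0 `
#     -OutputFile 'D:\dumps\vm0.dmp' -Freeze
```

Pick /m 1 (raw memory, the HvmmDrvInternal path) for speed and /m 0 (hypercalls) when you need the robust path on a build where the undocumented structures have changed; /a 2 (linear physical dump) or /a 5 (RAW dump without KDBG scanning) can be substituted for /a 3 without other changes to the wrapper.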
Project uses:
- diStorm3 library (BSD license) by Gil Dabah: Distorm project.
- Singularity OS header files from Microsoft: Project, Download link.
- and some definitions from the Hypervisor Development Kit by Alex Ionescu.
License for the Hyper-V Memory Manager library
Donation:
Crypto: USDT
Network: Tron(TRC20)
Address: TAtXfWkNCpbjhguE3supZnT6kRE37owQgo