Add information about securekernel space viewing

gerhart01 · gerhart01 · commit b0418bef3408 · 2025-02-15T22:33:44.000+03:00
diff --git a/LiveCloudKdPy/README.md b/LiveCloudKdPy/README.md
@@ -32,7 +32,7 @@ Current configuration options:
 **"ReadMethod"** - memory reading method for driver. Class ReadMemoryMethod  
 **"WriteMethod"** - memory writing method for driver. Class WriteMemoryMethod  
 **"PauseMethod"** - method of suspend VM. Class SuspendResumeMethod  
-**"LogLevel"** - log level. Integer [0..4]
+**"LogLevel"** - log level. Integer [0..4]  
 **"ForceFreezeCPU"** - boolean. FreezeCPU using virtual VM registers when suspend VM  
 **"PausePartition"** - boolean. VM was suspended when SdkSelectPartition will be executed  
 **"ReloadDriver"** - boolean. Reload driver when starting plugin. Need in some cases when service is not deleted correctly  
diff --git a/LiveCloudKdSdk/README.md b/LiveCloudKdSdk/README.md
@@ -14,11 +14,11 @@
 
 Hvlib is plugin for working with Microsoft Hyper-V virtual machines memory. It was developed, when 
 LiveCloudKd was rewritten for supporting modern Windows versions, therefore it supports Windows 10 build 1803 and above, Windows Server 2019 and above
-It also was test on Windows 8 x64 and Windows Server 2012, but not with latest patches.
+It also was tested on Windows 8 x64 and Windows Server 2012, but not with latest patches.
 
 Part of code was taken from LiveCloudKd project https://github.com/msuiche/LiveCloudKd by Matt Suiche (www.msuiche.com).
 
-So it was developed, because Microsoft doesn't provide necessary API description and examples of vid.dll
+So it was developed, because Microsoft doesn't provide necessary API description and examples of vid.dll, vid.sys, winhv.sys, winhvr.sys, hvix64.exe, hvax64.exe, hvaa64.exe
 
 Hvlib supports two memory access methods for Hyper-V memory
 
@@ -44,9 +44,9 @@ and separate LiveCloudKdExample project
 1. Fill VmOperationsConfig structure with options. See available options in VM_OPERATIONS_CONFIG structure
 2. Get list of running Virtual Machines using SdkEnumPartitions function.
 
-```c
+```
 	SdkGetDefaultConfig(&VmOperationsConfig);
-    PULONG64 Partitions = SdkEnumPartitions(&PartitionCount, &VmOperationsConfig);
+	PULONG64 Partitions = SdkEnumPartitions(&PartitionCount, &VmOperationsConfig);
 ```
 
 3. Next use
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ The tool has additional options in comparison with LiveKd from Microsoft Sysinte
 3. Support Hyper-V VM with nested option enabled on Intel-based CPU
 4. Support multilingual OS
 
-LiveCloudKd. [Download](https://github.com/gerhart01/LiveCloudKd/releases/download/v2.8.4.20241221/LiveCloudKd.v2.8.4.20241221-release.zip)  
+LiveCloudKd. [Download](https://github.com/gerhart01/LiveCloudKd/releases/download/v2.8.5.20250209/LiveCloudKd.v2.8.5.20250209-release.zip)  
 Contains EXDI plugin for static dump view:    
 
 ![WinDBG](images/image01.png)  
@@ -42,7 +42,7 @@ Methods for accessing guest Hyper-V VM memory:
  WriteInterfaceWinHv - uses Hyper-V hypercall for writing to guest OS memory.
  WriteInterfaceHvmmDrvInternal - write data directly to kernel memory. Faster, than WriteInterfaceWinHv, but uses undocumented structures). The default writing method is WriteInterfaceHvmmDrvInternal.
 ```
-Also  ReadInterfaceLocal - read data from local operation system (not Hyper-V) is available  
+Also ReadInterfaceLocal interface for readomg data from local operation system is available  
 
 LiveCloudKd was tested on 
 ```
@@ -86,6 +86,14 @@ Performance comparison with LiveKd from Sysinternals Suite (LiveCloudKd is more
 
 ![](images/image03.png)
 
+You can view Windows securekernel address space in static mode of Hyper-V VM with VBS enabled option in guest OS.
+
+1. Launch Hyper-V VM with guest OS VBS enable;
+2. Launch LiveCloudKd in EXDi mode;
+3. Enter ".reload /f securekernel.exe=<addr>" to get securekernel symbols information. You can see securekernel image base address in output window.
+
+![](images/image04.png)
+
 LiveCloudKd options:
 
 ``` 
@@ -98,7 +106,6 @@ LiveCloudKd options:
                   5 - Dump RAW guest OS memory (without KDBG scanning)
                   6 - Resume VM
  /b         Close LiveCloudKd automatically, after exiting from kd or WinDBG.
- /f         Force freeze CPU on every read operation. It is actually for Windows Sandbox because it constantly resumes CPU.
  /m         Memory access type.
                   0 - Winhvr.sys interface
                   1 - Raw memory interface (hvmm.sys)
@@ -107,12 +114,15 @@ LiveCloudKd options:
  /o         Destination path for the output file (Action 2 - 5).
  /p         Pause partition.
  /v         Verbose output.
+                    0 - errors
+                    1 - warnings
+                    2 - information messages
  /w         Run WinDBG instead of Kd (Kd is the default).
  /y         Set path to WinDBG or WinDBG with modern UI (for start EXDI plugin)
  /?         Print this help.
 ``` 
 
-EXDI module can get instructions for writing some bytes to Hyper-V virtual machine memory from WinDBG engine (depending on WinDBG or WinDBGX version), therefore writing memory capabilities are disabled by default.
+EXDI module can get instructions to write some bytes to Hyper-V virtual machine memory from WinDBG engine (depending from WinDBG or WinDBGX version), therefore writing memory capabilities are disabled by default.
 To enable it enter the command:
 
 ```
@@ -124,4 +134,4 @@ disable
 wrmsr 0x1112 0
 ```
 
-Project uses diStorm3 library (BSD license) by [Gil Dabah](https://twitter.com/_arkon): [Distorm project](https://github.com/gdabah/distorm)
+Project uses diStorm3 library (BSD license) by [Gil Dabah](https://x.com/_arkon): [Distorm project](https://github.com/gdabah/distorm)
diff --git a/images/image04.png b/images/image04.png
