|
1 | | -This is fork of LiveCloudKd early developed by Matt Suiche (@msuiche) - https://github.com/comaeio/LiveCloudKd |
| 1 | +This is fork of LiveCloudKd early developped by Matt Suiche (@msuiche) - https://github.com/comaeio/LiveCloudKd |
2 | 2 |
|
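Review bot: the new line 1 introduces a spelling error ("developped") where the removed line had the correct "developed"; the sentence is also missing an article. Suggest: "This is a fork of LiveCloudKd, originally developed by Matt Suiche (@msuiche) - https://github.com/comaeio/LiveCloudKd".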
3 | | -## LiveCloudKd (2021). |
| 3 | +## LiveCloudKd (2022). |
4 | 4 |
|
5 | 5 | Memory access to full Hyper-V VM memory is stable enough, therefore LiveCloudKd and Hyper-V Virtual Machine plugin for MemProcFS was released as stable version. |
6 | | -https://github.com/gerhart01/LiveCloudKd/releases/download/v2.0.0.20210814/LiveCloudKd.v2.0.0.20210814-release.zip |
| 6 | +https://github.com/gerhart01/LiveCloudKd/releases/download/v2.5.5.20210814/LiveCloudKd.v2.5.5.20220419-release.zip |
7 | 7 |
|
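Review bot: the release URL on new line 6 looks inconsistent and is likely a broken link: the tag segment of the path still carries the old date (`v2.5.5.20210814`) while the file name says `LiveCloudKd.v2.5.5.20220419-release.zip`, and the plugin link added on new line 10 uses the tag `v2.5.5.20220419`. Please verify the download actually resolves and align the tag in the path with the file name.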
8 | | -https://github.com/gerhart01/LiveCloudKd/releases/download/v1.2.20210814/leechcore_hyperv_plugin_14.08.2021.zip |
| 8 | +LiveCloudKd can read and write memory to Hyper-V guest OS using kd.exe from Windows SDK (WDK) |
| 9 | + |
| 10 | +https://github.com/gerhart01/LiveCloudKd/releases/download/v2.5.5.20220419/leechcore_hyperv_plugin_19.04.2022.zip |
9 | 11 |
|
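Review bot: new line 8 says "kd.exe from Windows SDK (WDK)", which reads as if WDK abbreviated Windows SDK; WDK is the Windows Driver Kit, and kd.exe ships with the Debugging Tools for Windows, so state which kit is meant (for example "Debugging Tools for Windows, shipped with the Windows SDK/WDK") and end the sentence with a period. Because this sentence now sits between the LiveCloudKd release link and the leechcore plugin link on line 10, the plugin link reads as if it belonged to the kd.exe sentence; a short label such as "Hyper-V plugin for LeechCore/MemProcFS:" before line 10 would keep the two downloads distinct. Since the line also states that memory can be written to the guest, it is worth saying plainly that writes modify the running VM, consistent with the WriteInterface methods described further down.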
10 | 12 | Methods for accessing guest Hyper-V VM Memory: |
11 | 13 |
|
12 | 14 | ReadInterfaceWinHv - uses Hyper-V hypercall for reading guest OS memory. Slow, but robust method; |
13 | | - ReadInterfaceHvmmDrvInternal - read data directly from kernel memory. Much faster, then ReadInterfaceWinHv, but uses undocument structures). See description of -m option. Default reading method is ReadInterfaceHvmmDrvInternal. |
| 15 | + ReadInterfaceHvmmDrvInternal - read data directly from kernel memory. Faster, then ReadInterfaceWinHv, but uses undocument structures). See description of -m option. Default reading method is ReadInterfaceHvmmDrvInternal. |
14 | 16 |
|
15 | 17 | WriteInterfaceWinHv - uses Hyper-V hypercall for writing to guest OS memory. |
16 | | - WriteInterfaceHvmmDrvInternal - write data directly to kernel memory. Much faster, then WriteInterfaceWinHv, but uses undocument structures). See description of -m option. Default writing method is WriteInterfaceHvmmDrvInternal. |
| 18 | + WriteInterfaceHvmmDrvInternal - write data directly to kernel memory. Faster, then WriteInterfaceWinHv, but uses undocument structures). See description of -m option. Default writing method is WriteInterfaceHvmmDrvInternal. |
17 | 19 |
|
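Review bot: new lines 15 and 18 were edited ("Much faster" shortened to "Faster") but the surrounding grammar was left as is: "Faster, then ReadInterfaceWinHv" should be "Faster than ReadInterfaceWinHv", and "uses undocument structures)" has an unmatched closing parenthesis and should read "uses undocumented structures". The same two fixes apply to the WriteInterfaceHvmmDrvInternal line. Given that the default read and write method is the one relying on undocumented structures, it would help readers to state on which OS builds those structures were verified, tying this paragraph to the tested-platform list on line 21.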
18 | 20 |
|
19 | | -Tested on Full VM from in Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 and Windows 11 Preview |
| 21 | +Tested on Full VM from in Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 and Windows 11 |
20 | 22 |
|
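Review bot: new line 21 only drops "Preview" after Windows 11 and keeps the leftover "from in" ("Tested on Full VM from in Windows Server 2016 ..."); suggest "Tested on full VMs in Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 and Windows 11".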
21 | 23 | For launch: |
22 | 24 |
|
23 | | -1. Place LiveCloudKd.exe, hvlib.dll, hvmm.sys to WinDBG x64 folder (tested on WinDBG from WDK 1809 - 21H1). |
24 | | -2. Launch LiveCloudKd.exe with admin rights (It needs Visual Studio 2019 runtime libraries - https://aka.ms/vs/15/release/vc_redist.x64.exe). |
| 25 | +1. Place LiveCloudKd.exe, hvlib.dll, hvmm.sys to WinDBG x64 folder (tested on WinDBG from WDK 1809 - 21H2). |
| 26 | +2. Launch LiveCloudKd.exe with admin rights (It needs Visual Studio 2022 runtime libraries - https://aka.ms/vs/17/release/vc_redist.x64.exe). |
25 | 27 | 3. Choose virtual machine (Full VM only) for inspection. |
26 | 28 |
|
27 | 29 | LiveCloudKd is more perfomanced, then LiveKd from Sysinternals Suite, at the time of release: |
|
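Review bot: in the updated launch steps, step 1 should read "in the WinDbg x64 folder" rather than "to WinDBG x64 folder", and in step 2 the parenthetical should start lower-case ("(it needs Visual Studio 2022 runtime libraries ...)"). Step 2 would also be clearer if it said why admin rights are required, namely to load the hvmm.sys driver placed in step 1, so users understand that a kernel driver is being installed on the Hyper-V host. While this section is being touched, the unchanged line 27 just below still reads "more perfomanced, then LiveKd"; "performs better than LiveKd" would fix both the typo and the then/than confusion.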