Closed BidHitter closed 5 years ago
For a few reasons.
1 - You can't use the .NET Process class to get info about an x64 process if the dumper is x86 and vice versa. I didn't want to build 2 versions of the dumper.
2 - The .NET Process class will open a handle to the process to get more details. For protected processes this will fail.
3 - The driver has access to system processes.
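As an added example (not KsDumper code and not the maintainer's), the C# program below shows the two user-mode limitations described in points 1 and 2: it takes the process list from System.Diagnostics.Process (which needs no handle) and then tries to read each process's modules and base addresses, which does open a handle, classifying the resulting Win32Exception by native error code. The mapping of error codes (5 for access denied on protected or system processes, 299 for a 32-bit caller reading a 64-bit target) is my assumption about how .NET surfaces these cases, not something stated in the thread.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;

// Added example: enumerate modules per process with System.Diagnostics.Process
// and classify why enumeration fails. Not part of KsDumper.
static class ModuleListingDemo
{
    enum Outcome { Ok, AccessDenied, BitnessMismatch, OtherError }

    // Try to read the module list of one process and report what happened.
    static Outcome TryListModules(Process p, out string detail)
    {
        detail = "";
        try
        {
            // Process.Modules opens the target (query + VM read access) and walks
            // its loaded modules; both failure modes from the thread surface here.
            ProcessModuleCollection modules = p.Modules;
            foreach (ProcessModule m in modules)
            {
                detail += $"  {m.ModuleName} @ 0x{m.BaseAddress.ToInt64():X} " +
                          $"(size 0x{m.ModuleMemorySize:X})\n";
            }
            return Outcome.Ok;
        }
        catch (Win32Exception e)
        {
            detail = e.Message;
            // Assumed mapping: ERROR_ACCESS_DENIED (5) = handle refused, e.g. a
            // protected process or a system process; ERROR_PARTIAL_COPY (299) =
            // 32-bit caller trying to read the modules of a 64-bit process.
            if (e.NativeErrorCode == 5) return Outcome.AccessDenied;
            if (e.NativeErrorCode == 299) return Outcome.BitnessMismatch;
            return Outcome.OtherError;
        }
        catch (InvalidOperationException e)
        {
            // Process exited between listing and inspection.
            detail = e.Message;
            return Outcome.OtherError;
        }
    }

    static void Main()
    {
        // The bitness of this program decides which targets it can inspect.
        Console.WriteLine($"This process is {(Environment.Is64BitProcess ? "x64" : "x86")}");

        // GetProcesses() builds the list without a per-process handle; only the
        // module/base-address details below require one.
        foreach (Process p in Process.GetProcesses())
        {
            Outcome result = TryListModules(p, out string detail);
            Console.WriteLine($"[{result}] {p.ProcessName} (PID {p.Id})");
            if (result == Outcome.Ok)
                Console.Write(detail);
            else
                Console.WriteLine("  " + detail);
            p.Dispose();
        }
    }
}
```

Running this as an x86 build on a 64-bit Windows system shows BitnessMismatch for every 64-bit process, and AccessDenied for PID 4 and any PPL process regardless of build, which is exactly the gap the driver-side lister closes.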
Ah, I understand, thank you. If I wanted to adjust this to list all the modules under a process and their base addresses, do you think the best place to start would be 'KsDumperDriver/ProcessLister.c', editing the bit where you get the first module so that it instead iterates through them all? Are they all going to be PLDR_DATA_TABLE_ENTRY structs?
Hi there,
This isn't an issue; I just wanted to know why you get the process list and process information (base address, process ID, etc.) via the driver and don't use the System.Diagnostics namespace in the C# client (which also gives you all the modules inside a process)? Is that method some kind of detection with the anti-cheat? I understand the read/write memory section all being done via the driver, of course, as you can't get a handle to the protected process.
Thanks man.