Kshared Bypass [upd]

```c
// Simplified pseudo-code for reading a remote process's memory without
// calling NtReadVirtualMemory. It assumes a way to read physical memory
// (not shown on this page) plus the target's page-table base (CR3).
BYTE* ReadRemoteViaKShared(HANDLE hProcess, LPCVOID remoteAddr, SIZE_T size)
{
    // 1. Obtain the target process's CR3 (its DirectoryTableBase). This needs
    //    either a kernel call or a direct read from KdDebuggerDataBlock.
    ULONG_PTR targetCr3 = GetProcessCr3(hProcess); // may still need a syscall

    // 2. Translate remoteAddr to a physical address using targetCr3.
    //    This requires reading the physical pages that hold the page tables;
    //    KdDebuggerDataBlock's MmPhysicalMemoryBlock is used to enumerate the
    //    physical memory ranges those pages live in.

    // Remaining steps (page-table walk, physical read, copy to a buffer)
    // are not shown in this sketch.
    return NULL;
}
```
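Step 2 of the sketch is the part that does the real work, so here is a complete, runnable version of it as an added example (this is not code from the page or from any tool it describes). It performs the x64 4-level page-table walk from a CR3 value, handles 2 MiB and 1 GiB large pages and not-present entries, and then reads bytes page by page through the resulting physical addresses. Everything it touches is constructed in-process: `g_phys` stands in for physical RAM, `build_sample_tables` fabricates a tiny address space, and `read_phys64`/`read_phys8` stand in for whatever kernel-level physical read primitive the operator actually has, which the page leaves unspecified.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for physical RAM: 6 frames of 4 KiB.
 * Frame 0 unused, 1 = PML4, 2 = PDPT, 3 = PD, 4 = PT, 5 = data page. */
#define PAGE_SIZE   4096ULL
#define NUM_FRAMES  6
static uint8_t g_phys[NUM_FRAMES * PAGE_SIZE];

#define PTE_PRESENT   0x1ULL
#define PTE_WRITE     0x2ULL
#define PTE_PS        0x80ULL                 /* large page at PDPT or PD level */
#define PFN_MASK      0x000FFFFFFFFFF000ULL   /* bits 51:12 of an entry */
#define PDE_2M_MASK   0x000FFFFFFFE00000ULL   /* bits 51:21 for a 2 MiB page */
#define PDPTE_1G_MASK 0x000FFFFFC0000000ULL   /* bits 51:30 for a 1 GiB page */

/* The only primitive the technique needs: read 8 bytes of physical memory.
 * Hypothetical stand-in backed by g_phys. Returns 0 on success, -1 if out of range. */
static int read_phys64(uint64_t pa, uint64_t *out)
{
    if (pa + 8 > sizeof(g_phys) || (pa & 7)) return -1;
    memcpy(out, g_phys + pa, 8);
    return 0;
}

static int read_phys8(uint64_t pa, uint8_t *out)
{
    if (pa >= sizeof(g_phys)) return -1;
    *out = g_phys[pa];
    return 0;
}

/* 4-level walk: CR3 + virtual address -> physical address. 0 on success, -1 if
 * any level is not present or a table lies outside readable physical memory. */
int translate_va(uint64_t cr3, uint64_t va, uint64_t *pa)
{
    uint64_t pml4e, pdpte, pde, pte;

    if (read_phys64((cr3 & PFN_MASK) + ((va >> 39) & 0x1FF) * 8, &pml4e)) return -1;
    if (!(pml4e & PTE_PRESENT)) return -1;

    if (read_phys64((pml4e & PFN_MASK) + ((va >> 30) & 0x1FF) * 8, &pdpte)) return -1;
    if (!(pdpte & PTE_PRESENT)) return -1;
    if (pdpte & PTE_PS) {                               /* 1 GiB page */
        *pa = (pdpte & PDPTE_1G_MASK) | (va & 0x3FFFFFFFULL);
        return 0;
    }

    if (read_phys64((pdpte & PFN_MASK) + ((va >> 21) & 0x1FF) * 8, &pde)) return -1;
    if (!(pde & PTE_PRESENT)) return -1;
    if (pde & PTE_PS) {                                 /* 2 MiB page */
        *pa = (pde & PDE_2M_MASK) | (va & 0x1FFFFFULL);
        return 0;
    }

    if (read_phys64((pde & PFN_MASK) + ((va >> 12) & 0x1FF) * 8, &pte)) return -1;
    if (!(pte & PTE_PRESENT)) return -1;
    *pa = (pte & PFN_MASK) | (va & 0xFFFULL);
    return 0;
}

/* Read `len` bytes from another address space by translating each 4 KiB page
 * and reading the physical bytes behind it. Returns the number of bytes read. */
size_t read_remote_via_cr3(uint64_t cr3, uint64_t va, uint8_t *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        uint64_t pa;
        if (translate_va(cr3, va + done, &pa)) break;
        size_t chunk = PAGE_SIZE - (pa & 0xFFF);     /* do not cross a page */
        if (chunk > len - done) chunk = len - done;
        for (size_t i = 0; i < chunk; i++)
            if (read_phys8(pa + i, &buf[done + i])) return done + i;
        done += chunk;
    }
    return done;
}

static void set_entry(uint64_t table_pa, unsigned idx, uint64_t value)
{
    memcpy(g_phys + table_pa + idx * 8, &value, 8);
}

/* Constructed sample address space (test data, not from any real process).
 * Indices were derived by hand from the VA bit fields:
 *   VA 0x00007FF600001xxx -> frame 5 (4 KiB page): PML4[255], PDPT[472], PD[0], PT[1]
 *   VA 0x00007FF6004xxxxx -> phys 0x200000 (2 MiB page, not backed here): PD[2]
 * Returns the CR3 value (PML4 lives in frame 1). */
uint64_t build_sample_tables(void)
{
    memset(g_phys, 0, sizeof(g_phys));
    set_entry(0x1000, 255, 0x2000   | PTE_PRESENT | PTE_WRITE); /* PML4 -> PDPT */
    set_entry(0x2000, 472, 0x3000   | PTE_PRESENT | PTE_WRITE); /* PDPT -> PD  */
    set_entry(0x3000, 0,   0x4000   | PTE_PRESENT | PTE_WRITE); /* PD   -> PT  */
    set_entry(0x3000, 2,   0x200000 | PTE_PS | PTE_PRESENT);    /* 2 MiB page  */
    set_entry(0x4000, 1,   0x5000   | PTE_PRESENT | PTE_WRITE); /* PT   -> data */
    memcpy(g_phys + 0x5234, "KSHARED", 8);   /* constructed payload in frame 5 */
    return 0x1000;
}

int main(void)
{
    uint64_t cr3 = build_sample_tables(), pa = 0;
    uint8_t buf[8] = {0};
    if (translate_va(cr3, 0x00007FF600001234ULL, &pa) == 0)
        printf("VA 0x7FF600001234 -> PA 0x%llx\n", (unsigned long long)pa);
    size_t n = read_remote_via_cr3(cr3, 0x00007FF600001234ULL, buf, sizeof buf);
    printf("read %zu bytes: %s\n", n, (char *)buf);
    return 0;
}
```

The walk deliberately returns failure instead of reading through a non-present entry: on a real target that is the difference between a silent bad read and a bugcheck when the "physical address" taken from a zero entry is dereferenced. Note that nothing here opens a handle or issues a syscall against the target; the one place the page itself admits a syscall may still be needed is obtaining CR3, which this example simply takes as input.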

| Tool Type | Evasion Effectiveness |
|-----------|----------------------|
| Userland hooks (EDR) | Bypass: no userland API is called. |
| Process-access logging (e.g., Sysmon Event ID 10, ProcessAccess) | Bypass for the read itself: no NtReadVirtualMemory call is made, so the read generates no ProcessAccess event. Any handle opened to obtain CR3 can still be logged. |
| Kernel callbacks (ObRegisterCallbacks) | Partial bypass: physical reads pass through no object-handle check, but the handle used to obtain CR3 does. |
| PatchGuard (x64) | Not triggered: PatchGuard fires on modification of protected kernel code and data; a read-only walk changes nothing. |

The primary motivation is efficiency. Free downloads on Kshared can be throttled to speeds as low as 50-100 KB/s, so large files take hours to finish. Bypassing this throttle offers: