Kdmapper.exe May 2026

The user provides kdmapper with a .sys file that:

Common examples include:

kdmapper opens a handle to the loaded vulnerable driver and sends a specially crafted I/O Control Code (IOCTL) that triggers the vulnerability. The goal is to gain arbitrary kernel memory read/write capabilities.

kdmapper.exe is a command-line tool that comes with the Windows Debugging Tools. Its primary function is to map a kernel or a part of it, allowing for more flexible and powerful kernel debugging capabilities. The tool is particularly useful in scenarios where developers or system administrators need to debug kernel-mode drivers or the Windows kernel itself.

kdmapper.exe is a powerful example of the dual-use nature of software. It is a sophisticated tool for bypassing Windows security protections.

For a security researcher, it is a valuable instrument for exploring the depths of the Windows kernel. For a malware author or game hacker, it is a key for unlocking the most privileged areas of the operating system. Understanding how it works provides crucial insight into the ongoing battle between system security and those attempting to subvert it.

kdmapper.exe is a widely used open-source tool designed to manually map unsigned kernel drivers into Windows memory. By exploiting a "Bring Your Own Vulnerable Driver" (BYOVD) vulnerability, it allows developers, and often game cheaters, to execute code at the highest privilege level (Ring 0) without a valid digital signature from Microsoft.

Technical Overview

The core function of kdmapper is to bypass Windows Driver Signature Enforcement (DSE), a security feature that prevents the loading of unsigned or improperly signed drivers.

The BYOVD Mechanism: Instead of directly loading an unsigned driver (which Windows would block), kdmapper loads a legitimate, digitally signed driver that contains a known security flaw. Historically, it has used the Intel Network Adapter Diagnostic Driver iqvw64.sys.

Kernel Exploitation: Once the vulnerable driver is loaded, kdmapper uses exposed I/O Control (IOCTL) codes to gain read/write access to kernel memory. It then "manually maps" the target unsigned driver by:
- Allocating kernel memory.
- Resolving imports and fixing relocations (tasks normally handled by the Windows loader).
- Copying the driver's code into the allocated space.
- Calling the driver's entry point.

Evasion & Cleanup: After the unsigned driver is successfully mapped, kdmapper clears the vulnerable driver from the list of loaded modules to avoid detection by security software.

Common Use Cases

Use Case / Typical Usage:
- Game Cheating: Bypassing kernel-level anti-cheats (like Vanguard or BattlEye) to run internal cheats that can read/write game memory directly.
- Security Research: Developing and testing kernel-mode tools or drivers without purchasing expensive Extended Validation (EV) certificates.
- Malware Analysis: Used by researchers to understand how advanced persistent threats (APTs) might leverage similar techniques for persistence.

Security Risks and Countermeasures

Because kdmapper grants Ring 0 access, it is frequently flagged by security software as malicious or high-risk.

Modern anti-virus and EDR (Endpoint Detection and Response) systems monitor for the loading of known vulnerable drivers. They also scan kernel memory for suspicious, unbacked code regions that lack a corresponding module on disk.

Microsoft Mitigation: Microsoft maintains a "driver blocklist" to prevent known vulnerable drivers from loading. Updates to Windows 11 (22H2 and later) have significantly strengthened these protections, often requiring users to disable features like Hypervisor-protected Code Integrity (HVCI) for the tool to function.

Static Analysis: Tools like Falcon Sandbox and Joe Sandbox identify kdmapper.exe by its high-entropy sections and specific API calls such as NtQuerySystemInformation and RtlGetVersion.
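Detection logic for the two countermeasures described above (watching for loads of known vulnerable drivers, and noticing a driver that was loaded but has since vanished from the kernel's module list, which is what the cleanup step leaves behind), as an added example that is not kdmapper's code and not from the original page. The driver events, module snapshot and blocklist below are constructed; a real deployment would feed it EDR or Sysmon driver-load telemetry and Microsoft's driver blocklist.

```python
"""Correlate driver load/unload telemetry with a later loaded-module snapshot
to surface the BYOVD pattern: a known vulnerable driver is loaded, and a driver
that never unloaded is missing from the module list (unlinked). Constructed data."""
from dataclasses import dataclass

# Constructed blocklist: iqvw64.sys is the Intel diagnostic driver named on the
# page. A real deployment would use Microsoft's driver blocklist instead.
VULNERABLE_DRIVERS = {"iqvw64.sys"}


@dataclass
class DriverEvent:
    ts: int       # seconds since boot (constructed timestamps)
    action: str   # "load" or "unload", as a sensor would report it
    image: str    # driver file name


def find_byovd_indicators(events, module_snapshot):
    """Return (severity, message) findings.
    Rule 1: any load of a driver on the vulnerable list is flagged.
    Rule 2: a driver loaded with no later unload event, yet absent from the
            kernel's module list, has been unlinked from that list."""
    findings = []
    live = {}  # image name -> load timestamp for drivers expected to be loaded
    for ev in sorted(events, key=lambda e: e.ts):
        name = ev.image.lower()
        if ev.action == "load":
            live[name] = ev.ts
            if name in VULNERABLE_DRIVERS:
                findings.append(("high", f"{name} is a known vulnerable driver, loaded at t={ev.ts}"))
        elif ev.action == "unload":
            live.pop(name, None)
    present = {m.lower() for m in module_snapshot}
    for name, ts in live.items():
        if name not in present:
            findings.append(("critical", f"{name} loaded at t={ts}, never unloaded, "
                                         "but missing from the module list (possible unlinked module)"))
    return findings


# Constructed sample: one benign load, one driver that unloads cleanly, and the
# vulnerable driver which is loaded and then disappears without an unload event.
SAMPLE_EVENTS = [
    DriverEvent(10, "load", "tcpip.sys"),
    DriverEvent(20, "load", "testdrv.sys"),
    DriverEvent(30, "unload", "testdrv.sys"),
    DriverEvent(42, "load", "iqvw64.sys"),
]
SAMPLE_MODULES = ["ntoskrnl.exe", "tcpip.sys"]

if __name__ == "__main__":
    for severity, msg in find_byovd_indicators(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(f"[{severity}] {msg}")
```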
