Device_LiveKd

Memory Acquisition Method: LiveKd

The LeechCore library supports reading live memory by using Sysinternals LiveKd.

Facts in short:

Is supported on 64-bit Windows.
Acquires memory in read-only mode.
May acquires memory from Hyper-V guest VM from Hyper-V host.
Is slow (2MB/s) due to current inefficiencies in LiveKd driver.
Acquired memory is assumed to be volatile.
Have additional requirements.

The LeechCore process must be started from LiveKd in elevated administrator mode for LiveKd to be able to capture live memory.

Connection string:

LeechCore API:

Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is livekd.

PCILeech / MemProcFS:

Please specify the device type in the -device option or start from LiveKd directly

Examples:

-device livekd -remote rpc://<spn>:<somehost>

LiveKd.exe -k MemProcFS.exe

Requirements:

Depends on LiveKd.exe. Please download the latest version of Sysinternals LiveKd from Microsoft.

Overview

Home

API

Acquisition Methods

FILE
REMOTE
EXISTING
HW: USB3380
HW: FPGA
- DMA not working
- DMA on AMD/
  Thunderbolt
HW: FPGA/RawUDP
HW: iLO/RawTCP
Hyper-V Saved State
TotalMeltdown
DumpIt
LiveKd
LiveCloudKd
QEMU
VMWare
WinPMEM

LeechAgent

Overview
Installing

Development

Building

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Device_LiveKd

Memory Acquisition Method: LiveKd

Connection string:

Requirements:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Overview

API

Acquisition Methods

LeechAgent

Development

Clone this wiki locally