pclone (Process Cloning)
This is my second release so be nice, I'm new.
I'm releasing another old project that has been lying around half done for a while. It clones processes. The clone does not contain a copy but, just like reverse injector, the same memory. You can OpenProcess (PROCESS_ALL_ACCESS) the clone and do memory operations on the clone as though it's the game.
pclone uses PTM which uses VDM. The VDM driver does not need to be loaded when creating a pclone_ctx as you will see in main.cpp. This project works by spawning a process (suspended) and swapping its dirbase and PEB inside of its EPROCESS structure. It does all of this from usermode by using VDM (no driver is mapped is what I mean by "usermode").
To make a pclone_ctx you will need to make a vdm_ctx; you will also need the pid of the process you want to clone. You can then call .clone as many times as you would like, since it will just make new clones of the process. You can have 10 clones of the game running at once, 20, lol.
pclone_ctx clone_ctx(vdm, util::get_pid("notepad.exe"));
// clone_pid is the pid of the new clone process
// clone_handle is a PROCESS_ALL_ACCESS handle which you can
// use to call VirtualAllocEx, ReadProcessMemory, WriteProcessMemory... etc...
const auto [clone_pid, clone_handle] = clone_ctx.clone();
You can use both of these although the clone (RuntimeBroker.exe in this case) does not have the same VADs as the game since I don't copy the VAD_ROOT. I was surprised myself when this worked because I was pretty much assuming that the kernel would crash when trying to VirtualProtect a page that doesn't have a VAD entry, but I guess it just makes a VAD entry.
What you are seeing in this image is the ntdll.dll base. I VirtualProtectEx it to be RWX and then I write "IDontCode" over MZ. Also the original process says the page is RWX which is very strange. Why would it make the original process's VAD entry RWX? LOL?
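As an added defender-side example (not part of this release or its code), the trace this technique leaves can be checked from a process listing that carries each EPROCESS's image name, DirectoryTableBase and PEB image path: a clone shares its dirbase with the cloned process, and its EPROCESS name no longer matches the file name in its PEB. The listing layout and the sample records below are constructed assumptions, not output of pclone or any particular tool.

```python
import re
from collections import defaultdict

# Constructed sample listing (assumed layout, not output from pclone or a real tool):
# eprocess_offset  eprocess_name  pid  ppid  directory_table_base  peb_image_path
SAMPLE_LISTING = """
0xffffe0000a1b2c00 notepad.exe       4120 1204 0x00000001a3c04000 C:\\Windows\\System32\\notepad.exe
0xffffe0000a1c5d00 RuntimeBroker.exe 5288 1204 0x00000001a3c04000 C:\\Windows\\System32\\notepad.exe
0xffffe0000a1d9f00 explorer.exe      1204  912 0x000000012f8e2000 C:\\Windows\\explorer.exe
0xffffe0000a2e0000 RuntimeBroker.exe 6012 1204 0x00000001b4d10000 C:\\Windows\\System32\\RuntimeBroker.exe
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(\S+)$", re.I)

def parse_listing(text):
    """Turn the constructed listing into one dict per process."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        _off, name, pid, ppid, dtb, peb_path = m.groups()
        records.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                        "dtb": int(dtb, 16), "peb_path": peb_path})
    return records

def shared_dirbase(records):
    """Map each DirectoryTableBase used by more than one PID to those PIDs.
    Every process owns its own page tables, so any sharing means one EPROCESS
    had its dirbase swapped to point at another process's address space."""
    by_dtb = defaultdict(list)
    for r in records:
        by_dtb[r["dtb"]].append(r["pid"])
    return {dtb: sorted(pids) for dtb, pids in by_dtb.items() if len(pids) > 1}

def peb_name_mismatch(records):
    """PIDs whose EPROCESS image name differs from the file name in the PEB's
    image path; a swapped PEB reports the cloned process's path instead."""
    bad = []
    for r in records:
        peb_file = r["peb_path"].replace("\\", "/").rsplit("/", 1)[-1]
        if peb_file.lower() != r["name"].lower():
            bad.append(r["pid"])
    return bad

def findings(text):
    records = parse_listing(text)
    out = [f"dirbase {dtb:#x} shared by pids {pids}" for dtb, pids in shared_dirbase(records).items()]
    out += [f"pid {pid}: EPROCESS name does not match PEB image path" for pid in peb_name_mismatch(records)]
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LISTING):
        print(f)
```

On the sample, the second RuntimeBroker.exe (pid 5288) is flagged by both checks, while the legitimate one (pid 6012) is not.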
For those having blue screen issues, you can disable the set manager thread: https://githacks.org/snippets/31