The professional version of the software (available later) costs $479 USD (a one-time payment for lifetime updates). This thread is the primary support channel for the software.
Every order of the software is subject to manual approval/processing. The approval process may take anywhere from 12 hours up to 3 weeks when using PayPal. Read this post for more information:
https://overlayhack.com/hex-deref-support/984
Official site:
https://hexderef.com/
Current version: v1.09
May 15th, 2022
Payment methods: PayPal (business users only with a legitimate company). Cryptocurrency (Bitcoin or ETH) is the only payment method for individual customers.
As of 06/2022 the software has been developed for 5 years, usually on a daily basis. There is no trial version of the software. Use the free version of the software to find out if the software meets your requirements.
MEMORY SCANNING OPTIONS:
https://overlayhack.com/hex-deref-support/985
HOW TO / TERMINOLOGY:
https://overlayhack.com/hex-deref-support/983
If your task is to test or "bypass" kernel-level anti-cheats, that can be easily done with the software as shown in
https://hexderef.com/how-to-make-cheat-engine-undetectable
Changelog:
https://hexderef.com/#changelog
Q: How does the professional version differ from the free version?
A:
1) No thread limitation in the multi-threaded disassembler (use as many threads as your CPU supports)
2) Commercial use of the software is allowed
3) An unsigned version of the kernel driver is included, which enables arbitrary kernel memory to be read and written through the driver. This functionality enables an otherwise unattainable level of analysis and disclosure of information from the memory of the kernel and loaded modules.
For example:
In terms of AV, advanced malware or kernel-level anti-cheat evasion and testing, every publicly released piece of software or kernel driver may eventually be detected, blacklisted, deemed unwanted software and so forth. The result could be a loss of business profit for no real reason.
Therefore the kernel features of the software cannot be provided for free. The PRO version of the software has a different control flow obfuscation, and the DKOM functionality in the kernel driver is provided as a solution for your research task.
The HEX DEREF software does not do anything without the user's consent.
Please watch the introduction video of the kernel features at the official site:
https://hexderef.com/ and try out the free version before you purchase because all payments are final and non refundable.
The following Windows 10 64-bit (Home or Pro) versions are supported by the kernel driver:
Windows 10 21H1 Build: 19043
Windows 10 21H2 Build: 19044
Windows 10 22H2 Build: 19045
Any other Windows version is subject to custom software work.
Functionality:
Able to read and write (RW) protected user mode process arbitrary memory
Arbitrary kernel memory read or write (RW) without the need to enable kernel debugging
Handle elevation DKOM that bypasses EAC/BattlEye
Process hiding functionality
A customized version of the kernel driver costs $499 - $4,999 USD depending on your needs.
You can verify your Windows version by typing "winver" in the search box.
You can sign the driver with your OV or EV code signing certificate. The more expensive EV code signing certificate (works with Secure Boot on Windows 11) is only purchasable by corporate users, as it requires a verified company.
Leave a comment with your contact details in the thread (every comment is subject to manual approval) if you want to pay in cryptocurrency (Bitcoins or ETH)
If you host a quality forum or security-research-related blog and write related articles, it may be possible to get the PRO version in exchange for advertising the software in your articles.
Implemented a page table walk which is able to find every allocated user or kernel memory page in a matter of a few seconds.
That feature enables dumping strings from kernel memory (e.g. from a kernel driver). Try out the Tools->Dump strings feature in the free version.
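To make the page table walk mentioned above concrete from a memory-forensics angle, here is an added example (not HEX DEREF code, and not the tool's implementation) that builds a small constructed x86-64 4-level paging hierarchy inside a byte buffer standing in for physical memory, translates virtual addresses through it, and enumerates every present mapping the way an analyst walking a memory image would. All addresses, table locations and the 64 KiB buffer size are constructed for the demonstration; the entry layout (present bit 0, page-size bit 7, physical address in bits 51:12) follows the Intel SDM.

```python
"""Four-level x86-64 page-table walk over a constructed physical-memory image.

Added example for this page, not HEX DEREF code. All addresses below are
constructed for the demonstration; the paging-structure layout follows the
Intel SDM (4-level paging, 4 KiB tables of 512 8-byte entries).
"""
import struct

PAGE = 0x1000
ENTRY_PRESENT = 1 << 0
ENTRY_PS = 1 << 7                       # page-size bit: large page in PDPT/PD
ADDR_MASK = 0x000F_FFFF_FFFF_F000      # bits 51:12 of an entry

# Constructed "physical memory": 64 KiB is enough to hold the paging structures.
PHYS = bytearray(0x10000)


def _read_entry(table_pa, index):
    off = table_pa + index * 8
    if off + 8 > len(PHYS):
        raise ValueError(f"table at 0x{table_pa:X} lies outside the image")
    return struct.unpack_from("<Q", PHYS, off)[0]


def _write_entry(table_pa, index, value):
    struct.pack_into("<Q", PHYS, table_pa + index * 8, value)


# Constructed layout: PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000,
# one 4 KiB data page @0x5000 and one 2 MiB large page @0x200000 (only its
# PD entry is needed; the page itself is outside the buffer).
PML4_PA, PDPT_PA, PD_PA, PT_PA, DATA_PA = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
LARGE_PA = 0x200000

_write_entry(PML4_PA, 1, PDPT_PA | ENTRY_PRESENT)
_write_entry(PDPT_PA, 2, PD_PA | ENTRY_PRESENT)
_write_entry(PD_PA, 3, PT_PA | ENTRY_PRESENT)
_write_entry(PD_PA, 5, LARGE_PA | ENTRY_PS | ENTRY_PRESENT)
_write_entry(PT_PA, 4, DATA_PA | ENTRY_PRESENT)
# PT index 6 is left zero on purpose: a not-present page.


def make_va(pml4, pdpt, pd, pt=0, offset=0):
    """Compose a virtual address from its four table indices and page offset."""
    va = (pml4 << 39) | (pdpt << 30) | (pd << 21) | (pt << 12) | offset
    if pml4 >= 256:  # canonical sign extension for the upper (kernel) half
        va |= 0xFFFF << 48
    return va


def translate(va, cr3=PML4_PA):
    """Return the physical address for va, or None if any level is not present."""
    pml4e = _read_entry(cr3, (va >> 39) & 0x1FF)
    if not pml4e & ENTRY_PRESENT:
        return None
    pdpte = _read_entry(pml4e & ADDR_MASK, (va >> 30) & 0x1FF)
    if not pdpte & ENTRY_PRESENT:
        return None
    if pdpte & ENTRY_PS:  # 1 GiB page
        return (pdpte & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF)
    pde = _read_entry(pdpte & ADDR_MASK, (va >> 21) & 0x1FF)
    if not pde & ENTRY_PRESENT:
        return None
    if pde & ENTRY_PS:  # 2 MiB page
        return (pde & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
    pte = _read_entry(pde & ADDR_MASK, (va >> 12) & 0x1FF)
    if not pte & ENTRY_PRESENT:
        return None
    return (pte & ADDR_MASK) | (va & 0xFFF)


def mapped_pages(cr3=PML4_PA):
    """Enumerate every present mapping as (va, pa, size) by walking all levels.

    Only present entries are descended into, which is why a full walk of a
    sparse hierarchy is fast: absent subtrees cost one entry read each.
    """
    pages = []
    for i4 in range(512):
        e4 = _read_entry(cr3, i4)
        if not e4 & ENTRY_PRESENT:
            continue
        for i3 in range(512):
            e3 = _read_entry(e4 & ADDR_MASK, i3)
            if not e3 & ENTRY_PRESENT:
                continue
            if e3 & ENTRY_PS:
                pages.append((make_va(i4, i3, 0), e3 & 0x000F_FFFF_C000_0000, 1 << 30))
                continue
            for i2 in range(512):
                e2 = _read_entry(e3 & ADDR_MASK, i2)
                if not e2 & ENTRY_PRESENT:
                    continue
                if e2 & ENTRY_PS:
                    pages.append((make_va(i4, i3, i2), e2 & 0x000F_FFFF_FFE0_0000, 1 << 21))
                    continue
                for i1 in range(512):
                    e1 = _read_entry(e2 & ADDR_MASK, i1)
                    if e1 & ENTRY_PRESENT:
                        pages.append((make_va(i4, i3, i2, i1), e1 & ADDR_MASK, PAGE))
    return pages


if __name__ == "__main__":
    for va, pa, size in mapped_pages():
        print(f"VA 0x{va:016X} -> PA 0x{pa:X} ({size // 1024} KiB)")
```

Against a real memory image the same walk starts from the CR3 value of the process (or the kernel's directory table base) and reads tables from the image instead of `PHYS`; the per-level present and page-size checks are what keep the enumeration both correct and quick on a mostly empty hierarchy.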
Kernel mode (KM)
Kernel driver interface (KDI)
How to use the handle elevation DKOM feature with a game that's protected by a kernel level anti-cheat?
1) Enter the process names in the fields. If you want to elevate a handle for Cheat Engine (CE), enter "cheatengine-x86_64-SSE4-AVX2.exe" in the "Elevate handle from process" field. Then enter the executable name of the game in the field below.
https://hexderef.com/images/HEX_DEREF_v110_HANDLE_DKOM_EAC_BE_UNDETECTED_POC.png
2) KDI->Load
3) KDI->Hide driver
4) Start a game that's protected by a kernel-level anti-cheat
5) Right-click to elevate the handle or use KDI->Elevate the handle
The handle will be elevated with all possible access rights for a process object (PROCESS_ALL_ACCESS 0x1FFFFF).
Once you've elevated the handle, do the following:
KDI->Unhide driver
KDI->Unload
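The procedure above ends with a handle carrying PROCESS_ALL_ACCESS (0x1FFFFF). The following added example (not HEX DEREF code, and not related to how the driver performs the elevation) decodes such a process-object access mask into its individual rights and reports which of them go beyond what a handle was expected to hold, which is the check an analyst applies when reviewing handle-access telemetry. The PROCESS_* and standard-rights constants are the documented winnt.h values; the SENSITIVE_RIGHTS set is this example's own triage choice, not something Windows defines.

```python
"""Decode a process-object access mask such as PROCESS_ALL_ACCESS (0x1FFFFF).

Added example for this page; not HEX DEREF code. PROCESS_* and standard-rights
values are the documented winnt.h constants. SENSITIVE_RIGHTS is this
example's own triage choice (rights that allow writing into or running code in
another process), not a Windows-defined set.
"""
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# This example's own triage set: rights that let the holder write into or
# run code inside the target process.
SENSITIVE_RIGHTS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                    "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE"}


def decode_access_mask(mask):
    """Return the names of every right set in mask, lowest bit first.

    Specific-right bits with no winnt.h name (0x4000, 0x8000) are still part
    of PROCESS_ALL_ACCESS and are reported as UNNAMED_0x... so nothing is lost.
    """
    names = []
    for bit in range(32):
        flag = 1 << bit
        if mask & flag:
            names.append(PROCESS_RIGHTS.get(flag) or STANDARD_RIGHTS.get(flag)
                         or f"UNNAMED_0x{flag:08X}")
    return names


def excess_rights(granted, expected):
    """Rights present in granted but not in expected.

    Example: a handle normally opened with
    PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ (0x1010) that now
    carries more than that.
    """
    return decode_access_mask(granted & ~expected & 0xFFFFFFFF)


def sensitive_rights(mask):
    """Sorted list of the SENSITIVE_RIGHTS present in mask (empty = nothing to flag)."""
    return sorted(SENSITIVE_RIGHTS & set(decode_access_mask(mask)))


if __name__ == "__main__":
    print("PROCESS_ALL_ACCESS grants:", ", ".join(decode_access_mask(PROCESS_ALL_ACCESS)))
    print("Flagged:", sensitive_rights(PROCESS_ALL_ACCESS))
    print("Beyond a 0x1010 handle:", excess_rights(PROCESS_ALL_ACCESS, 0x1010))
```

Feeding the access mask recorded by a handle-audit or EDR event into `excess_rights` with the mask the opening process is known to request answers the practical question directly: which rights did this handle acquire that it was never opened with.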
How to hide the process?
1) KDI->Load the driver
2) Left-click on the process you want to hide. The selected process is highlighted
3) Right-click to hide the process
Every time you reboot your computer or VM, you need to enable KM in the settings and load the driver before you can browse kernel memory.
As of 12/2023 PayPal payments are no longer accepted, no matter whether the customer is an individual or a business user. The only acceptable payment methods are Bitcoin (BTC) or ETH. I use blockchain.com. Software work is paid in advance. If this is not according to your requirements, please move on to another site. Thank you.
For all custom software work, you must confirm the agreement by email before you send any payment. If you have a business, the contract confirmation email must originate from "payments@yourbusiness.com". Free email providers are only accepted for individual users.
The professional version of the software includes a physical memory scanner.
Memory scanning is in user mode by default, targeting the process you opened from the process list by left-clicking on the process name. When you scan your PC's or laptop's physical memory through the kernel driver, there is no need to open a handle to any process.
The kernel driver options must be initialized and the driver loaded using the KDI before you can scan kernel memory.
KERNEL_MEMORY: The memory allocated by the kernel and the loaded kernel modules is scanned.
KERNEL_MODULES: The data and discardable sections of the kernel and drivers are checked.
USER_MEMORY: The memory allocated by all user mode processes is checked. Scanning also includes all protected processes.
The above three together cover the whole of a computer's physical memory. The narrower the scan, the better the results, and, needless to say, you get the results you were after faster as well.
Each time you restart your computer or virtual machine (VM):
1) KDI->Initialize
2) KDI->Load the driver
Before you can unload the driver, you have to stop its system thread.
KDI->Stop thread
KDI->Unload driver
Compared with Cheat Engine 7.4, the kernel memory scanner is more mature. It just works exactly as you expect it to work, without any hassle.
CE does not convert physical addresses to virtual addresses. You will have to use WinDbg, which will require you to enable kernel debugging as well. This is usually a no-go with kernel-level anti-cheats. This is not a personal attack towards CE's author, but the memory viewer in HEX DEREF is literally decades ahead.
Usually two options are better than just one. CE is the only tool I know of with which I can even compare physical memory scan results. The kernel physical memory scanner in HEX DEREF is also notably faster.
Every publicly released piece of software or kernel driver may eventually be detected, blacklisted, deemed unwanted software and so forth:
https://github.com/processhacker/processhacker/issues/725
https://wj32.org/processhacker/forums/viewtopic.php?t=3729
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/ProcHack&threatId=-2147221926
Q: What's the difference vs the competition?
A: As far as I have tested most of the competing software, the memory viewer is the most advanced ever released up to the current date. You can switch on the fly between user and kernel mode in the same instance. The kernel driver in the paid version enables kernel memory scans and many other DKOM functions.