HEX DEREF SUPPORT
The professional version of the software (available later) and costs $479 USD (a one-time payment for lifetime updates). This thread is the primary support for the software.
Every order of the software is subject to manual approval/processing. The approval process may take anywhere from 12 hours up to 3 weeks when using PayPal. Read this post for more information: https://overlayhack.com/hex-deref-support/984
Official site: https://hexderef.com/
Current version: v1.09
May 15th, 2022
Payment methods: PayPal (business users only with a legitimate company). Cryptocurrency (Bitcoin or ETH) is the only payment method for individual customers.
As of 06/2022 the software has been developed for (5) years, usually on a daily basis. There is no trial version of the software. Use the free version of the software to find out if the software meets your requirements.
MEMORY SCANNING OPTIONS: https://overlayhack.com/hex-deref-support/985
HOW TO / TERMINOLOGY: https://overlayhack.com/hex-deref-support/983
If your task is to test or "bypass" kernel level anti-cheats. That can be easily done with the software as shown in https://hexderef.com/how-to-make-cheat-engine-undetectable
Changelog: https://hexderef.com/#changelog
Q: How the professional version differs from the free version?
A:
1) No thread limitation in multi-threaded disassembler (use as many threads as your CPU support)
2) Commercial use of the software is allowed
3) An unsigned version of the kernel driver is included which enables arbitrary kernel memory to be read and written through the driver. This functionality enables an unattainable level of analysis and disclosure of information from the kernel and loaded modules memory
For example:
In terms of AV, advanced malware or kernel level anti-cheat evasion and testing, every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth. The result could be a loss of business profit for no real reason.
Therefore the kernel features of the software cannot be provided for free. The PRO version of the software has a different control flow obfuscation and the DKOM functionality in the kernel driver is provided as a solution for your researching task.
The HEX DEREF software does not do anything without the user consent.
Please watch the introduction video of the kernel features at the official site: https://hexderef.com/ and try out the free version before you purchase because all payments are final and non refundable.
The following Windows 10 64-bit (Home or Pro) versions are supported in the kernel driver
Any other windows version is subject to a custom software work.
Functionality:
Able to read and write (RW) protected user mode process arbitrary memory
Arbitrary kernel memory read or write (RW) without the need to enable kernel debugging
Handle elevation DKOM that bypasses EAC/Battleye
Process hiding functionality
A customized version of the kernel driver costs $499 - $4,999 USD depending on your needs.
You can verify your windows version by typing "winver" in the search.
You can sign the driver with your OV or EV code signing certificate. The more expensive EV code signing certificate (works with secure boot on Windows 11) is purchasable for corporate users as it requires a verified company.
Leave a comment with your contact details in the thread (every comment is subject to manual approval) if you want to pay in cryptocurrency (Bitcoins or ETH)
If you host a quality forum or security research related blog and write related articles. It may be possible to get the PRO version for advertising the software in your articles.
Every order of the software is subject to manual approval/processing. The approval process may take anywhere from 12 hours up to 3 weeks when using PayPal. Read this post for more information: https://overlayhack.com/hex-deref-support/984
Official site: https://hexderef.com/
Current version: v1.09
May 15th, 2022
Payment methods: PayPal (business users only with a legitimate company). Cryptocurrency (Bitcoin or ETH) is the only payment method for individual customers.
As of 06/2022 the software has been developed for (5) years, usually on a daily basis. There is no trial version of the software. Use the free version of the software to find out if the software meets your requirements.
MEMORY SCANNING OPTIONS: https://overlayhack.com/hex-deref-support/985
HOW TO / TERMINOLOGY: https://overlayhack.com/hex-deref-support/983
If your task is to test or "bypass" kernel level anti-cheats. That can be easily done with the software as shown in https://hexderef.com/how-to-make-cheat-engine-undetectable
Changelog: https://hexderef.com/#changelog
Q: How the professional version differs from the free version?
A:
1) No thread limitation in multi-threaded disassembler (use as many threads as your CPU support)
2) Commercial use of the software is allowed
3) An unsigned version of the kernel driver is included which enables arbitrary kernel memory to be read and written through the driver. This functionality enables an unattainable level of analysis and disclosure of information from the kernel and loaded modules memory
For example:
In terms of AV, advanced malware or kernel level anti-cheat evasion and testing, every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth. The result could be a loss of business profit for no real reason.
Therefore the kernel features of the software cannot be provided for free. The PRO version of the software has a different control flow obfuscation and the DKOM functionality in the kernel driver is provided as a solution for your researching task.
The HEX DEREF software does not do anything without the user consent.
Please watch the introduction video of the kernel features at the official site: https://hexderef.com/ and try out the free version before you purchase because all payments are final and non refundable.
The following Windows 10 64-bit (Home or Pro) versions are supported in the kernel driver
Windows 10 21H1 Build: 19043
Windows 10 21H2 Build: 19044
Windows 10 22H2 Build: 19045
Windows 10 21H2 Build: 19044
Windows 10 22H2 Build: 19045
Any other windows version is subject to a custom software work.
Functionality:
Able to read and write (RW) protected user mode process arbitrary memory
Arbitrary kernel memory read or write (RW) without the need to enable kernel debugging
Handle elevation DKOM that bypasses EAC/Battleye
Process hiding functionality
A customized version of the kernel driver costs $499 - $4,999 USD depending on your needs.
You can verify your windows version by typing "winver" in the search.
You can sign the driver with your OV or EV code signing certificate. The more expensive EV code signing certificate (works with secure boot on Windows 11) is purchasable for corporate users as it requires a verified company.
Leave a comment with your contact details in the thread (every comment is subject to manual approval) if you want to pay in cryptocurrency (Bitcoins or ETH)
If you host a quality forum or security research related blog and write related articles. It may be possible to get the PRO version for advertising the software in your articles.
| #978 Title: HEX DEREF v1.07 Administrator |
01/31/2022 12:41 - 1256 days 15 hours 53 minutes #978 |
Implemented a page table walk which is pretty much effectively able to find every allocated user or kernel memory page in a matter of few seconds.
That feature enables dumping strings from the kernel memory (e.g from kernel driver). Try out the free version Tools->Dump strings feature.
That feature enables dumping strings from the kernel memory (e.g from kernel driver). Try out the free version Tools->Dump strings feature.
| #982 Title: HEX DEREF v1.08 Administrator |
04/01/2022 23:36 - 1196 days 5 hours 58 minutes #982 |
Main view:
- Fixed logic issue with automatic process attach
- Fixed unhandled exceptions with protected processes where an anti-cheat stripped handle access
- Added an option in settings to refresh the process list automatically
"C" kernel driver:
Added process handle elevation feature. You can attach your favorite tool to any protected user mode process with PROCESS_ALL_ACCESS (0x1FFFFF) handle.
Memory viewer:
- Minor UI optimizations (a slightly less lag when drawing user process memory)
- By default show the values as unsigned
- When you modify a value in memory, the value entered can also be a hexadecimal number
- Fixed various unhandled exceptions with protected processes
- Fixed logic issue with automatic process attach
- Fixed unhandled exceptions with protected processes where an anti-cheat stripped handle access
- Added an option in settings to refresh the process list automatically
"C" kernel driver:
Added process handle elevation feature. You can attach your favorite tool to any protected user mode process with PROCESS_ALL_ACCESS (0x1FFFFF) handle.
Memory viewer:
- Minor UI optimizations (a slightly less lag when drawing user process memory)
- By default show the values as unsigned
- When you modify a value in memory, the value entered can also be a hexadecimal number
- Fixed various unhandled exceptions with protected processes
| #983 Title: How to / Terminology in the software Administrator |
04/01/2022 23:39 - 1196 days 5 hours 54 minutes #983 |
Kernel mode (KM)
Kernel driver interface (KDI)
How to use the handle elevation DKOM feature with a game that's protected by a kernel level anti-cheat?
1) Enter the process names in the fields. If you want to elevate a handle for Cheat Engine (CE). Enter "cheatengine-x86_64-SSE4-AVX2.exe" in the "Elevate handle from process" field. Then you enter the executable name of the game in the field below.
https://hexderef.com/images/HEX_DEREF_v110_HANDLE_DKOM_EAC_BE_UNDETECTED_POC.png
2) KDI->Load
3) KDI->Hide driver
3) Start a game that's protected by a kernel level anti-cheat
4) Right-click to elevate the handle or use the KDI->Elevate the handle
The handle will be elevated with all possible access rights for a process object (PROCESS_ALL_ACCESS 0x1FFFFF).
Once you've elevated the handle. Do the following:
KDI->Unhide driver
KDI->Unload
How to hide the process?
1) KDI->Load the driver
2) Left-click on the process you want to hide. The selected process is highlighted
3) Right-click to hide the process
Every time when you reboot your computer or VM. Before you can browse the kernel memory. You need to enable KM in the settings and load the driver.
Kernel driver interface (KDI)
How to use the handle elevation DKOM feature with a game that's protected by a kernel level anti-cheat?
1) Enter the process names in the fields. If you want to elevate a handle for Cheat Engine (CE). Enter "cheatengine-x86_64-SSE4-AVX2.exe" in the "Elevate handle from process" field. Then you enter the executable name of the game in the field below.
https://hexderef.com/images/HEX_DEREF_v110_HANDLE_DKOM_EAC_BE_UNDETECTED_POC.png
2) KDI->Load
3) KDI->Hide driver
3) Start a game that's protected by a kernel level anti-cheat
4) Right-click to elevate the handle or use the KDI->Elevate the handle
The handle will be elevated with all possible access rights for a process object (PROCESS_ALL_ACCESS 0x1FFFFF).
Once you've elevated the handle. Do the following:
KDI->Unhide driver
KDI->Unload
How to hide the process?
1) KDI->Load the driver
2) Left-click on the process you want to hide. The selected process is highlighted
3) Right-click to hide the process
Every time when you reboot your computer or VM. Before you can browse the kernel memory. You need to enable KM in the settings and load the driver.
| #984 Title: PayPal payments are no longer accepted Administrator |
05/04/2022 19:02 - 1163 days 10 hours 32 minutes #984 |
As of 12/2023 PayPal payments are no longer accepted. No matter whether the customer is an individual or a business user. The only acceptable payment method is Bitcoin (BTC) or ETH. I use blockchain.com. Software work is paid in advance. If this is not according to your requirements. Please move on to another site. Thank you.
For all custom software work, you must confirm the agreement with your email before you send any payment. If you have a business, our contract confirmation email must originate from "payments@yourbusiness.com". Free email providers are only accepted for individual users.
For all custom software work, you must confirm the agreement with your email before you send any payment. If you have a business, our contract confirmation email must originate from "payments@yourbusiness.com". Free email providers are only accepted for individual users.
| #985 Title: Kernel physical memory scanner Administrator |
05/17/2022 20:20 - 1150 days 9 hours 14 minutes #985 |
The professional version of the software includes physical memory scanner.
Memory scanning is in user mode by default. The process you opened from the process list by left-clicking on the process name. When you scan your PC or laptop physical memory through the kernel driver, there is no need to open a handle to any process.
The options for kernel driver must be initialized and the driver loaded using the KDI before you can scan kernel memory.
KERNEL_MEMORY: The memory allocated by the kernel and the loaded kernel modules is scanned.
KERNEL_MODULES: The kernel and drivers data and discardable sections are checked.
USER_MEMORY: The memory allocated by all user mode processes is checked. Scanning also includes all protected processes.
The above three together are the same as a computer's physical memory. The more narrowed the scan is, the better results you will get and needless to even mention, you get the results you was after faster as well.
Memory scanning is in user mode by default. The process you opened from the process list by left-clicking on the process name. When you scan your PC or laptop physical memory through the kernel driver, there is no need to open a handle to any process.
The options for kernel driver must be initialized and the driver loaded using the KDI before you can scan kernel memory.
KERNEL_MEMORY: The memory allocated by the kernel and the loaded kernel modules is scanned.
KERNEL_MODULES: The kernel and drivers data and discardable sections are checked.
USER_MEMORY: The memory allocated by all user mode processes is checked. Scanning also includes all protected processes.
The above three together are the same as a computer's physical memory. The more narrowed the scan is, the better results you will get and needless to even mention, you get the results you was after faster as well.
| #986 Title: How to use the kernel driver interface (KDI)? Administrator |
05/24/2022 16:00 - 1143 days 13 hours 34 minutes #986 |
Each time you restart your computer or virtual machine (VM).
1) KDI->Initialize
2) KDI->Load the driver
Before you can unload the driver, you have to stop it's system thread.
KDI->Stop thread
KDI->Unload driver
1) KDI->Initialize
2) KDI->Load the driver
Before you can unload the driver, you have to stop it's system thread.
KDI->Stop thread
KDI->Unload driver
| #987 Title: You have plans to sell HEX DEREF and from a business perspective, what can your tool offer that free tools can't? Administrator |
10/18/2022 21:39 - 996 days 7 hours 55 minutes #987 |
If we compare vs Cheat Engine 7.4. Kernel memory scanner is more mature. It just works exactly as you expect it to work without any hassle.
CE does not convert physical addresses to virtual addressess. You will have to use WinDbg which will require you to enable kernel debugging as well. This is usually a no go with kernel level anti cheats. This is not a personal attack towards CE's author but the memory viewer in HEX DEREF is literally decades ahead.
Usually two options is better than just one. CE is the only tool I know what with I can even compare physical memory scan results. Kernel physical memory scanner in HEX DEREF is also notably faster.
Every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth:
https://github.com/processhacker/processhacker/issues/725
https://wj32.org/processhacker/forums/viewtopic.php?t=3729
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/ProcHack&threatId=-2147221926
>> What's the difference vs the competition?
As far I tested the most of the competitive software. The memory viewer is the most advanced ever released up to the current date. You can switch on the fly between user and kernel mode in the same instance. The kernel driver in the paid version enables kernel memory scans and may other DKOM functionality.
CE does not convert physical addresses to virtual addressess. You will have to use WinDbg which will require you to enable kernel debugging as well. This is usually a no go with kernel level anti cheats. This is not a personal attack towards CE's author but the memory viewer in HEX DEREF is literally decades ahead.
Usually two options is better than just one. CE is the only tool I know what with I can even compare physical memory scan results. Kernel physical memory scanner in HEX DEREF is also notably faster.
Every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth:
https://github.com/processhacker/processhacker/issues/725
https://wj32.org/processhacker/forums/viewtopic.php?t=3729
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/ProcHack&threatId=-2147221926
>> What's the difference vs the competition?
As far I tested the most of the competitive software. The memory viewer is the most advanced ever released up to the current date. You can switch on the fly between user and kernel mode in the same instance. The kernel driver in the paid version enables kernel memory scans and may other DKOM functionality.
