This project is read-only.

Project Description

A project for exploring the Windows kernel. It consists of a WinForms application for presentation (written in C#) and a Windows driver (written in C). VS2013 + WDK8.1 are required.



I first created the project when I finally got some time to learn Windows internals. It is coded in 90% C# + 10% C. I tend to move complicated logic into Ring 3 because it is easier to debug and organize there. So I implemented some basic functions in the driver layer, such as reading/writing memory, invoking functions and so on, with which I can then do what I want in C#.

I hope this project can give you some clues or help you out as you get into the Windows kernel. You are welcome to extend the functions and to tell me about bugs to fix, features to implement and things to discuss.

Compile and Run

You should be able to fully compile the source code using Visual Studio 2013 with WDK8.1 installed.
The tool currently only supports Windows 8.1 x86. However, the symbol and PE features should run without issue on an x64 OS.


  • Dynamic Compilation: Dynamically compiling modules by monitoring file changes under the module folder. Loading compiled modules without restarting the host/main application.
  • Symbol: Loading/searching module symbols like the dt command in WinDbg. Generating a C# structure from a given UDT symbol.
  • Routine: Enumerating various registered system callbacks.
  • Process: Enumerating all processes/threads/handles.
  • PE: Loading PE format files and exploring their headers, import/export tables, etc.
  • Object: Viewing system objects like what you see in WinObj.
  • Ndis: Using NDIS hooking to perform network traffic monitoring.
  • Module: Listing all loaded driver modules.
  • Hook: Intercepting system calls, reloading the kernel, exploring SSDT/Shadow SSDT functions, replacing system calls with reloaded kernel functions.
  • KeyMouse: Seeking keyboard and mouse driver class service callbacks, and using them to send keys.

The Framework

  • Lazy loading of forms.
  • Services decoupling.
  • Caching.
  • Eventing.
  • Logging.
  • Settings.

Thanks to

Last edited Aug 18, 2014 at 4:04 AM by jingwu, version 24