{"id":16714117,"url":"https://github.com/therealdreg/masm32-kernel-programming","last_synced_at":"2025-10-09T14:34:28.214Z","repository":{"id":182903451,"uuid":"669298965","full_name":"therealdreg/masm32-kernel-programming","owner":"therealdreg","description":"masm32 kernel programming, drivers, tutorials, examples, and tools (credits Four-F)","archived":false,"fork":false,"pushed_at":"2023-08-11T06:18:58.000Z","size":13847,"stargazers_count":119,"open_issues_count":0,"forks_count":14,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-02T02:12:18.225Z","etag":null,"topics":["assembly-x86","driver-programming","drivers","kernel","kernel-programming","masm32","windows-kernel"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2023-07-21T21:16:44.000Z","updated_at":"2025-03-09T20:26:21.000Z","dependencies_parsed_at":"2024-10-27T11:51:06.540Z","dependency_job_id":"7636dffd-9ef5-4025-918e-1d1c8bc1e73e","html_url":"https://github.com/therealdreg/masm32-kernel-programming","commit_stats":null,"previous_names":["therealdreg/masm32-kernel-programming"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/therealdreg/masm32-kernel-programming","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/therealdreg%2Fmasm32-kernel-programming","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fmasm32-kernel-programming/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fmasm32-kernel-programming/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fmasm32-kernel-programming/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/masm32-kernel-programming/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fmasm32-kernel-programming/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279001526,"owners_count":26083119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assembly-x86","driver-programming","drivers","kernel","kernel-programming","masm32","windows-kernel"],"created_at":"2024-10-12T20:49:26.004Z","updated_at":"2025-10-09T14:34:28.198Z","avatar_url":"https://github.com/therealdreg.png","language":"Assembly","readme":"# masm32-kernel-programming\n\nDreg's repo for his own needs\n\nmasm32 kernel programming, drivers, tutorials, examples, and tools (credits Four-F)\n\n# 
Instructions\n\n- download/clone this repo\n- run masm32v11r_install.exe\n- click on install image (earth)\n- install masm32 in C:\\\n- I recommend adding the following entries to the PATH environment variable:\n  - C:\\masm32\\bin\n  - C:\\masm32\n- copy KmdKit18\\include\\ content to C:\\masm32\\include\\\n- copy KmdKit18\\macros\\ content to C:\\masm32\\macros\\\n- copy KmdKit18\\lib\\ content to C:\\masm32\\lib\\\n\n# Basic example\n\n- copy beeper.asm to C:\\\n- copy beeper.bat to C:\\\n- run beeper.bat\n\nAt this point a .sys file has been created in C:\\\n\n# How to load/unload a driver \n\n## w2k_load.exe - best way\n\nload driver:\n- w2k_load.exe C:\\beeper.sys\n\nw2k_load.exe or osrloader.exe reports an error when loading beeper.sys; just ignore it.\n\nThe driver code itself generates this error when it finishes executing, by returning a failure status (with this trick you don't need to unload it)\n```\nmov eax, STATUS_DEVICE_CONFIGURATION_ERROR\nret\n```\n\nSo, if beep.sys is correctly loaded in the kernel, you should hear a beep from your speakers (the driver code generates a beep)\n\nWhen you need to unload a driver, use:\n- w2k_load.exe PATH_SYS_FILE /unload\n\nI modified w2k_load.exe by Sven B. Schreiber to work on Windows 2000 through Windows 10 (manifest...)\n\n## osrloader\n\nunzip osrloaderv30.zip and use this GUI program:\n- Select a .sys file (driver path)\n- Register service \n- Start service\n\n## How to view debug msg without windbg\n\nFor **older Windows** versions, just use DbgView.exe attached in this repo. 
Btw, I modified it (manifest...)\n\nFor modern Windows, use the latest dbgview.exe from the Sysinternals web site, and check these for troubleshooting:\n\n- https://stackoverflow.com/questions/12494300/no-output-from-debugview\n- http://msdn.microsoft.com/en-us/library/windows/hardware/ff551519(v=vs.85).aspx\n- https://learn.microsoft.com/en-us/sysinternals/downloads/debugview\n\n# Next steps\n\nRead the .pdf files in this repo and look at the examples in the [KmdKit18/examples](KmdKit18/examples) directory\n\n**WARNING**: ALL ASM source code is inside .bat files (batch + asm code mixed in the same file)\n\nExample with advanced\\FindShadowTable\\FindShadowTable.bat\n```\n;@echo off\n;goto make\n\nASM DRIVER CODE GOES HERE\n\n:make\nset drv=FindShadowTable\n\\masm32\\bin\\ml /nologo /c /coff %drv%.bat\n\\masm32\\bin\\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj\ndel %drv%.obj\necho.\npause\n```\n\nThis file contains the BATCH code that generates the .sys and also contains the driver source code itself.\nSo, yes, very tricky: the build script and the source code are together\n\n## advanced/FindShadowTable\n[advanced/FindShadowTable](KmdKit18/examples/advanced/FindShadowTable)\n\nThis is an example how to find ServiceDescriptorTableShadow.\n\nIt just scans threads with IDs 80h-400h, trying to find a thread whose KTHREAD.ServiceTable is not equal to KeServiceDescriptorTable. 
If such a thread is found, its KTHREAD.ServiceTable holds the ServiceDescriptorTableShadow address.\n\nWatch driver's debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## advanced/KbdSpy\n\n[advanced/KbdSpy](KmdKit18/examples/advanced/KbdSpy)\n\nThis is an example of a simple legacy (non PnP) PS/2-keyboard filter driver.\nWARNING: You will fail to attach it to USB-keyboard stack.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## advanced/MouSpy\n\n[advanced/MouSpy](KmdKit18/examples/advanced/MouSpy)\n\nFour-F, four-f@mail.ru\n\nThese macro files are from my package cocomac.\n\nThis is an example of a simple legacy (non PnP) PS/2-mouse filter driver.\nWARNING: You will fail to attach it to USB-mouse stack.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## advanced/SecureDevices\n\n[advanced/SecureDevices](KmdKit18/examples/advanced/SecureDevices)\n\nThis is an example how to apply particular security settings\nto named device object by calling IoCreateDeviceSecure instead of\nIoCreateDevice.\n\nSince IoCreateDeviceSecure routine is not a part of the operating system,\nwe link wdmsec.lib, which contains all needed routines.\n\nThe wdmsec.lib library you will find here is not one shipped with the DDK.\nI had to rebuild it to reduce its size, removing not needed members.\n\n## basic/FileWorks\n\n[basic/FileWorks](KmdKit18/examples/basic/FileWorks)\n\nThis is an example how to create, write to, read from and delete the file.\n\nUse KmdManager to register/unregister and start it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/HiddenDriver\n\n[basic/HiddenDriver](KmdKit18/examples/basic/HiddenDriver)\n\nThis is an example how to pack the driver into resources.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## 
basic/IsSafeBootMode\n\n[basic/IsSafeBootMode](KmdKit18/examples/basic/IsSafeBootMode)\n\nThe way you know whether the system is running in safe mode or not.\n\nUse KmdManager to register/unregister and start it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/MemoryWorks/LookasideList\n\n[basic/MemoryWorks/LookasideList](KmdKit18/examples/basic/MemoryWorks/LookasideList)\n\nThis is an example how to use lookaside list and doubly linked list\nto manage the memory blocks allocated from lookaside list.\n\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/MemoryWorks/seh\n\n[basic/MemoryWorks/seh](KmdKit18/examples/basic/MemoryWorks/seh)\n\nThis is an example how to handle exceptions with SEH. But remember.\nYOU CAN'T HANDLE ALL EXCEPTIONS WITH SEH IN KERNEL MODE !\n\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/MemoryWorks/SharedSection\n\n[basic/MemoryWorks/SharedSection](KmdKit18/examples/basic/MemoryWorks/SharedSection)\n\nThis is an example how to use named section object to share memory\nbetween user mode process and kernel mode driver.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/MemoryWorks/SharingMemory\n\n[basic/MemoryWorks/SharingMemory](KmdKit18/examples/basic/MemoryWorks/SharingMemory)\n\nThis is an example of one possible way to share\nthe memory buffer between user and kernel mode.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/MemoryWorks/SystemModules\n\n[basic/MemoryWorks/SystemModules](KmdKit18/examples/basic/MemoryWorks/SystemModules)\n\nThis is an example how to allocate memory in kernel mode.\nTo not allocate it useless 
we fill it with some system info.\n\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/RegistryWorks\n\n[basic/RegistryWorks](KmdKit18/examples/basic/RegistryWorks)\n\nThis is an example how to create, set, read and delete the registry key.\nUse KmdManager to register/unregister and start it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/Sections\n\n[basic/Sections](KmdKit18/examples/basic/Sections)\n\nThis is an example how to put code in different PE-sections.\n\n## basic/Synchronization/MutualExclusion\n\n[basic/Synchronization/MutualExclusion](KmdKit18/examples/basic/Synchronization/MutualExclusion)\n\nThis is an example how to implement mutual exclusive access to the resource.\n\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\n## basic/Synchronization/SharedEvent - ProcessMon\n\n[basic/Synchronization/SharedEvent - ProcessMon](KmdKit18/examples/basic/Synchronization/SharedEvent - ProcessMon)\n\nThis is an example how to notify the user mode about some sort of event has happened.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/Synchronization/TimerWorks\n\n[basic/Synchronization/TimerWorks](KmdKit18/examples/basic/Synchronization/TimerWorks)\n\nThis is an example how to create, set, wait for and cancel the timer.\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested under: Windows 2000, XP and Server 2003.\n\n## basic/WorkItem\n\n[basic/WorkItem](KmdKit18/examples/basic/WorkItem)\n\nWorkItem Example\n\n## nodriver/DiskGeometry\n\n[nodriver/DiskGeometry](KmdKit18/examples/nodriver/DiskGeometry)\n\nIn this example we deal 
with existing disk device.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/DriveLayout\n\n[nodriver/DriveLayout](KmdKit18/examples/nodriver/DriveLayout)\n\nProvides information about features of each disk partition.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/FloppyGeometry\n\n[nodriver/FloppyGeometry](KmdKit18/examples/nodriver/FloppyGeometry)\n\nIn this example we deal with existing disk device.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/KbdGarland\n\n[nodriver/KbdGarland](KmdKit18/examples/nodriver/KbdGarland)\n\nIn this example we deal with existing keyboard device.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/KbdTypematic\n\n[nodriver/KbdTypematic](KmdKit18/examples/nodriver/KbdTypematic)\n\nIn this example we deal with existing keyboard device.\nThis example offers some of the standard Control Panel -\u003e Keyboard applet functionality.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/MbrDump\n\n[nodriver/MbrDump](KmdKit18/examples/nodriver/MbrDump)\n\nReading the MBR from user mode is the easiest thing to do\nif you know what device to read from.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## nodriver/SerialBaudRate\n\n[nodriver/SerialBaudRate](KmdKit18/examples/nodriver/SerialBaudRate)\n\nIn this example we deal with existing serial device.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## setup/EnumDisk\n\n[setup/EnumDisk](KmdKit18/examples/setup/EnumDisk)\n\nThis is an example how to use some of the setup device functions.\nEnumerates all available disk devices and gets the device property.\nRun it from command line.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/Beeper\n\n[simple/Beeper](KmdKit18/examples/simple/Beeper)\n\nHow to beep with system speaker.\n\nTested on: Windows NT4.0+sp6, 2000, XP \u0026 Server 2003\n\n## simple/DateTime\n\n[simple/DateTime](KmdKit18/examples/simple/DateTime)\n\nGives direct port I/O access to a user mode 
process\nBased on Dale Roberts' article and c-source code.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/GetKernelBase\n\n[simple/GetKernelBase](KmdKit18/examples/simple/GetKernelBase)\n\nThis is an example how to find the base of ntoskrnl.exe.\n\nUse KmdManager to register/unregister and start/stop it.\nWatch its debug output with the DbgView (www.sysinternals.com) or use SoftICE.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/NtBuild\n\n[simple/NtBuild](KmdKit18/examples/simple/NtBuild)\n\nDemonstrates driver communication with ReadFile,\nusing neither method. And how to use SEH in ring0.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/Simplest\n\n[simple/Simplest](KmdKit18/examples/simple/Simplest)\n\nSimplest possible Kernel-Mode Driver that does absolutely nothing.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/Skeleton\n\n[simple/Skeleton](KmdKit18/examples/simple/Skeleton)\n\nThe skeleton code for a Windows NT Kernel-Mode Device Driver.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/VirtToPhys\n\n[simple/VirtToPhys](KmdKit18/examples/simple/VirtToPhys)\n\nDemonstrates driver communication with DeviceIoControl,\nusing buffered method. 
And how to translate virtual addresses.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## simple/WhichIrqlAndContext\n\n[simple/WhichIrqlAndContext](KmdKit18/examples/simple/WhichIrqlAndContext)\n\nThis example let you know the IRQL and Process/Thread context\nat which the main driver's routines are running.\nUse DebugView (www.sysinternals.com) to watch its output.\n\nTested on: Windows 2000, XP \u0026 Server 2003\n\n## Related\n\n- https://masm32.com/board/index.php?topic=4452.0\n- http://www.masm32.com/website/kmdtute/index.html\n- https://www.asmcommunity.net/forums/topic/10872/2.html\n- http://four-f.narod.ru/\n- https://empyreal96.github.io/nt-info-depot/WinDDK.html\n\n# More info to learn\n\n- https://github.com/therealdreg/x86osdev\n\n- Windows Driver Kit (WDK) Version 7.1.0 docs: https://www.microsoft.com/en-us/download/details.aspx?id=11800\n\n- WDK docs: https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk \n\n- Intel 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4\n\n- Windows 2003 source code leak, WRK, CRK ...\n\n- Undocumented Windows NT book by Prasad Dabak, Sandeep Phadke \u0026 Milind Borate\n\n- Windows Kernel Programming book by Pavel Yosifovich\n\n- Windows Internals books by Mark Russinovich, David A. 
Solomon \u0026 others\n\n- (book) The Rootkit Arsenal 2nd by Bill Blunden\n\n- (book) What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager by Enrico Martignetti\n\n- (book) Subverting the Windows Kernel\n\n- (book) Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats\n\n- osdev (community for those people interested in OS development)\n\n- random github/gist, OSR, phrack, uninformed, openrce, kernelmode, rootkit.com, arteam...\n\n# People to follow\n\n- https://github.com/hfiref0x\n- https://github.com/rwfpl\n- https://github.com/deroko\n- https://github.com/Fyyre\n- https://github.com/Cr4sh\n- https://twitter.com/zwclose\n- https://twitter.com/yarden_shafir\n- https://twitter.com/markrussinovich\n- https://twitter.com/aionescu\n- https://twitter.com/zodiacon\n- https://github.com/TheEnergyStory\n- https://twitter.com/msuiche\n- https://twitter.com/therealdreg\n- https://twitter.com/0vercl0k\n- https://twitter.com/Ivanlef0u\n- https://twitter.com/mrexodia\n- https://twitter.com/reversemode\n- https://twitter.com/standa_t\n- https://twitter.com/richinseattle\n- https://twitter.com/gynvael\n- https://twitter.com/j00ru\n- https://twitter.com/Xylit0l\n","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fmasm32-kernel-programming","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fmasm32-kernel-programming","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fmasm32-kernel-programming/lists"}