https://github.com/hoshimin/kernel-bridge

Windows kernel hacking framework, driver template, hypervisor and API written on C++
https://github.com/hoshimin/kernel-bridge

Last synced: about 1 month ago
JSON representation

Windows kernel hacking framework, driver template, hypervisor and API written on C++

• Host: GitHub
• URL: https://github.com/hoshimin/kernel-bridge
• Owner: HoShiMin
• License: gpl-3.0
• Created: 2018-08-15T21:00:42.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2023-11-12T10:48:04.000Z (almost 1 year ago)
• Last Synced: 2024-10-09T16:22:51.104Z (about 1 month ago)
• Language: C++
• Homepage:
• Size: 593 KB
• Stars: 1,670
• Watchers: 85
• Forks: 385
• Open Issues: 17
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

README

        
# The Kernel-Bridge Framework

The "Kernel-Bridge" project is a C++20-ready Windows kernel driver template, development framework and

kernel-mode API and wrappers.  

  

[Precompiled and signed binaries with the SecureBoot support](https://github.com/HoShiMin/Kernel-Bridge/releases)  

[Delphi bindings](https://github.com/diversenok/Kernel-Bridge-Delphi-Connector)

  

### ✔ Capabilities:

* Hypervisor (both Intel VT-x/EPT and AMD-V/RVI) with the Hyper-V support

* Extremely fast hypervisor-based memory interceptions and hiding (+ support of Write-only pages), VT-x only

* Support of [HookLib](https://github.com/HoShiMin/HookLib) and [Zydis](https://github.com/zyantific/zydis)

* IO-ports (+ 'in/out/cli/sti' usermode forwarding by IOPL)

* System beeper

* MSRs, CPUID, TSC and performance counters (RDPMC)

* DMI/SMBIOS memory reading

* Physical memory (allocations, RW, mappings)

* Kernel memory management (allocations, mappings, transitions)

* Usermode memory management (allocations in processes etc.)

* Direct UM->KM and KM->UM memory transitions

* Direct PTE-based memory management

* Direct MDL management

* Obtaining processes/threads handles from kernel

* Reading and writing memory of another processes

* Suspending/resuming/termination processes

* Creating kernel and usermode threads

* Memory mappings between usermode and kernel

* Remote code execution (APCs delivery)

* Execution of custom usermode shellcodes

* Unsigned drivers mapping

* Processes, threads, handles and modules usermode callbacks (`ObRegisterCallbacks` & `PsSet***NotifyRoutine`)

* Minifilter with usermode callbacks

* PDB parsing

* Signatures and patterns scanning

* Sections management (to map `\\Device\PhysicalMemory` and more)

* Python binding

  

### ➰ In development and plans:

* Qt-based GUI for the kernel-hacking and memory researching framework

* Kernel WinSock support

* Extensions for the RTL: hooks, injections, disassembling

* Kernel loadable modules with SEH support

  

Driver template has full support of C++ static and global initializers and all of C++20 features (without C++ exceptions). All of API modules are easy-to-use and have no external dependiencies, so you can include them to your own C++ drivers. All of API functions are grouped into a logical categories into namespaces, so you can quickly find all functions you want.

  

### 💦 Driver template has:

* Support of METHOD_BUFFERED, METHOD_IN/OUT_DIRECT and METHOD_NEITHER

* Minifilter loading and filtering routines templates

* SAL-annotations and self-documented API

* Ready-to-use IOCTLs handling routine

* Out-of-box STL support

* Static Driver Verifier tests passing

  

### 💨 Building and using:  

Download [Microsoft Visual Studio Community](https://visualstudio.microsoft.com/downloads/) and [Windows Driver Kit](https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk).  

For driver testing use [VMware Player](https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/14_0).  

For load an unsigned drivers you should to enable Test-mode of Windows and disable signs checkings:

```

- Disable signatures checkings (allow to install unsigned drivers):

bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS

bcdedit.exe /set TESTSIGNING ON

- Enable signatures checkings (deny to install unsigned drivers):

bcdedit.exe /set loadoptions ENABLE_INTEGRITY_CHECKS

bcdedit.exe /set TESTSIGNING OFF

- Enable support of kernel debugger (WinDbg and Kernel Debugger from WDK):

bcdedit.exe /debug on   -  enable support of kernel debugging

bcdedit.exe /debug off  -  disable it

```

  

#### Communication with usermode apps:  

For communication with usermode you should use "User-Bridge" wrappers as standalone \*.cpp/\*.h modules or as \*.dll.  

All required headers are `WdkTypes.h`, `CtlTypes.h` and `User-Bridge.h`. For using an extended features like minifilter callbacks, you should also use `FltTypes.h`, `CommPort.h` and `Flt-Bridge.h`. Some of ready-to-use RTL-functions (like an unsigned drivers mapping) you can find in `Rtl-Bridge.h`.

  

#### Files hierarchy:

`/User-Bridge/API/` - usermode API and wrappers for all functions of KB  

`/Kernel-Bridge/API/` - standalone kernel API for using in C++ drivers  

`/Kernel-Bridge/Kernel-Bridge/` - driver template files  

`/SharedTypes/` - shared types headers required for UM and KM modules  

`/CommonTypes/` - common user- and kernelmode headers and types  

`/Python-Bridge/` - Python binding  

`/Kernel-Tests/` - unit-tests for UM and KM modules and common functions  

  

#### Example (using of KbReadProcessMemory):

```cpp

#include 

#include "WdkTypes.h"

#include "CtlTypes.h"

#include "User-Bridge.h"

using namespace Processes::MemoryManagement;

...

// Loading as minifilter (it allows to use extended features):

KbLoader::KbLoadAsFilter(L"N:\\Folder\\Kernel-Bridge.sys", L"260000");

constexpr int Size = 64;

UCHAR Buffer[Size] = {};

 

BOOL Status = KbReadProcessMemory(

    ProcessId,

    0x7FFF0000, // Desired address in context of ProcessId

    &Buffer,

    Size

);

KbLoader::KbUnload();

```