HoShiMin/Kernel-Bridge HoShiMin/Kernel-Bridge

  • Stars
    star
    1,655
  • Rank 28,254 (Top 0.6 %)
  • Language
    C++
  • License
    GNU General Publi...
  • Created over 6 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
HoShiMin/Kernel-Bridge
github

HoShiMin

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Windows kernel hacking framework, driver template, hypervisor and API written on C++

The Kernel-Bridge Framework

The "Kernel-Bridge" project is a C++20-ready Windows kernel driver template, development framework and kernel-mode API and wrappers.

Precompiled and signed binaries with the SecureBoot support
Delphi bindings

Capabilities:

  • Hypervisor (both Intel VT-x/EPT and AMD-V/RVI) with the Hyper-V support
  • Extremely fast hypervisor-based memory interceptions and hiding (+ support of Write-only pages), VT-x only
  • Support of HookLib and Zydis
  • IO-ports (+ 'in/out/cli/sti' usermode forwarding by IOPL)
  • System beeper
  • MSRs, CPUID, TSC and performance counters (RDPMC)
  • DMI/SMBIOS memory reading
  • Physical memory (allocations, RW, mappings)
  • Kernel memory management (allocations, mappings, transitions)
  • Usermode memory management (allocations in processes etc.)
  • Direct UM->KM and KM->UM memory transitions
  • Direct PTE-based memory management
  • Direct MDL management
  • Obtaining processes/threads handles from kernel
  • Reading and writing memory of another processes
  • Suspending/resuming/termination processes
  • Creating kernel and usermode threads
  • Memory mappings between usermode and kernel
  • Remote code execution (APCs delivery)
  • Execution of custom usermode shellcodes
  • Unsigned drivers mapping
  • Processes, threads, handles and modules usermode callbacks (ObRegisterCallbacks & PsSet***NotifyRoutine)
  • Minifilter with usermode callbacks
  • PDB parsing
  • Signatures and patterns scanning
  • Sections management (to map \\Device\PhysicalMemory and more)
  • Python binding

In development and plans:

  • Qt-based GUI for the kernel-hacking and memory researching framework
  • Kernel WinSock support
  • Extensions for the RTL: hooks, injections, disassembling
  • Kernel loadable modules with SEH support

Driver template has full support of C++ static and global initializers and all of C++20 features (without C++ exceptions). All of API modules are easy-to-use and have no external dependiencies, so you can include them to your own C++ drivers. All of API functions are grouped into a logical categories into namespaces, so you can quickly find all functions you want.

💦 Driver template has:

  • Support of METHOD_BUFFERED, METHOD_IN/OUT_DIRECT and METHOD_NEITHER
  • Minifilter loading and filtering routines templates
  • SAL-annotations and self-documented API
  • Ready-to-use IOCTLs handling routine
  • Out-of-box STL support
  • Static Driver Verifier tests passing

💨 Building and using:

Download Microsoft Visual Studio Community and Windows Driver Kit.
For driver testing use VMware Player.
For load an unsigned drivers you should to enable Test-mode of Windows and disable signs checkings:

- Disable signatures checkings (allow to install unsigned drivers):
bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit.exe /set TESTSIGNING ON

- Enable signatures checkings (deny to install unsigned drivers):
bcdedit.exe /set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit.exe /set TESTSIGNING OFF

- Enable support of kernel debugger (WinDbg and Kernel Debugger from WDK):
bcdedit.exe /debug on   -  enable support of kernel debugging
bcdedit.exe /debug off  -  disable it

Communication with usermode apps:

For communication with usermode you should use "User-Bridge" wrappers as standalone *.cpp/*.h modules or as *.dll.
All required headers are WdkTypes.h, CtlTypes.h and User-Bridge.h. For using an extended features like minifilter callbacks, you should also use FltTypes.h, CommPort.h and Flt-Bridge.h. Some of ready-to-use RTL-functions (like an unsigned drivers mapping) you can find in Rtl-Bridge.h.

Files hierarchy:

/User-Bridge/API/ - usermode API and wrappers for all functions of KB
/Kernel-Bridge/API/ - standalone kernel API for using in C++ drivers
/Kernel-Bridge/Kernel-Bridge/ - driver template files
/SharedTypes/ - shared types headers required for UM and KM modules
/CommonTypes/ - common user- and kernelmode headers and types
/Python-Bridge/ - Python binding
/Kernel-Tests/ - unit-tests for UM and KM modules and common functions

Example (using of KbReadProcessMemory):

#include <Windows.h>

#include "WdkTypes.h"
#include "CtlTypes.h"
#include "User-Bridge.h"

using namespace Processes::MemoryManagement;

...

// Loading as minifilter (it allows to use extended features):
KbLoader::KbLoadAsFilter(L"N:\\Folder\\Kernel-Bridge.sys", L"260000");

constexpr int Size = 64;
UCHAR Buffer[Size] = {};
 
BOOL Status = KbReadProcessMemory(
    ProcessId,
    0x7FFF0000, // Desired address in context of ProcessId
    &Buffer,
    Size
);

KbLoader::KbUnload();

More Repositories

1

HookLib

The functions interception library written on pure C and NativeAPI with UserMode and KernelMode support
C
714
star
2

formatPE

A bunch of parsers for PE and PDB formats in C++
C++
220
star
3

Sig

The most powerful and customizable binary pattern scanner
C++
202
star
4

Avanguard

The Win32 Anti-Intrusion Library
C++
200
star
5

EnjoyTheRing0

Шаблон полнофункционального драйвера и обёртки над ядерным API
C
109
star
6

Arch

A bunch of architectural headers for i386 and AMD64
C++
33
star
7

AriadnaProject

🧶 The Win32 usermode threading library with UMS/fibers/threads support
C++
29
star
8

BeeSynth

The frequency-perfect synthesizer for a PC-speaker
Rust
14
star
9

VU-meter

Just a volume visualization on a keyboard
C++
7
star