ntwarden-windows-analysis-toolkit

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

NtWarden Windows Analysis and Research Toolkit

NtWarden Windows分析与研究工具包

Skill by ara.so — Daily 2026 Skills collection.

NtWarden is a Windows system inspection tool built on ImGui + DirectX 11. It covers processes, services, network, kernel internals, ETW, registry, object manager, and more — locally or remotely via WinSysServer. A kernel driver (KWinSys) enables deep kernel-mode analysis including SSDT hooks, kernel callbacks, EPT hook detection, and driver integrity checks.

由ara.so提供的技能——2026每日技能合集。

NtWarden是基于ImGui + DirectX 11构建的Windows系统检查工具。它支持对进程、服务、网络、内核内部、ETW、注册表、对象管理器等进行本地或远程（通过WinSysServer）检查。内核驱动KWinSys可实现深度内核模式分析，包括SSDT钩子、内核回调、EPT钩子检测以及驱动完整性校验。

Architecture

架构

Component	Role
NtWarden	GUI app (ImGui + DirectX 11)
WinSys	Static lib — process, service, network enumeration
KWinSys	Kernel driver — callbacks, SSDT, kernel modules, pool, etc.
WinSysServer	Headless TCP server for remote inspection

组件	作用
NtWarden	GUI应用（ImGui + DirectX 11）
WinSys	静态库——进程、服务、网络枚举
KWinSys	内核驱动——回调、SSDT、内核模块、内存池等
WinSysServer	用于远程检查的无界面TCP服务器

Build Requirements

构建要求

Visual Studio 2022
Windows SDK 10.0.26100.0+
WDK (Windows Driver Kit) — required only for KWinSys kernel driver

Visual Studio 2022
Windows SDK 10.0.26100.0+
WDK（Windows Driver Kit）——仅构建KWinSys内核驱动时需要

Building

构建步骤

powershell

undefined

powershell

undefined

Open solution in Visual Studio 2022

在Visual Studio 2022中打开解决方案

Select Release | x64

选择Release | x64

Build All

全部构建

Output lands in:

输出文件路径：

x64/Release/NtWarden.exe x64/Release/WinSysServer.exe x64/Release/KWinSys/KWinSys.sys


Solution structure:

NtWarden.sln ├── NtWarden/ # GUI application ├── WinSys/ # Core static library ├── KWinSys/ # Kernel driver (.sys) └── WinSysServer/ # Remote TCP server

---

x64/Release/NtWarden.exe x64/Release/WinSysServer.exe x64/Release/KWinSys/KWinSys.sys


解决方案结构：

NtWarden.sln ├── NtWarden/ # GUI应用 ├── WinSys/ # 核心静态库 ├── KWinSys/ # 内核驱动（.sys） └── WinSysServer/ # 远程TCP服务器

---

Running NtWarden

运行NtWarden

Always run as Administrator for full functionality.

powershell

undefined

请始终以管理员身份运行以获取完整功能。

powershell

undefined

Run elevated

以管理员权限启动

Start-Process NtWarden.exe -Verb RunAs


User-mode features (processes, services, network, ETW, registry, object manager) work without the driver.

---

Start-Process NtWarden.exe -Verb RunAs


无需驱动即可使用用户态功能（进程、服务、网络、ETW、注册表、对象管理器）。

---

Kernel Driver Setup (KWinSys)

内核驱动设置（KWinSys）

⚠️ Use only in a test VM. Enable test signing before installing.

powershell

undefined

⚠️ 仅在测试虚拟机中使用。安装前需启用测试签名。

powershell

undefined

Enable test signing (requires reboot)

启用测试签名（需要重启）

bcdedit /set testsigning on

On VMs, may also need:

在虚拟机中，可能还需要：

bcdedit /set nointegritychecks on

Reboot, then run NtWarden as Administrator.

重启后，以管理员身份运行NtWarden。

Switching to the Kernel Mode tab auto-installs and starts KWinSys.

切换到Kernel Mode标签页会自动安装并启动KWinSys。


Manual driver management:
```powershell


手动管理驱动：
```powershell

Install manually

手动安装

sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys" sc start KWinSys

Stop and remove

停止并卸载

sc stop KWinSys sc delete KWinSys


The NtWarden GUI also exposes driver management under the **Driver** menu.

---

sc stop KWinSys sc delete KWinSys


NtWarden的GUI界面也在**Driver**菜单下提供了驱动管理功能。

---

Remote Inspection (WinSysServer)

远程检查（WinSysServer）

Deploy to a target machine (typically a VM) and connect from NtWarden.

将文件部署到目标机器（通常是虚拟机），然后从NtWarden连接。

Files to copy to target

需要复制到目标机器的文件

File	Source Path	Purpose
`WinSysServer.exe`	`x64/Release/WinSysServer.exe`	Always required
`KWinSys.sys`	`x64/Release/KWinSys/KWinSys.sys`	Kernel features only

文件	源路径	用途
`WinSysServer.exe`	`x64/Release/WinSysServer.exe`	始终需要
`KWinSys.sys`	`x64/Release/KWinSys/KWinSys.sys`	仅使用内核功能时需要

Starting the server (on target, elevated)

在目标机器上启动服务器（管理员权限）

powershell

undefined

powershell

undefined

Auto-install driver + start server on default port 50002

自动安装驱动并在默认端口50002启动服务器

WinSysServer.exe --install

Custom port

使用自定义端口

WinSysServer.exe --install --port 9000

If driver already installed manually:

如果已手动安装驱动：

WinSysServer.exe WinSysServer.exe --port 9000

undefined

WinSysServer.exe WinSysServer.exe --port 9000

undefined

Connecting from NtWarden (on host)

在主机上从NtWarden连接

Launch NtWarden
Go to Remote menu
Enter target IP and port (default:
```
50002
```
)
Click Connect

启动NtWarden
进入Remote菜单
输入目标IP和端口（默认：
```
50002
```
）
点击Connect

Protocol notes

协议说明

Custom binary protocol over TCP
12-byte header:
```
MessageType
```
,
```
DataSize
```
,
```
Status
```
No authentication — use only in isolated lab/VM environments
User-mode data (processes, services, network) works without KWinSys on target
Kernel tabs require KWinSys loaded on the remote target

基于TCP的自定义二进制协议
12字节头部：
```
MessageType
```
,
```
DataSize
```
,
```
Status
```
无身份验证——仅在隔离的实验室/虚拟机环境中使用
无需在目标机器上安装KWinSys即可使用用户态数据（进程、服务、网络）
内核标签页需要在远程目标机器上加载KWinSys

WinSys Static Library — Key Usage Patterns

WinSys静态库——核心使用模式

WinSys is the core library consumed by both NtWarden and WinSysServer. Example integration patterns in C++:

WinSys是NtWarden和WinSysServer都依赖的核心库。以下是C++中的集成示例：

Process Enumeration

进程枚举

cpp

#include "WinSys/ProcessManager.h"

// Enumerate all processes (user mode)
auto& pm = WinSys::ProcessManager::Get();
pm.Update();  // Refresh snapshot

for (auto& proc : pm.GetProcesses()) {
    printf("PID: %5u  Name: %s\n",
        proc->Id,
        proc->GetImageName().c_str());
}

cpp

#include "WinSys/ProcessManager.h"

// 枚举所有进程（用户态）
auto& pm = WinSys::ProcessManager::Get();
pm.Update();  // 刷新快照

for (auto& proc : pm.GetProcesses()) {
    printf("PID: %5u  名称: %s\n",
        proc->Id,
        proc->GetImageName().c_str());
}

Service Enumeration

服务枚举

cpp

#include "WinSys/ServiceManager.h"

WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();

for (auto& svc : services) {
    printf("Service: %-40s  State: %u  StartType: %u\n",
        svc.GetName().c_str(),
        svc.Status.dwCurrentState,
        svc.Config.dwStartType);
}

cpp

#include "WinSys/ServiceManager.h"

WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();

for (auto& svc : services) {
    printf("服务: %-40s  状态: %u  启动类型: %u\n",
        svc.GetName().c_str(),
        svc.Status.dwCurrentState,
        svc.Config.dwStartType);
}

Network Connections

网络连接

cpp

#include "WinSys/NetworkManager.h"

WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();

for (auto& conn : conns) {
    printf("PID: %u  Local: %s:%u  Remote: %s:%u  State: %u\n",
        conn.ProcessId,
        conn.LocalAddress.c_str(), conn.LocalPort,
        conn.RemoteAddress.c_str(), conn.RemotePort,
        conn.State);
}

cpp

#include "WinSys/NetworkManager.h"

WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();

for (auto& conn : conns) {
    printf("PID: %u  本地: %s:%u  远程: %s:%u  状态: %u\n",
        conn.ProcessId,
        conn.LocalAddress.c_str(), conn.LocalPort,
        conn.RemoteAddress.c_str(), conn.RemotePort,
        conn.State);
}

Communicating with KWinSys Driver (IOCTL)

与KWinSys驱动通信（IOCTL）

cpp

#include "WinSys/KernelInterface.h"

// Open handle to driver device
WinSys::KernelInterface ki;
if (!ki.Open()) {
    fprintf(stderr, "Failed to open KWinSys device. Is driver loaded?\n");
    return;
}

// Enumerate kernel modules
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
    printf("Base: %p  Size: 0x%X  Path: %s\n",
        mod.Base, mod.Size, mod.FullPath.c_str());
}

// Read kernel callbacks
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
    printf("Callback: %p  Module: %s  Suspicious: %d\n",
        cb.Address,
        cb.OwnerModule.c_str(),
        cb.IsSuspicious ? 1 : 0);
}

cpp

#include "WinSys/KernelInterface.h"

// 打开驱动设备句柄
WinSys::KernelInterface ki;
if (!ki.Open()) {
    fprintf(stderr, "无法打开KWinSys设备。驱动是否已加载？\n");
    return;
}

// 枚举内核模块
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
    printf("基地址: %p  大小: 0x%X  路径: %s\n",
        mod.Base, mod.Size, mod.FullPath.c_str());
}

// 读取内核回调
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
    printf("回调: %p  模块: %s  可疑: %d\n",
        cb.Address,
        cb.OwnerModule.c_str(),
        cb.IsSuspicious ? 1 : 0);
}

Per-Process Security Analysis (Analyze Process)

进程安全分析（Analyze Process）

Accessible via right-click > Analyze Process in the GUI, or programmatically:

cpp

#include "WinSys/ProcessAnalyzer.h"

DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);

auto result = analyzer.Analyze();

// Unbacked executable memory (shellcode indicator)
for (auto& region : result.UnbackedRegions) {
    printf("Unbacked RX region: base=%p size=0x%zX\n",
        region.Base, region.Size);
}

// Hollowing detection
if (result.HollowingDetected) {
    printf("Hollowing: PEB ImageBase=%p vs PE Header ImageBase=%p\n",
        result.PebImageBase, result.PeHeaderImageBase);
}

// Direct syscalls outside ntdll
for (auto& sc : result.DirectSyscalls) {
    printf("Direct syscall at: %p in module: %s\n",
        sc.Address, sc.ModuleName.c_str());
}

// Inline user hooks
for (auto& hook : result.UserHooks) {
    printf("Hook in %s!%s at %p -> %p\n",
        hook.Module.c_str(),
        hook.Function.c_str(),
        hook.Address,
        hook.Target);
}

// Token info
printf("Elevated: %d  IntegrityLevel: %u\n",
    result.Token.IsElevated,
    result.Token.IntegrityLevel);

可通过GUI右键菜单>Analyze Process访问，或通过代码实现：

cpp

#include "WinSys/ProcessAnalyzer.h"

DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);

auto result = analyzer.Analyze();

// 无后备可执行内存（Shellcode标识）
for (auto& region : result.UnbackedRegions) {
    printf("无后备RX区域: 基地址=%p 大小=0x%zX\n",
        region.Base, region.Size);
}

// 进程注入检测
if (result.HollowingDetected) {
    printf("进程注入: PEB镜像基地址=%p vs PE头镜像基地址=%p\n",
        result.PebImageBase, result.PeHeaderImageBase);
}

// ntdll外的直接系统调用
for (auto& sc : result.DirectSyscalls) {
    printf("直接系统调用地址: %p 模块: %s\n",
        sc.Address, sc.ModuleName.c_str());
}

// 用户态内联钩子
for (auto& hook : result.UserHooks) {
    printf("钩子位于 %s!%s 地址 %p -> %p\n",
        hook.Module.c_str(),
        hook.Function.c_str(),
        hook.Address,
        hook.Target);
}

// 令牌信息
printf("已提权: %d  完整性级别: %u\n",
    result.Token.IsElevated,
    result.Token.IntegrityLevel);
}

Key Features by Tab

各标签页核心功能

User Mode (no driver)

用户态（无需驱动）

Tab	Capability
Processes	Tree view, handles, threads, memory regions, modules
Performance	CPU/RAM/GPU/network graphs, overlay mode
Services	Status, start type, binary path
Network > Connections	TCP/UDP with owning PID
Network > Root Certificates	Subject, issuer, thumbprint
Network > NDIS	Adapter driver, MAC, speed, media type
ETW	Active trace sessions and registered providers
IPC	RPC endpoints and named pipes
Object Manager	Kernel object namespace browser
Registry	Key/value browser
Logger	Kernel driver debug logs + GUI logs

标签页	功能
Processes	树形视图、句柄、线程、内存区域、模块
Performance	CPU/RAM/GPU/网络图表、覆盖模式
Services	状态、启动类型、二进制路径
Network > Connections	带所属PID的TCP/UDP连接
Network > Root Certificates	主题、颁发者、指纹
Network > NDIS	适配器驱动、MAC地址、速度、介质类型
ETW	活动跟踪会话和已注册提供者
IPC	RPC端点和命名管道
Object Manager	内核对象命名空间浏览器
Registry	键/值浏览器
Logger	内核驱动调试日志 + GUI日志

Kernel Mode (requires KWinSys)

内核态（需要KWinSys）

Tab	Capability
Process Objects	EPROCESS enumeration, hidden process detection
Modules	Kernel drivers + LolDrivers check
Callbacks	Process/thread/image/registry/object/power callbacks + integrity
SSDT	Entries with owner and hook detection
Kernel Pool	Big pool allocations and tag stats
Memory R/W	Read/write kernel memory by address
Timers	Per-CPU interrupt and DPC counters
Filter	Minifilter drivers with altitude/instance
Descriptor Tables	GDT/IDT entries
IRP Dispatch	IRP dispatch table for any driver
WFP	WFP callout drivers and filters
DSE Status	Driver Signature Enforcement state
CI Policy	Code Integrity policy and enforcement level
Kernel Integrity	Verify kernel .text vs on-disk image
Hypervisor Hooks	EPT hook detection via timing analysis

标签页	功能
Process Objects	EPROCESS枚举、隐藏进程检测
Modules	内核驱动 + LolDrivers检查
Callbacks	进程/线程/镜像/注册表/对象/电源回调 + 完整性校验
SSDT	带所属模块和钩子检测的条目
Kernel Pool	大内存池分配和标签统计
Memory R/W	通过地址读写内核内存
Timers	每CPU中断和DPC计数器
Filter	带优先级/实例的微过滤驱动
Descriptor Tables	GDT/IDT条目
IRP Dispatch	任意驱动的IRP调度表
WFP	WFP标注驱动和过滤器
DSE Status	驱动签名强制状态
CI Policy	代码完整性策略和强制级别
Kernel Integrity	验证内核.text段与磁盘镜像一致性
Hypervisor Hooks	通过时序分析检测EPT钩子

Common Patterns

常见模式

Check if driver is loaded before using kernel features

使用内核功能前检查驱动是否加载

cpp

#include "WinSys/KernelInterface.h"

WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();

if (driverAvailable) {
    // Use kernel-mode features
    auto ssdt = ki.GetSSDTEntries();
} else {
    // Fall back to user-mode only
    fprintf(stderr, "KWinSys not loaded — kernel features unavailable.\n");
}

cpp

#include "WinSys/KernelInterface.h"

WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();

if (driverAvailable) {
    // 使用内核态功能
    auto ssdt = ki.GetSSDTEntries();
} else {
    // 回退到仅用户态功能
    fprintf(stderr, "未加载KWinSys——内核功能不可用。\n");
}

Detect hidden processes (cross-reference EPROCESS list vs user-mode list)

检测隐藏进程（交叉对比EPROCESS列表与用户态列表）

cpp

WinSys::KernelInterface ki;
ki.Open();

auto kernelProcs = ki.EnumProcessObjects();  // Via EPROCESS walk
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();

// Build set of user-visible PIDs
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);

// Find PIDs in kernel list but not user list
for (auto& kp : kernelProcs) {
    if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
        printf("HIDDEN PROCESS: PID=%u Name=%s\n",
            kp.ProcessId, kp.ImageName.c_str());
    }
}

cpp

WinSys::KernelInterface ki;
ki.Open();

auto kernelProcs = ki.EnumProcessObjects();  // 遍历EPROCESS获取
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();

// 构建用户可见PID集合
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);

// 找出内核列表中有但用户列表中没有的PID
for (auto& kp : kernelProcs) {
    if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
        printf("隐藏进程: PID=%u 名称=%s\n",
            kp.ProcessId, kp.ImageName.c_str());
    }
}

Troubleshooting

故障排除

NtWarden won't show kernel tabs

NtWarden不显示内核标签页

Ensure KWinSys.sys is in the same directory as NtWarden.exe (or
```
x64/Release/KWinSys/
```
)
Run NtWarden as Administrator
Confirm test signing is enabled:
```
bcdedit /enum | findstr testsigning
```
Check Logger tab for driver load errors

确保KWinSys.sys与NtWarden.exe在同一目录（或
```
x64/Release/KWinSys/
```
目录）
以管理员身份运行NtWarden
确认已启用测试签名：
```
bcdedit /enum | findstr testsigning
```
查看Logger标签页获取驱动加载错误信息

Driver fails to install

驱动安装失败

powershell

undefined

powershell

undefined

Verify test signing is on

验证测试签名是否开启

bcdedit /enum | Select-String "testsigning"

Check for existing broken service entry

检查是否存在损坏的服务条目

sc query KWinSys sc delete KWinSys # if stuck, delete and retry

sc query KWinSys sc delete KWinSys # 如果卡住，删除后重试

Some VMs also need:

部分虚拟机还需要：

bcdedit /set nointegritychecks on

Then reboot

然后重启

undefined

undefined

WinSysServer connection refused

WinSysServer连接被拒绝

powershell

undefined

powershell

undefined

Verify server is running on target

验证目标机器上服务器是否在运行

netstat -ano | findstr 50002

Check Windows Firewall on target

检查目标机器的Windows防火墙

netsh advfirewall firewall add rule name="WinSysServer" ` dir=in action=allow protocol=TCP localport=50002

undefined

netsh advfirewall firewall add rule name="WinSysServer" ` dir=in action=allow protocol=TCP localport=50002

undefined

Capstone not found (user hooks tab shows no data)

找不到Capstone（用户钩子标签页无数据）

User hook detection with disassembly requires Capstone
Build WinSys with Capstone linked, or the hook scanner will report bytes without disassembly

带反汇编的用户钩子检测需要Capstone
构建WinSys时需链接Capstone，否则钩子扫描仅会报告字节而无反汇编结果

Performance overlay not visible

性能覆盖层不可见

Launch NtWarden, go to Performance tab
Enable overlay mode — it renders over other windows using DirectX 11 transparency

启动NtWarden，进入Performance标签页
启用覆盖模式——它会使用DirectX 11透明效果渲染在其他窗口上方

Build errors — missing WDK

构建错误——缺少WDK

KWinSys requires the Windows Driver Kit
If you only need user-mode features, exclude KWinSys project from build in Visual Studio (right-click project > Unload Project)

KWinSys需要Windows Driver Kit
如果仅需要用户态功能，可在Visual Studio中排除KWinSys项目（右键项目>卸载项目）

Tested Windows Versions

已测试的Windows版本

Windows 11 23H2 (Build 22631.6199)
Windows 10 22H2 (Build 19045.2006)
Windows 10 1703 (Build 15063.13)

Windows 11 23H2（版本22631.6199）
Windows 10 22H2（版本19045.2006）
Windows 10 1703（版本15063.13）

References

参考资料

zodiacon — Primary inspiration
WinArk — Kernel-mode feature reference
LolDrivers — Vulnerable driver database used in Modules tab

zodiacon — 主要灵感来源
WinArk — 内核态功能参考
LolDrivers — 模块标签页使用的漏洞驱动数据库