NtWarden Windows Analysis and Research Toolkit
Skill by ara.so — Daily 2026 Skills collection.
NtWarden is a Windows system inspection tool built on ImGui + DirectX 11. It covers processes, services, network, kernel internals, ETW, registry, object manager, and more — locally or remotely via WinSysServer. A kernel driver (KWinSys) enables deep kernel-mode analysis including SSDT hooks, kernel callbacks, EPT hook detection, and driver integrity checks.
Architecture
| Component | Role |
|---|---|
| NtWarden | GUI app (ImGui + DirectX 11) |
| WinSys | Static lib — process, service, network enumeration |
| KWinSys | Kernel driver — callbacks, SSDT, kernel modules, pool, etc. |
| WinSysServer | Headless TCP server for remote inspection |
Build Requirements
- Visual Studio 2022
- Windows SDK 10.0.26100.0+
- WDK (Windows Driver Kit) — required only for KWinSys kernel driver
Building

```powershell
# Open solution in Visual Studio 2022
# Select Release | x64
# Build All
```

Output lands in:

```
x64/Release/NtWarden.exe
x64/Release/WinSysServer.exe
x64/Release/KWinSys/KWinSys.sys
```

Solution structure:

```
NtWarden.sln
├── NtWarden/      # GUI application
├── WinSys/        # Core static library
├── KWinSys/       # Kernel driver (.sys)
└── WinSysServer/  # Remote TCP server
```

---
Running NtWarden

Always run as Administrator for full functionality.

```powershell
# Run elevated
Start-Process NtWarden.exe -Verb RunAs
```

User-mode features (processes, services, network, ETW, registry, object manager) work without the driver.

---
Kernel Driver Setup (KWinSys)

⚠️ Use only in a test VM. Enable test signing before installing.

```powershell
# Enable test signing (requires reboot)
bcdedit /set testsigning on

# On VMs, may also need:
bcdedit /set nointegritychecks on
```

Reboot, then run NtWarden as Administrator.

Switching to the Kernel Mode tab auto-installs and starts KWinSys.

Manual driver management:

```powershell
# Install manually (call sc.exe explicitly: in PowerShell a bare "sc" resolves to the Set-Content alias)
sc.exe create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc.exe start KWinSys

# Stop and remove
sc.exe stop KWinSys
sc.exe delete KWinSys
```

The NtWarden GUI also exposes driver management under the **Driver** menu.

---
Remote Inspection (WinSysServer)

Deploy to a target machine (typically a VM) and connect from NtWarden.
Files to copy to target

| File | Source Path | Purpose |
|---|---|---|
| WinSysServer.exe | x64/Release/WinSysServer.exe | Always required |
| KWinSys.sys | x64/Release/KWinSys/KWinSys.sys | Kernel features only |
Starting the server (on target, elevated)

```powershell
# Auto-install driver + start server on default port 50002
WinSysServer.exe --install

# Custom port
WinSysServer.exe --install --port 9000

# If driver already installed manually:
WinSysServer.exe
WinSysServer.exe --port 9000
```
Connecting from NtWarden (on host)

- Launch NtWarden
- Go to Remote menu
- Enter target IP and port (default: 50002)
- Click Connect
Protocol notes

- Custom binary protocol over TCP
- 12-byte header: MessageType, DataSize, Status
- No authentication — use only in isolated lab/VM environments
- User-mode data (processes, services, network) works without KWinSys on target
- Kernel tabs require KWinSys loaded on the remote target
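A small encoder and parser for the frame header described above, added here as an illustration rather than taken from WinSysServer. The field layout (three consecutive little-endian uint32 values in the order MessageType, DataSize, Status) is an assumption that fits the 12-byte size; what the example shows is validating DataSize before allocating or reading, because nothing on this protocol authenticates the peer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed layout (not taken from the project): MessageType | DataSize | Status,
// three consecutive little-endian uint32 fields, 12 bytes in total.
struct FrameHeader { uint32_t MessageType; uint32_t DataSize; uint32_t Status; };

constexpr size_t kHeaderSize = 12;
// An unauthenticated peer controls DataSize, so never size a buffer from it
// without a bound; frames above this cap are rejected outright.
constexpr uint32_t kMaxPayload = 16u * 1024 * 1024;

enum class ParseResult { Ok, NeedMoreData, Invalid };

struct Decoded {
    ParseResult result;
    FrameHeader header;
    size_t frameLen;  // header + payload bytes; meaningful only when result == Ok
};

static void PutLE32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

static uint32_t GetLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Build a complete frame: header followed by payload.
std::vector<uint8_t> EncodeFrame(uint32_t type, uint32_t status,
                                 const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    PutLE32(out, type);
    PutLE32(out, static_cast<uint32_t>(payload.size()));
    PutLE32(out, status);
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Inspect a receive buffer. NeedMoreData: keep reading from the socket.
// Invalid: the peer sent an oversized length; drop the connection.
Decoded DecodeFrame(const std::vector<uint8_t>& buf) {
    Decoded d{ParseResult::NeedMoreData, {}, 0};
    if (buf.size() < kHeaderSize) return d;
    d.header = {GetLE32(&buf[0]), GetLE32(&buf[4]), GetLE32(&buf[8])};
    if (d.header.DataSize > kMaxPayload) { d.result = ParseResult::Invalid; return d; }
    d.frameLen = kHeaderSize + d.header.DataSize;
    if (buf.size() >= d.frameLen) d.result = ParseResult::Ok;
    return d;
}
```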
WinSys Static Library — Key Usage Patterns

WinSys is the core library consumed by both NtWarden and WinSysServer. Example integration patterns in C++:
Process Enumeration

```cpp
#include <cstdio>
#include "WinSys/ProcessManager.h"

// Enumerate all processes (user mode)
auto& pm = WinSys::ProcessManager::Get();
pm.Update(); // Refresh snapshot
for (auto& proc : pm.GetProcesses()) {
    printf("PID: %5u Name: %s\n",
           proc->Id,
           proc->GetImageName().c_str());
}
```

Service Enumeration
```cpp
#include <cstdio>
#include "WinSys/ServiceManager.h"

WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();
for (auto& svc : services) {
    printf("Service: %-40s State: %u StartType: %u\n",
           svc.GetName().c_str(),
           svc.Status.dwCurrentState,
           svc.Config.dwStartType);
}
```

Network Connections
```cpp
#include <cstdio>
#include "WinSys/NetworkManager.h"

WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();
for (auto& conn : conns) {
    printf("PID: %u Local: %s:%u Remote: %s:%u State: %u\n",
           conn.ProcessId,
           conn.LocalAddress.c_str(), conn.LocalPort,
           conn.RemoteAddress.c_str(), conn.RemotePort,
           conn.State);
}
```

Communicating with KWinSys Driver (IOCTL)
```cpp
#include <cstdio>
#include "WinSys/KernelInterface.h"

// Open handle to driver device
WinSys::KernelInterface ki;
if (!ki.Open()) {
    fprintf(stderr, "Failed to open KWinSys device. Is driver loaded?\n");
    return;
}

// Enumerate kernel modules
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
    printf("Base: %p Size: 0x%X Path: %s\n",
           mod.Base, mod.Size, mod.FullPath.c_str());
}

// Read kernel callbacks
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
    printf("Callback: %p Module: %s Suspicious: %d\n",
           cb.Address,
           cb.OwnerModule.c_str(),
           cb.IsSuspicious ? 1 : 0);
}
```

Per-Process Security Analysis (Analyze Process)

Accessible via right-click > Analyze Process in the GUI, or programmatically:
```cpp
#include <cstdio>
#include "WinSys/ProcessAnalyzer.h"

DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);
auto result = analyzer.Analyze();

// Unbacked executable memory (shellcode indicator)
for (auto& region : result.UnbackedRegions) {
    printf("Unbacked RX region: base=%p size=0x%zX\n",
           region.Base, region.Size);
}

// Hollowing detection
if (result.HollowingDetected) {
    printf("Hollowing: PEB ImageBase=%p vs PE Header ImageBase=%p\n",
           result.PebImageBase, result.PeHeaderImageBase);
}

// Direct syscalls outside ntdll
for (auto& sc : result.DirectSyscalls) {
    printf("Direct syscall at: %p in module: %s\n",
           sc.Address, sc.ModuleName.c_str());
}

// Inline user hooks
for (auto& hook : result.UserHooks) {
    printf("Hook in %s!%s at %p -> %p\n",
           hook.Module.c_str(),
           hook.Function.c_str(),
           hook.Address,
           hook.Target);
}

// Token info
printf("Elevated: %d IntegrityLevel: %u\n",
       result.Token.IsElevated,
       result.Token.IntegrityLevel);
```
Key Features by Tab
User Mode (no driver)
| Tab | Capability |
|---|---|
| Processes | Tree view, handles, threads, memory regions, modules |
| Performance | CPU/RAM/GPU/network graphs, overlay mode |
| Services | Status, start type, binary path |
| Network > Connections | TCP/UDP with owning PID |
| Network > Root Certificates | Subject, issuer, thumbprint |
| Network > NDIS | Adapter driver, MAC, speed, media type |
| ETW | Active trace sessions and registered providers |
| IPC | RPC endpoints and named pipes |
| Object Manager | Kernel object namespace browser |
| Registry | Key/value browser |
| Logger | Kernel driver debug logs + GUI logs |
Kernel Mode (requires KWinSys)
| Tab | Capability |
|---|---|
| Process Objects | EPROCESS enumeration, hidden process detection |
| Modules | Kernel drivers + LolDrivers check |
| Callbacks | Process/thread/image/registry/object/power callbacks + integrity |
| SSDT | Entries with owner and hook detection |
| Kernel Pool | Big pool allocations and tag stats |
| Memory R/W | Read/write kernel memory by address |
| Timers | Per-CPU interrupt and DPC counters |
| Filter | Minifilter drivers with altitude/instance |
| Descriptor Tables | GDT/IDT entries |
| IRP Dispatch | IRP dispatch table for any driver |
| WFP | WFP callout drivers and filters |
| DSE Status | Driver Signature Enforcement state |
| CI Policy | Code Integrity policy and enforcement level |
| Kernel Integrity | Verify kernel .text vs on-disk image |
| Hypervisor Hooks | EPT hook detection via timing analysis |
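How the OwnerModule and IsSuspicious values seen in the KWinSys IOCTL example, and the SSDT hook detection listed in the table, can be derived from a module list. This is an added example with constructed data, not WinSys code; it assumes the simplest rules, namely that a callback target is suspicious when no loaded module covers it, and that an SSDT entry is suspicious unless it resolves into ntoskrnl.exe.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for the records EnumKernelModules() returns:
// image base, size and name. Not a WinSys type.
struct KernelModule { uint64_t Base; uint64_t Size; std::string Name; };

struct Attribution {
    std::string OwnerModule;  // empty when no loaded module covers the address
    bool IsSuspicious;
};

// Find the module whose [Base, Base + Size) range contains addr.
const KernelModule* FindOwner(const std::vector<KernelModule>& mods, uint64_t addr) {
    for (const auto& m : mods)
        if (addr >= m.Base && addr - m.Base < m.Size) return &m;
    return nullptr;
}

// A callback target outside every loaded image points at code that never went
// through the normal driver load path, so it is flagged.
Attribution AttributeCallback(const std::vector<KernelModule>& mods, uint64_t target) {
    const KernelModule* m = FindOwner(mods, target);
    if (!m) return {"", true};
    return {m->Name, false};
}

// SSDT entries are expected to resolve into the kernel image itself; any other
// owner, or no owner at all, means the entry has been redirected.
Attribution AttributeSsdtEntry(const std::vector<KernelModule>& mods, uint64_t target,
                               const std::string& kernelImage = "ntoskrnl.exe") {
    const KernelModule* m = FindOwner(mods, target);
    if (!m) return {"", true};
    return {m->Name, m->Name != kernelImage};
}

// Constructed sample module list; bases, sizes and driver names are illustrative only.
std::vector<KernelModule> SampleModules() {
    return {{0xFFFFF80000000000ULL, 0x1000000, "ntoskrnl.exe"},
            {0xFFFFF80010000000ULL, 0x200000, "drvA.sys"},
            {0xFFFFF80020000000ULL, 0x80000, "drvB.sys"}};
}
```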
Common Patterns
Check if driver is loaded before using kernel features
```cpp
#include <cstdio>
#include "WinSys/KernelInterface.h"

WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();
if (driverAvailable) {
    // Use kernel-mode features
    auto ssdt = ki.GetSSDTEntries();
} else {
    // Fall back to user-mode only
    fprintf(stderr, "KWinSys not loaded — kernel features unavailable.\n");
}
```

Detect hidden processes (cross-reference EPROCESS list vs user-mode list)
```cpp
#include <cstdio>
#include <unordered_set>
#include "WinSys/KernelInterface.h"
#include "WinSys/ProcessManager.h"

WinSys::KernelInterface ki;
if (!ki.Open()) return; // KWinSys must be loaded for the EPROCESS walk

auto kernelProcs = ki.EnumProcessObjects(); // Via EPROCESS walk
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();

// Build set of user-visible PIDs
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);

// Find PIDs in kernel list but not user list.
// The two snapshots are not taken atomically: a process that exits between
// them also lands here, so re-check a hit before treating it as hidden.
for (auto& kp : kernelProcs) {
    if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
        printf("HIDDEN PROCESS: PID=%u Name=%s\n",
               kp.ProcessId, kp.ImageName.c_str());
    }
}
```

Troubleshooting
NtWarden won't show kernel tabs

- Ensure KWinSys.sys is in the same directory as NtWarden.exe (or `x64/Release/KWinSys/`)
- Run NtWarden as Administrator
- Confirm test signing is enabled: `bcdedit /enum | findstr testsigning`
- Check Logger tab for driver load errors
Driver fails to install

```powershell
# Verify test signing is on
bcdedit /enum | Select-String "testsigning"

# Check for existing broken service entry (sc.exe, not the PowerShell sc alias)
sc.exe query KWinSys
sc.exe delete KWinSys   # if stuck, delete and retry

# Some VMs also need:
bcdedit /set nointegritychecks on
# Then reboot
```

WinSysServer connection refused
```powershell
# Verify server is running on target
netstat -ano | findstr 50002

# Check Windows Firewall on target
# (the protocol has no authentication, so consider adding remoteip=<analysis-host IP>
#  to limit the rule to the host running NtWarden)
netsh advfirewall firewall add rule name="WinSysServer" `
    dir=in action=allow protocol=TCP localport=50002
```

Capstone not found (user hooks tab shows no data)
- User hook detection with disassembly requires Capstone
- Build WinSys with Capstone linked, or the hook scanner will report bytes without disassembly
Performance overlay not visible
- Launch NtWarden, go to Performance tab
- Enable overlay mode — it renders over other windows using DirectX 11 transparency
Build errors — missing WDK
- KWinSys requires the Windows Driver Kit
- If you only need user-mode features, exclude KWinSys project from build in Visual Studio (right-click project > Unload Project)
Tested Windows Versions
- Windows 11 23H2 (Build 22631.6199)
- Windows 10 22H2 (Build 19045.2006)
- Windows 10 1703 (Build 15063.13)
References
- zodiacon — Primary inspiration
- WinArk — Kernel-mode feature reference
- LolDrivers — Vulnerable driver database used in Modules tab