
NtWARden

Windows Analysis and Research Toolkit

  • Windows system inspection tool built on ImGui + DirectX 11.
  • Covers processes, services, network, kernel internals, and more - locally or over the network via WinSysServer.

⚠️ Parts of this project were vibe coded with AI assistance so it might have some bugs. The kernel driver (KWinSys) should only be installed in a Test VM for research purposes.

Screenshots

Screenshots in the original README (images not reproduced here):

  • Processes (Kernel Mode)
  • Processes (User Mode)
  • ETW Sessions
  • Kernel Callbacks
  • Kernel Pool
  • Symbols
  • Filters

Architecture

Component     Role
NtWarden      GUI app (ImGui + DirectX 11)
WinSys        Static lib for process, service, and network enumeration
KWinSys       Kernel driver for callbacks, SSDT, kernel modules, etc.
WinSysServer  Headless TCP server for remote inspection

Features

User Mode (no driver needed)

Tab                          What it does
Processes                    Process list with tree view, handles, threads, memory regions, modules
Performance                  Real-time CPU, RAM, GPU, and network usage graphs - can be overlaid on top of other tasks
Services                     Service enumeration with status, start type, binary path
Network > Connections        TCP/UDP connections with owning process and remote endpoints
Network > Root Certificates  Trusted root CA store with subject, issuer, thumbprint
Network > NDIS               Network adapter info - driver, MAC, speed, media type
ETW                          Active trace sessions and registered providers
IPC                          RPC endpoints and named pipes
Object Manager               Browse the kernel object namespace - directories, symlinks, devices
Registry                     Registry browser with key/value enumeration
Symbols                      User-mode symbol loading status
Logger                       Intercepts kernel driver debug logs and user-mode GUI logs in one place

Kernel Mode (needs KWinSys)

Tab                What it does
Process Objects    EPROCESS enumeration, hidden process detection via cross-referencing
Modules            Loaded kernel drivers with base, size, path (along with LolDrivers check)
Callbacks          Kernel callbacks (process/thread/image/registry/object/power) + integrity checks
SSDT               SSDT entries with owner and hook detection
Symbols            Kernel symbol resolution and PDB loading
Kernel Pool        Big pool allocations, pool tag stats
Memory R/W         Read/write kernel memory by address
Timers             Per-CPU interrupt and DPC counters
Filter             Minifilter drivers with altitude and instance info
Descriptor Tables  GDT/IDT entries
IRP Dispatch       IRP dispatch table for any driver - handler addresses, owner module
WFP                WFP callout drivers and filters
DSE Status         Driver Signature Enforcement state
CI Policy          Code Integrity policy and enforcement level
Kernel Integrity   Verify kernel .text against on-disk image
Hypervisor Hooks   EPT hook detection via timing analysis

Analyze Process (right-click > Analyze Process)

Per-process security analysis, accessible from the process context menu.

Section          What it checks
Unbacked Memory  Private executable regions not backed by any file (shellcode indicator)
Hollowing        PEB ImageBase vs PE header ImageBase mismatch
Module Stomping  In-memory .text sections compared against disk originals
Direct Syscalls  syscall (0F 05) instructions found outside ntdll
Syscall Stubs    ntdll stub integrity - memory bytes vs clean disk copy
User Hooks       Inline hooks (JMP/CALL patches) in ntdll, kernel32, etc. (needs Capstone to disassemble analyzed bytes)
Tokens           Elevation, integrity level, impersonation, suspicious privileges
Debug Objects    Debug objects and debug ports on the process
Hypervisor       CPUID vendor check + RDTSC/CPUID timing anomalies
Job Objects      Job membership, limits, UI restrictions
CFG Status       CFG/XFG enforcement state and mitigation flags

Building

Requirements: Visual Studio 2022, Windows SDK 10.0.26100.0+, WDK (for KWinSys)

NtWarden.sln
├── NtWarden/          # GUI app
├── WinSys/            # Core library (static lib)
├── KWinSys/           # Kernel driver
└── WinSysServer/      # Remote server

  1. Open NtWarden.sln in Visual Studio
  2. Build Release | x64
  3. Output goes to x64/Release/

Driver Setup

KWinSys needs test signing or a valid signature.

# Enable test signing (reboot required)
bcdedit /set testsigning on

# On VMs you may also need
bcdedit /set nointegritychecks on

Run NtWarden as Administrator. Switching to the Kernel Mode tab will auto-install and start the driver if it's not already loaded. You can also manage it manually from the Driver menu.

Remote Inspection

WinSysServer runs on a target machine (usually a VM) and serves system data over TCP. Connect from NtWarden via Remote > Connect.

What to copy to the target

File              Path                             Needed for
WinSysServer.exe  x64/Release/WinSysServer.exe     Always
KWinSys.sys       x64/Release/KWinSys/KWinSys.sys  Kernel features only

User-mode features (processes, services, network) work without the driver. Kernel tabs need KWinSys loaded on the target.

Running the server

# Auto-install driver + start server (run elevated)
WinSysServer.exe --install              # default port 50002
WinSysServer.exe --install --port 9000  # custom port

# Or install the driver yourself first
sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc start KWinSys
WinSysServer.exe [--port <port>]        # default: 50002

Connecting from NtWarden

  1. Launch NtWarden
  2. Remote > enter target IP and port > Connect

Protocol

Custom binary protocol over TCP. 12-byte header (MessageType, DataSize, Status). No auth - use in isolated lab/VM environments only.
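Added example (C++, not WinSysServer's own code) of framing and validating the 12-byte header described above. The README gives only the field names, so the layout here (three little-endian uint32 fields in the order MessageType, DataSize, Status) and the kMaxDataSize cap are assumptions; the point is that a receiver on an unauthenticated port checks DataSize before allocating or waiting for payload.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed wire layout, not confirmed by the README: three little-endian uint32 fields in the
// order MessageType, DataSize, Status, making up the 12-byte header the README describes.
constexpr size_t kHeaderSize = 12;
// Cap a receiver enforces before trusting DataSize; value chosen for this example.
constexpr uint32_t kMaxDataSize = 16u * 1024u * 1024u;

struct Header { uint32_t message_type; uint32_t data_size; uint32_t status; };

static void put_u32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static uint32_t get_u32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Build one frame: header followed by the payload; DataSize is derived from the payload.
std::vector<uint8_t> encode_frame(uint32_t message_type, uint32_t status,
                                  const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    put_u32(out, message_type);
    put_u32(out, static_cast<uint32_t>(payload.size()));
    put_u32(out, status);
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Parse the header at the front of a receive buffer. Fails on a short buffer or on a
// DataSize above the cap, so an unauthenticated peer cannot drive a huge allocation.
bool decode_header(const std::vector<uint8_t>& buf, Header& h) {
    if (buf.size() < kHeaderSize) return false;
    h = Header{get_u32(&buf[0]), get_u32(&buf[4]), get_u32(&buf[8])};
    return h.data_size <= kMaxDataSize;
}

// True once the buffer holds the complete frame (header plus DataSize payload bytes).
bool frame_complete(const std::vector<uint8_t>& buf) {
    Header h{};
    return decode_header(buf, h) && buf.size() - kHeaderSize >= h.data_size;
}
```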

Tested On

  • Windows 11 23H2 (Build 22631.6199)
  • Windows 10 22H2 (Build 19045.2006)
  • Windows 10 1703 (Build 15063.13)

Credits

  • zodiacon - Major inspiration for the project
  • WinArk - Reference for kernel-mode features

License

MIT - see LICENSE.
