# mrT4ntr4/NtWarden

Repository record: owner **mrT4ntr4**, description "Windows Analysis and Research Toolkit", language C++, MIT License, default branch `master`, not archived, not a fork. Snapshot: 460 stars (+32 in the last 30 days, +5 in the last 7 days), 52 forks, 6 watchers, 0 open issues. Record updated 2026-06-12 04:00:06; last synced 2026-06-11 02:41:02.

Page summary (translated from the original Chinese): NtWarden is a Windows system inspection tool built on ImGui and DirectX 11 for analyzing and researching a Windows system's processes, services, network, kernel internals and more. Its core features are user-mode process and service enumeration, performance monitoring, and viewing of network connections and root certificates, plus, once the KWinSys driver is installed, kernel-level features such as EPROCESS enumeration and hidden-process detection. The tool runs locally or remotely through WinSysServer and is aimed at researchers and enthusiasts who need to look deeply into the internal state of a Windows system. Note that part of the code was written with AI assistance and may contain bugs; the kernel driver should only be used in a test environment to avoid potential risk.

## README

<p align="center">
  <img src="NtWarden/ico/ntwarden.ico" alt="NtWarden Icon" width="128">
</p>

<h1 align="center">NtWarden</h1>
<h3 align="center"><i>Windows Analysis and Research Toolkit</i></h3>

* Windows system inspection tool built on ImGui + DirectX 11.
* Covers processes, services, network, kernel internals, and more, locally or over the network via WinSysServer.

> ⚠️ Parts of this project were written with AI assistance ("vibe coded"), so it may contain bugs.
> The kernel driver (KWinSys) should only be installed in a test VM for research purposes.

## Screenshots

#### Processes (Kernel Mode)
![Processes (Kernel Mode)](screenshots/kernel_processes.png)

<table>
  <tr>
    <td align="center"><a href="screenshots/user_processes.png"><img src="screenshots/user_processes.png" width="250"><br>Processes (User Mode)</a></td>
    <td align="center"><a href="screenshots/user_etw.png"><img src="screenshots/user_etw.png" width="250"><br>ETW Sessions</a></td>
    <td align="center"><a href="screenshots/callbacks.png"><img src="screenshots/callbacks.png" width="250"><br>Kernel Callbacks</a></td>
  </tr>
  <tr>
    <td align="center"><a href="screenshots/kernel_pool.png"><img src="screenshots/kernel_pool.png" width="250"><br>Kernel Pool</a></td>
    <td align="center"><a href="screenshots/symbol_viewer.png"><img src="screenshots/symbol_viewer.png" width="250"><br>Symbols</a></td>
    <td align="center"><a href="screenshots/filters.png"><img src="screenshots/filters.png" width="250"><br>Filters</a></td>
  </tr>
</table>

## Architecture

| Component | Role |
|---|---|
| **NtWarden** | GUI app (ImGui + DirectX 11) |
| **WinSys** | Static lib for process, service, and network enumeration |
| **KWinSys** | Kernel driver for callbacks, SSDT, kernel modules, etc. |
| **WinSysServer** | Headless TCP server for remote inspection |

## Features

### User Mode (no driver needed)

| Tab | What it does |
|---|---|
| **Processes** | Process list with tree view, handles, threads, memory regions, modules |
| **Performance** | Real-time CPU, RAM, GPU, and network usage graphs; can be overlaid on top of other tasks |
| **Services** | Service enumeration with status, start type, binary path |
| **Network > Connections** | TCP/UDP connections with owning process and remote endpoints |
| **Network > Root Certificates** | Trusted root CA store with subject, issuer, thumbprint |
| **Network > NDIS** | Network adapter info: driver, MAC, speed, media type |
| **ETW** | Active trace sessions and registered providers |
| **IPC** | RPC endpoints and named pipes |
| **Object Manager** | Browse the kernel object namespace: directories, symlinks, devices |
| **Registry** | Registry browser with key/value enumeration |
| **Symbols** | User-mode symbol loading status |
| **Logger** | Collects kernel driver debug logs and user-mode GUI logs in one place |

### Kernel Mode (needs KWinSys)

| Tab | What it does |
|---|---|
| **Process Objects** | EPROCESS enumeration, hidden process detection via cross-referencing |
| **Modules** | Loaded kernel drivers with base, size, path (along with a LolDrivers check) |
| **Callbacks** | Kernel callbacks (process/thread/image/registry/object/power) + integrity checks |
| **SSDT** | SSDT entries with owner and hook detection |
| **Symbols** | Kernel symbol resolution and PDB loading |
| **Kernel Pool** | Big pool allocations, pool tag stats |
| **Memory R/W** | Read/write kernel memory by address |
| **Timers** | Per-CPU interrupt and DPC counters |
| **Filter** | Minifilter drivers with altitude and instance info |
| **Descriptor Tables** | GDT/IDT entries |
| **IRP Dispatch** | IRP dispatch table for any driver: handler addresses, owner module |
| **WFP** | WFP callout drivers and filters |
| **DSE Status** | Driver Signature Enforcement state |
| **CI Policy** | Code Integrity policy and enforcement level |
| **Kernel Integrity** | Verify kernel .text against the on-disk image |
| **Hypervisor Hooks** | EPT hook detection via timing analysis |

### Analyze Process (right-click > Analyze Process)

Per-process security analysis, accessible from the process context menu.

| Section | What it checks |
|---|---|
| **Unbacked Memory** | Private executable regions not backed by any file (shellcode indicator) |
| **Hollowing** | PEB ImageBase vs PE header ImageBase mismatch |
| **Module Stomping** | In-memory .text sections compared against disk originals |
| **Direct Syscalls** | `syscall` (0F 05) instructions found outside ntdll |
| **Syscall Stubs** | ntdll stub integrity: memory bytes vs a clean disk copy |
| **User Hooks** | Inline hooks (JMP/CALL patches) in ntdll, kernel32, etc. (requires Capstone to disassemble the analyzed bytes) |
| **Tokens** | Elevation, integrity level, impersonation, suspicious privileges |
| **Debug Objects** | Debug objects and debug ports on the process |
| **Hypervisor** | CPUID vendor check + RDTSC/CPUID timing anomalies |
| **Job Objects** | Job membership, limits, UI restrictions |
| **CFG Status** | CFG/XFG enforcement state and mitigation flags |

## Building

**Requirements:** Visual Studio 2022, Windows SDK 10.0.26100.0+, WDK (for KWinSys)

```
NtWarden.sln
├── NtWarden/          # GUI app
├── WinSys/            # Core library (static lib)
├── KWinSys/           # Kernel driver
└── WinSysServer/      # Remote server
```

1. Open `NtWarden.sln` in Visual Studio
2. Build **Release | x64**
3. Output goes to `x64/Release/`

## Driver Setup

KWinSys needs test signing or a valid signature.

```powershell
# Enable test signing (reboot required)
bcdedit /set testsigning on

# On VMs you may also need
bcdedit /set nointegritychecks on
```

Both settings weaken Driver Signature Enforcement for the whole machine, which is why the driver belongs in a throwaway test VM. Secure Boot must be off in that VM before `testsigning` can be enabled, and you can revert it with `bcdedit /set testsigning off` when you are done.

Run NtWarden as **Administrator**. Switching to the Kernel Mode tab will auto-install and start the driver if it is not already loaded. You can also manage it manually from the **Driver** menu.

## Remote Inspection

WinSysServer runs on a target machine (usually a VM) and serves system data over TCP. Connect from NtWarden via **Remote > Connect**.

### What to copy to the target

| File | Path | Needed for |
|---|---|---|
| `WinSysServer.exe` | `x64/Release/WinSysServer.exe` | Always |
| `KWinSys.sys` | `x64/Release/KWinSys/KWinSys.sys` | Kernel features only |

> User-mode features (processes, services, network) work without the driver. Kernel tabs need KWinSys loaded on the target.

### Running the server

```powershell
# Auto-install driver + start server (run elevated)
WinSysServer.exe --install              # default port 50002
WinSysServer.exe --install --port 9000  # custom port

# Or install the driver yourself first
sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc start KWinSys
WinSysServer.exe [--port <port>]        # default: 50002
```

### Connecting from NtWarden

1. Launch NtWarden
2. **Remote** > enter target IP and port > **Connect**

### Protocol

Custom binary protocol over TCP with a 12-byte header (`MessageType`, `DataSize`, `Status`). There is no authentication: any client that can reach the port gets everything the tabs expose, including kernel Memory R/W when KWinSys is loaded on the target. Use it only in isolated lab/VM environments, on a host-only network.

## Tested On
- Windows 11 23H2 (Build 22631.6199)
- Windows 10 22H2 (Build 19045.2006)
- Windows 10 1703 (Build 15063.13)

## Credits

- [zodiacon](https://github.com/zodiacon) - Major inspiration for the project
- [WinArk](https://github.com/BeneficialCode/WinArk) - Reference for kernel-mode features

## License

MIT - see [LICENSE](LICENSE).
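The Protocol paragraph above fixes only the header size and its three field names (`MessageType`, `DataSize`, `Status`) and says there is no authentication. The block below is an added example of how a practitioner would frame and parse such messages; it is not WinSysServer's code and assumes, as a hypothetical layout, three little-endian `uint32` fields in that order. The message-type and status values, the 16 MiB cap on `DataSize`, and the sample process-list payload are all invented for the example. The point it demonstrates is the check an unauthenticated listener needs most: `DataSize` arrives from whoever connected, so it is bounded before any allocation or copy, and a truncated frame waits for more bytes instead of being parsed.

```cpp
// Added example (not WinSysServer's code): length-validated framing for a 12-byte
// (MessageType, DataSize, Status) header, with a mock request/response exchange.
// Assumption: three little-endian uint32 fields in that order; the README fixes only
// the field names and the total size. Message-type and status values are illustrative.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

constexpr size_t   kHeaderSize   = 12;
constexpr uint32_t kMaxDataSize  = 16u * 1024u * 1024u;  // assumed cap; the page states none
constexpr uint32_t kMsgProcesses = 1;                    // hypothetical message type
constexpr uint32_t kStatusOk     = 0;                    // hypothetical status codes
constexpr uint32_t kStatusBadReq = 1;

struct Frame { uint32_t type = 0, dataSize = 0, status = 0; Bytes data; };
enum class Decode { Ok, NeedMore, TooLarge };

inline void put32(Bytes& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
}
inline uint32_t get32(const uint8_t* p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= uint32_t(p[i]) << (8 * i);
    return v;
}

inline Bytes encode_frame(uint32_t type, uint32_t status, const Bytes& data) {
    Bytes out;
    out.reserve(kHeaderSize + data.size());
    put32(out, type); put32(out, uint32_t(data.size())); put32(out, status);
    out.insert(out.end(), data.begin(), data.end());
    return out;
}

// Parse one frame from the front of a receive buffer. DataSize is attacker-controlled on an
// unauthenticated port, so it is bounded before anything is allocated or copied.
inline Decode decode_frame(const Bytes& buf, Frame& f, size_t& consumed) {
    consumed = 0;
    if (buf.size() < kHeaderSize) return Decode::NeedMore;
    f.type = get32(&buf[0]); f.dataSize = get32(&buf[4]); f.status = get32(&buf[8]);
    if (f.dataSize > kMaxDataSize) return Decode::TooLarge;           // caller drops the connection
    if (buf.size() - kHeaderSize < f.dataSize) return Decode::NeedMore;
    f.data.assign(buf.begin() + kHeaderSize, buf.begin() + kHeaderSize + f.dataSize);
    consumed = kHeaderSize + f.dataSize;
    return Decode::Ok;
}

// Server side of the mock exchange: answers a process-list request with a constructed payload.
inline Bytes server_handle(const Bytes& wire) {
    Frame req; size_t used = 0;
    if (decode_frame(wire, req, used) != Decode::Ok)
        return encode_frame(0, kStatusBadReq, {});
    if (req.type == kMsgProcesses) {
        std::string body = "4:System;1234:svchost.exe";               // constructed sample data
        return encode_frame(kMsgProcesses, kStatusOk, Bytes(body.begin(), body.end()));
    }
    return encode_frame(req.type, kStatusBadReq, {});
}

// Client side: send a request with an empty body and decode the reply.
inline Frame client_exchange(uint32_t type) {
    Bytes reply = server_handle(encode_frame(type, 0, {}));
    Frame f; size_t used = 0;
    decode_frame(reply, f, used);
    return f;
}

int main() {
    Frame r = client_exchange(kMsgProcesses);
    std::printf("type=%u status=%u size=%u payload=%.*s\n", r.type, r.status, r.dataSize,
                (int)r.data.size(), (const char*)r.data.data());
    Bytes forged = {0x01,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0};          // header claiming 4 GiB of data
    Frame f; size_t used = 0;
    std::printf("forged header -> %s\n",
                decode_frame(forged, f, used) == Decode::TooLarge ? "rejected" : "accepted");
    return 0;
}
```

Nothing in this framing identifies the caller, which is the README's point: bounding `DataSize` stops a trivial memory-exhaustion crash, but it does not stop a reachable client from issuing any request the server supports. That is why the server belongs on a host-only lab network.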