
KernelResearchKit

Windows 11 kernel research framework demonstrating DSE bypass on Windows 11 25H2 through boot-time execution. Loads unsigned drivers by surgically patching SeCiCallbacks via native subsystem. Includes anti-loop protection and dual-path architecture. Windows 11 25H2 driver signature enforcement bypass

Install / Use: /learn @wesmar/KernelResearchKit

About this skill

Quality Score: 0/100
Supported Platforms: Universal

README

KernelResearchKit - Windows DSE Bypass Framework

🚀 Update: 22.12.2025 - Code Sanitization & PDB Version Resilience

Low-level code sanitization implemented in BootBypass(FastReboot).

Introduced code cleanup and hardening in the low-level BootBypass(FastReboot) component. Additionally, initiated testing to ensure drvloader remains functional across Windows updates and is resilient to changing PDB versions. This should work seamlessly; if issues occur, please delete the C:\Windows\Symbols folder.

🚀 Update: 07.12.2025 - FastReboot Architecture ///BootBypass(FastReboot).exe///

New "FastReboot" mechanism introduced.

The new framework now patches the SYSTEM hive directly on the raw disk via a Chunked Rolling Scan algorithm. This allows HVCI to be disabled and the system restarted (NtShutdownSystem) entirely within the Native (SMSS) phase.

  • Zero Dependencies: Completely removed the RebootGuardian service and Themes dependency chain.
  • Stealth & Speed: Operations occur before Win32 subsystem initialization, leaving no service artifacts and significantly reducing reboot turnaround time.


📦 Download

KernelResearchKit.7z
🔐 Password: github.com


🎯 Overview

KernelResearchKit is a research framework for Windows kernel security analysis, demonstrating Driver Signature Enforcement (DSE) bypass through surgical manipulation of kernel code integrity callbacks. The framework provides two independent execution methods:

  • BootBypass.exe - Native subsystem application executing during Windows boot sequence
  • drvloader.exe - Win32 GUI application for interactive post-boot DSE manipulation

Both paths achieve identical results through different technical approaches, showcasing the versatility of the underlying vulnerability class.

Key Features

🔧 Boot-Time Execution (BootBypass)

  • Executes in Native subsystem (pre-Win32, SMSS phase)
  • Automatic HVCI detection with scheduled reboot mechanism
  • Dual-layer anti-loop protection (cleanup + RebootGuardian service)
  • Sequential driver operations: LOAD, UNLOAD, RENAME, DELETE, AutoPatch
  • State persistence via drivers.ini for DSE restoration
  • String obfuscation via assembly-based telemetry decoder

💻 Runtime Execution (drvloader)

  • Interactive Win32 GUI with real-time DSE status checking
  • Dynamic PDB symbol resolution from Microsoft Symbol Server
  • Mini-PDB caching system (32-byte .mpdb files) for offline operation
  • Automatic offset detection and drivers.ini synchronization
  • No reboot required for DSE bypass operations

🛡️ Safety Mechanisms

  • Dual-layer reboot loop protection (primary cleanup + RebootGuardian failsafe)
  • Exception-wrapped kernel memory operations
  • Registry backups before all modifications
  • State validation and consistency checks

🔒 Anti-Analysis Features

  • Assembly-based runtime string decoding (no hardcoded driver names)
  • XOR-encoded resource embedding with multi-phase transformation
  • Legitimate Windows API naming convention (MmGetPoolDiagnosticString)
  • Static analysis evasion (strings.exe, IDA Pro string search resistant)

🗂️ Architecture

Component 1: BootBypass (Native Subsystem Application)

BootBypass is a native application compiled with /SUBSYSTEM:NATIVE, executing during the Session Manager Subsystem (SMSS) phase of Windows boot. This timing provides a pristine environment where security services (Windows Defender, EDR, etc.) have not yet initialized.

Execution Timeline:

sequenceDiagram
    participant UEFI
    participant ntoskrnl
    participant SMSS
    participant BootBypass
    participant Services

    UEFI->>ntoskrnl: Load Kernel
    ntoskrnl->>SMSS: Launch Session Manager
    Note over SMSS: Read BootExecute registry value
    SMSS->>BootBypass: Execute Native App (SYSTEM)
    Note over BootBypass: Security services: INACTIVE
    BootBypass->>BootBypass: Check HVCI → Extract embedded driver → Patch DSE → Load drivers
    SMSS->>Services: Start Windows Subsystem
    Note over Services: Windows Defender starts (too late)

Deployment via BootExecute Registry:

Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Value: BootExecute (REG_MULTI_SZ)
Content: 
  autocheck autochk *
  BootBypass

Configuration File: drivers.ini

Sequential operations defined in UTF-16 LE format with sections:

  • [Config] - Global settings (Execute, RestoreHVCI, kernel offsets)
  • [DriverN] - Load/unload operations with optional AutoPatch
  • [RenameN] - File/directory renaming operations
  • [DeleteN] - File/directory deletion (with RecursiveDelete option)
  • [DSE_STATE] - Auto-generated state persistence for restoration

AutoPatch Feature:

Automatic DSE bypass cycle per driver. When AutoPatch=YES is set:

STEP 1: Extract vulnerable driver from embedded resources (XOR-decoded)
STEP 2: Load vulnerable driver with assembly-decoded name
STEP 3: Patch DSE callback → ZwFlushInstructionCache
STEP 4: Load target unsigned driver
STEP 5: Restore original DSE callback
STEP 6: Unload vulnerable driver
STEP 7: Delete temporary files and registry keys

This eliminates manual DSE management - each driver gets its own isolated bypass session with automatic cleanup.

Anti-Loop Protection (HVCI Handling):

When Memory Integrity (HVCI) is enabled, DSE bypass succeeds but unsigned driver loading causes BSOD. The framework implements dual-layer protection:

graph TD
    subgraph "Boot 1: Detection"
        A[BootBypass Start] --> B[Layer 1: Cleanup Attempt]
        B --> C[RemoveThemesDependency]
        C --> D[RemoveRebootGuardianService]
        D --> E{HVCI=1?}
        E -->|Yes| F[Set HVCI=0]
        F --> G[Create RebootGuardian Service]
        G --> H[Add Themes→RebootGuardian Dependency]
        H --> I[skipPatch=TRUE]
        I --> J[Exit Without DSE Patch]
    end
    
    subgraph "Boot 2: Guardian Trigger"
        K[Windows Services Start] --> L[Themes Dependency Check]
        L --> M[SCM Starts RebootGuardian]
        M --> N[Execute: sc delete RebootGuardian]
        N --> O[Execute: reg delete DependOnService]
        O --> P[Execute: shutdown /r /t 0 /f]
    end
    
    subgraph "Boot 3: Clean Operation"
        Q[BootBypass Start] --> R[Layer 1: Cleanup Success]
        R --> S{HVCI=1?}
        S -->|No| T[skipPatch=FALSE]
        T --> U[Extract & Load Vulnerable Driver]
        U --> V[Normal DSE Patching]
        V --> W[Load Unsigned Drivers]
        W --> X[Cleanup & RestoreHVCI Cosmetically]
    end
    
    J --> K
    P --> Q
    
    style F fill:#ff6b6b
    style G fill:#ff6b6b
    style V fill:#4ecdc4

Why Dual-Layer? Primary cleanup (Layer 1) executes on every boot before any operations. If the system crashes or power fails before cleanup runs, the secondary mechanism (Layer 2: the RebootGuardian service) guarantees cleanup on the next boot via the Windows Service Control Manager.
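The BootExecute deployment and the anti-loop mechanism above leave a recognisable set of registry artifacts: a non-default BootExecute entry, a RebootGuardian service whose image path runs sc/reg/shutdown commands, a Themes DependOnService pointing at it, and the HVCI Enabled flag flipped to 0. The following is an added, defender-side triage script and is not part of KernelResearchKit. It audits an offline snapshot expressed as plain Python dicts (an assumed format, so it runs without a Windows host; on a live machine the same values would come from winreg or an offline SYSTEM-hive parser, which is not shown). The HypervisorEnforcedCodeIntegrity\Enabled location is the standard Windows key for Memory Integrity; the sample snapshot is constructed, not captured.

```python
"""Offline audit of the boot-time persistence artifacts described above.

Added example from a defender's stance; not code from the KernelResearchKit
project. The snapshot layout (dicts/lists) is an assumption so the check
runs offline; on a live host the values would be read with winreg or from
an offline SYSTEM hive (not shown)."""
from dataclasses import dataclass

SESSION_MANAGER = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
HVCI_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios"
            r"\HypervisorEnforcedCodeIntegrity")
DEFAULT_BOOT_EXECUTE = {"autocheck autochk *"}       # stock Windows value
WATCHLIST_SERVICES = {"rebootguardian"}              # name from the README
# Command fragments the README's graph shows the guardian service running.
SUSPICIOUS_IMAGE_PATH = ("shutdown", "sc delete", "reg delete")


@dataclass(frozen=True)
class Finding:
    severity: str
    location: str
    detail: str


def audit_boot_execute(entries):
    """Every BootExecute line except the stock autochk entry is a finding."""
    findings = []
    for entry in entries:
        line = entry.strip()
        if not line or line.lower() in DEFAULT_BOOT_EXECUTE:
            continue
        findings.append(Finding("high", SESSION_MANAGER + r"\BootExecute",
                                f"non-default native image at boot: {line!r}"))
    return findings


def audit_services(services):
    """services: name -> {'ImagePath': str, 'DependOnService': [names]}."""
    findings = []
    for name, cfg in services.items():
        loc = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + name
        if name.lower() in WATCHLIST_SERVICES:
            findings.append(Finding("high", loc, "watchlisted service present"))
        raw_image = cfg.get("ImagePath", "")
        if any(frag in raw_image.lower() for frag in SUSPICIOUS_IMAGE_PATH):
            findings.append(Finding("high", loc + r"\ImagePath",
                                    f"service image runs maintenance command: {raw_image!r}"))
        for dep in cfg.get("DependOnService", []):
            if dep.lower() in WATCHLIST_SERVICES:
                findings.append(Finding("medium", loc + r"\DependOnService",
                                        f"{name} chained to watchlisted service {dep!r}"))
    return findings


def audit_hvci(enabled):
    """enabled: the Enabled DWORD under HVCI_KEY, or None if absent."""
    if enabled in (None, 1):
        return []
    return [Finding("medium", HVCI_KEY + r"\Enabled",
                    "Memory Integrity disabled; correlate with BootExecute/service findings")]


def audit_snapshot(snapshot):
    return (audit_boot_execute(snapshot.get("BootExecute", []))
            + audit_services(snapshot.get("Services", {}))
            + audit_hvci(snapshot.get("HVCI_Enabled")))


# Constructed snapshot mirroring the artifacts the README describes;
# not captured from a real machine.
SAMPLE_SNAPSHOT = {
    "BootExecute": ["autocheck autochk *", "BootBypass"],
    "Services": {
        "Themes": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                   "DependOnService": ["RebootGuardian"]},
        "RebootGuardian": {"ImagePath": r"cmd.exe /c sc delete RebootGuardian & shutdown /r /t 0 /f",
                           "DependOnService": []},
    },
    "HVCI_Enabled": 0,
}

if __name__ == "__main__":
    for f in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.location}: {f.detail}")
```

Run against the constructed snapshot it reports five findings: the extra BootExecute image, the watchlisted service and its image path, the Themes dependency, and the cleared HVCI flag. Seeing the HVCI flag alone is low-signal (administrators do disable Memory Integrity), which is why it is rated medium and meant to be correlated with the others.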


Component 2: drvloader (Win32 Runtime Tool)

Interactive DSE bypass tool with dynamic symbol resolution and offset detection. No reboot required for operations.

Key Features:

  • PDB Symbol Download: Automatic download from https://msdl.microsoft.com/download/symbols
  • Mini-PDB Cache: Creates 32-byte .mpdb files with extracted offsets for offline use
  • Offset Auto-Update: Option 2 updates drivers.ini with current kernel offsets
  • No Driver Needed for Offset Detection: PDB parsing requires no kernel driver installation

Workflow:

graph TD
    A[Launch drvloader.exe] --> B{HVCI Active?}
    B -->|Yes| C[Offer to Disable + Reboot]
    B -->|No| D[Display Menu]
    
    C -->|Accept| E[Disable HVCI → Reboot]
    C -->|Decline| F[Continue at Risk]
    
    D --> G{Select Option}
    F --> G
    
    G -->|1: Patch DSE| H[Extract Vulnerable Driver from Resources]
    G -->|2: Show Offsets| I[Check Mini-PDB Cache]
    G -->|3: Exit| J[Cleanup]
    
    H --> K[Load Driver with Assembly-Decoded Name]
    K --> L[Read Current Callback]
    L --> M[Write ZwFlushInstructionCache]
    M --> N[Verify Patch]
    N --> O[Unload Driver & Delete Files]
    
    I -->|Cache Hit| P[Display Cached Offsets]
    I -->|Cache Miss| Q[Download PDB from Microsoft]
    Q --> R[Extract Offsets via DbgHelp]
    R --> S[Create Mini-PDB]
    S --> T[Update drivers.ini]
    T --> P
    
    style K fill:#4ecdc4
    style Q fill:#ffeb3b
    style S fill:#45b7d1

Mini-PDB Format:

File: C:\Windows\symbols\ntkrnlmp.pdb\{GUID}\ntkrnlmp.mpdb
Size: 32 bytes
Structure:
  - Magic: "MINIPDB\0" (8 bytes)
  - Version: 1 (4 bytes)
  - Reserved: (4 bytes)
  - Offset_SeCiCallbacks: (8 bytes)
  - Offset_SafeFunction: (8 bytes)
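Because the mini-PDB layout is fully specified above (8-byte magic, 4-byte version, 4-byte reserved, two 8-byte offsets, 32 bytes total), an incident responder can recognise and validate these cache files directly. The parser and cache-walker below are an added forensic example, not code from the KernelResearchKit project. It assumes little-endian field encoding (the README does not state byte order) and that the file is named ntkrnlmp.mpdb as in the path above; the offsets in the constructed test vector are placeholders, not real kernel RVAs.

```python
"""Parse and locate mini-PDB cache files (.mpdb) of the format described above.

Added forensic-triage example; not code from the KernelResearchKit project.
Assumptions: little-endian fields; any *.mpdb file is a candidate."""
import os
import struct
import tempfile
from dataclasses import dataclass

MPDB_MAGIC = b"MINIPDB\0"
MPDB_SIZE = 32
MPDB_LAYOUT = struct.Struct("<8sIIQQ")   # assumption: little-endian fields
assert MPDB_LAYOUT.size == MPDB_SIZE


@dataclass(frozen=True)
class MiniPdb:
    version: int
    reserved: int
    offset_se_ci_callbacks: int
    offset_safe_function: int


def parse_mini_pdb(data: bytes) -> MiniPdb:
    """Strict parse: wrong size, magic or version raises ValueError."""
    if len(data) != MPDB_SIZE:
        raise ValueError(f"expected {MPDB_SIZE} bytes, got {len(data)}")
    magic, version, reserved, off_ci, off_safe = MPDB_LAYOUT.unpack(data)
    if magic != MPDB_MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    return MiniPdb(version, reserved, off_ci, off_safe)


def is_mini_pdb(data: bytes) -> bool:
    try:
        parse_mini_pdb(data)
        return True
    except ValueError:
        return False


def scan_symbol_cache(root: str):
    """Walk a symbol cache tree (e.g. C:\\Windows\\symbols) and return
    (path, MiniPdb) for every file that parses as a mini-PDB."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".mpdb"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MPDB_SIZE + 1)   # +1 so oversized files fail
                hits.append((path, parse_mini_pdb(data)))
            except (OSError, ValueError):
                continue
    return hits


def build_mini_pdb(off_ci: int, off_safe: int, version: int = 1) -> bytes:
    """Constructed test vector; offsets are placeholders, not real RVAs."""
    return MPDB_LAYOUT.pack(MPDB_MAGIC, version, 0, off_ci, off_safe)


def demo_scan():
    """Create a throwaway cache tree with one valid and one junk .mpdb, scan it."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "ntkrnlmp.pdb", "PLACEHOLDER-GUID")
        os.makedirs(d)
        with open(os.path.join(d, "ntkrnlmp.mpdb"), "wb") as fh:
            fh.write(build_mini_pdb(0x00ABCDE0, 0x00123450))
        with open(os.path.join(d, "junk.mpdb"), "wb") as fh:
            fh.write(b"not a cache file")
        return scan_symbol_cache(root)


if __name__ == "__main__":
    for path, rec in demo_scan():
        print(path, rec)
```

Pointing scan_symbol_cache at a host's symbol directory lists every cache file the tool left behind, together with the build-specific offsets it recorded; the presence of any such file under a ntkrnlmp.pdb\{GUID} directory is itself an indicator that drvloader's Option 2 was run on that machine.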

Option 2 Functionality:

  1. Check for existing mini-PDB in cache (instant if found)
  2. If not cached: download full PDB from Microsoft Symbol Server
  3. Parse PDB using DbgHelp API to extract symbol offsets
  4. Create mini-PDB for future use (no download needed next time)
  5. Update drivers.ini [Config] section with current offsets
  6. Display offset information for external tools

Important: Offsets are constant for a specific Windows build. After Windows update (new build), run Option 2 to regenerate offsets. Same build = same offsets (deterministic).


Component 3: Assembly-Based String Obfuscation

Critical Innovation: The vulnerable driver name is never stored as a plaintext string in the binary. Instead, it's encoded in assembly data and decoded at runtime through a multi-phase algorithm.

**M

View on GitHub
GitHub Stars: 99
Category: Education
Updated: 9h ago
Forks: 15

Languages: C

Security Score: 80/100

Audited on Mar 31, 2026

No findings