blkph0x/KernelLook
KernelLook

The driver and user-mode application presented here provide a solution for retrieving process and module information from the Windows kernel. The driver, named "ModuleList," exposes two IOCTL commands that can be invoked by the user-mode application to retrieve a list of running processes and their associated modules.

Features:

Driver Functionality:

- Retrieves a list of process IDs and names from the Windows kernel.
- Retrieves a list of loaded modules for a specified process.
- Implements error checking and robustness to handle various scenarios.
- Uses safe memory access techniques to prevent crashes and security vulnerabilities.

User-Mode Application Functionality:

- Communicates with the driver through IOCTL commands.
- Requests process information and displays the process names and IDs to the user.
- Prompts the user to select a process ID for further inspection.
- Requests module information for the selected process and displays the module details.

How It Works:

Driver:

- Upon loading, creates a device object and a symbolic link for communication with user-mode applications.
- Implements dispatch routines for Create, Close, and IOCTL requests.
- Handles IOCTL_GET_PROCESS_IDS by querying the system for process information and copying it to the output buffer.
- Handles IOCTL_GET_MODULES by retrieving the loaded modules for a specified process ID and copying the information to the output buffer.

User-Mode Application:

- Connects to the driver by opening the device using the symbolic link.
- Sends an IOCTL_GET_PROCESS_IDS request to retrieve the process information from the driver.
- Displays the process names and IDs to the user.
- Prompts the user to select a process ID.
- Sends an IOCTL_GET_MODULES request with the selected process ID to retrieve the module information from the driver.
- Displays the module details to the user.

Benefits for Security Professionals:

The ModuleList driver and user-mode application give security professionals a convenient tool for inspecting running processes and loaded modules on a Windows system. It can aid security assessments, malware analysis, and forensic investigations by providing an overview of the system's running processes and their associated modules. This information can help identify malicious processes, detect abnormal behavior, and analyze the impact of potential security threats. With error checking and robustness measures implemented, the solution ensures reliable and safe retrieval of process and module information from the Windows kernel.
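As an added illustration (not code from the KernelLook repository), the portable C below models the output-buffer contract the driver must honour when it answers IOCTL_GET_PROCESS_IDS, together with the matching sanity check the user-mode application should apply to what comes back. The PROCESS_ENTRY/PROCESS_LIST layout, the snapshot contents and the locally defined NTSTATUS values are assumptions chosen so the code builds outside the WDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef long NTSTATUS;                                /* kernel values, defined locally */
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)

/* Assumed wire format; the repository's real layout is not on the page. */
typedef struct { uint32_t pid; char name[16]; } PROCESS_ENTRY;
typedef struct { uint32_t count; PROCESS_ENTRY entries[]; } PROCESS_LIST;

/* Constructed stand-in for the driver's snapshot of the kernel process list. */
static const PROCESS_ENTRY kSnapshot[] = { {4, "System"}, {688, "csrss.exe"}, {1234, "explorer.exe"} };
#define SNAPSHOT_COUNT (sizeof kSnapshot / sizeof kSnapshot[0])

/* Bytes the caller must supply; 0 means the size arithmetic would overflow. */
size_t process_list_size(void)
{
    if (SNAPSHOT_COUNT > (SIZE_MAX - sizeof(PROCESS_LIST)) / sizeof(PROCESS_ENTRY)) return 0;
    return sizeof(PROCESS_LIST) + SNAPSHOT_COUNT * sizeof(PROCESS_ENTRY);
}

/* Driver side of IOCTL_GET_PROCESS_IDS: check OutputBufferLength before any write,
 * never exceed it, and report the required size through *bytes_needed. */
NTSTATUS fill_process_list(void *out, size_t out_len, size_t *bytes_needed)
{
    size_t need = process_list_size();
    *bytes_needed = need;
    if (need == 0 || out == NULL || out_len < need)
        return STATUS_BUFFER_TOO_SMALL;               /* caller retries with *bytes_needed */
    PROCESS_LIST *list = (PROCESS_LIST *)out;
    list->count = (uint32_t)SNAPSHOT_COUNT;
    memcpy(list->entries, kSnapshot, SNAPSHOT_COUNT * sizeof(PROCESS_ENTRY));
    return STATUS_SUCCESS;
}

/* User-mode side: count is driver-supplied; it must fit in the bytes actually returned. */
int list_is_well_formed(const void *buf, size_t returned)
{
    if (buf == NULL || returned < sizeof(PROCESS_LIST)) return 0;
    const PROCESS_LIST *l = (const PROCESS_LIST *)buf;
    return l->count <= (returned - sizeof(PROCESS_LIST)) / sizeof(PROCESS_ENTRY);
}

/* Two-call pattern the app wraps around DeviceIoControl: probe the size, then
 * fetch into a buffer that large.  Returns the entry count, or -1 on any failure. */
int demo_roundtrip(void)
{
    uint32_t raw[64];                                 /* 256 bytes, 4-byte aligned */
    size_t need = 0;
    if (fill_process_list(NULL, 0, &need) != STATUS_BUFFER_TOO_SMALL) return -1;
    if (need == 0 || need > sizeof raw || fill_process_list(raw, need, &need) != STATUS_SUCCESS) return -1;
    return list_is_well_formed(raw, need) ? (int)((PROCESS_LIST *)raw)->count : -1;
}
```

The same length discipline applies to IOCTL_GET_MODULES, where the requested process ID arrives in the input buffer and must be validated before any lookup.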

About

simple kernel driver and user mode app to do some magic
