├── PushMessages.MD
├── README.md
├── binaries
│   ├── README.md
│   ├── WKE32.exe
│   └── WKE64.exe
├── data
│   ├── README.md
│   └── WindowsKernelExplorer.dat
└── screenshots
    ├── README.md
    ├── mainmenu.png
    ├── memedit1.png
    ├── memedit2.png
    ├── memedit3.png
    ├── modpath.png
    ├── wx32.png
    ├── wx64.png
    ├── xp32.png
    └── xp64.png

/PushMessages.MD:
--------------------------------------------------------------------------------
##### Message
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Introduction
Windows Kernel Explorer (you can simply call it "WKE") is a free but powerful kernel research tool. It supports Windows XP through Windows 11. Compared with WIN64AST and PCHunter, WKE can run on the latest Windows without updated binary files. This means that even if I do not update WKE, or you do not have the latest version of WKE, an old WKE can still run on new Windows and most features will function normally.

### How does WKE work on the latest Windows
WKE automatically downloads the requisite symbol files if the current system is not supported natively; 90% of the features are available after this step. For some needed data that does not exist in the symbol files, WKE tries to retrieve it from the DAT file (when a new Windows is released, I upload a new DAT file to GitHub). Even if WKE is unable to connect to the internet and the DAT file does not exist, more than half of the features will still work. At present, native support is available from Windows XP to Windows 10 RS3. Windows 10 from RS4 to the latest Windows 11 is fully supported by parsing the symbol files and the DAT file.

### How to customize WKE
You can customize WKE by editing the configuration file.
Currently, you can specify the device name and symbolic link name of the driver, and the altitude of the filter. You can also enable kernel-mode and user-mode characteristics randomization to avoid detection by malware. If you rename the EXE file of WKE, you must also rename the SYS/DAT/INI files to the same base name as the EXE file.

### About digital signature and negative comments from Anti-Virus software
Because I don't have my own digital certificate, I have to use a leaked digital certificate to sign my drivers. Signing files with leaked digital certificates has a side effect: many Anti-Virus products infer that files with a leaked digital signature are suspicious, because many hackers use leaked digital certificates to sign malware. I don't care about any negative comments from any Anti-Virus software; the rule is simple: if you don't trust a program, just don't use it.

### About WKE being detected by Anti-Cheat solutions
WKE is not designed to bypass any Anti-Cheat solution. If you want to use WKE in a specific environment, please order the "binary customization" service.

### About loading the driver unsuccessfully
If WKE prompts "unable to load driver", there may be the following reasons:
###### 1. HVCI is enabled.
###### 2. Anti-Virus software prevents the driver from loading.
Solutions:
###### 1. [Disable HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity#how-to-turn-off-hvci) or disable Secure Boot.
###### 2. Add the files of WKE to the whitelist of the Anti-Virus software.

### About deleting files or folders unsuccessfully
NTFS parsing is turned on by default on systems from Windows XP to Windows 10. On some systems, parsing NTFS fails and causes deletion of files or folders to fail. In this case, you must turn off "NTFS parsing" in "Software Options" to delete files and folders.

# Main Features
1. Process management (Module, Thread, Handle, Memory, Window, Windows Hook, etc.)
2. File management (NTFS partition analysis, low-level disk access, etc.)
3. Registry management and HIVE file operation
4. Kernel-mode callback, filter, timer, NDIS blocks and WFP callout functions management
5. Kernel-mode hook scanning (MSR, EAT, IAT, CODE PATCH, SSDT, SSSDT, IDT, IRP, OBJECT)
6. User-mode hook scanning (Kernel Callback Table, EAT, IAT, CODE PATCH)
7. Memory editor and symbol parser (it looks like a simplified version of WINDBG)
8. Hide driver, hide/protect process, hide/protect/redirect file or directory, protect registry and falsify registry data
9. Path modification for driver, process and process module
10. Enable/disable some obnoxious Windows components

# [Screenshots](/screenshots/README.md)
In order to optimize the page load speed in low-quality network environments, I only placed one picture on this page.
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/mainmenu.png)

# Thanking List
1. Team of WIN64AST: I referenced the UI design and many features of this software.
2. Team of PCHunter: I referenced some features of this software.
3. Team of ProcessHacker: I studied the source code of this software, but I didn't use it in my project.
4. Donald John Trump: I very much hope that he can be president for another four years.

# Contact
### E-MAIL: AxtMueller#gmx.de (Replace # with @)
1. If you find bugs, have constructive suggestions or would like to purchase a paid service, please let me know. You had better write the E-MAIL in English or German; I only reply to E-MAILs that I am interested in.
2. In order to disclose as little personal information as possible (IP address, online time, etc.), I do not use instant messaging or social media.
Please write what you want in the E-MAIL.
### Paid services:
1. Binary customization: You will get a customized version of WKE without copyright information and digital signature; this will prevent some software from detecting WKE based on the program's characteristics. Adding your own copyright information and signing the files with a different certificate than the public version is also possible. The customized version of WKE is without VMP, so it can be run on 64-bit Windows with HVCI enabled.
2. Partial source code acquisition: You will get the source code of the specific features that you are interested in.
3. Complete source code acquisition: You will get the complete source code for both the EXE and the SYS.
4. Software production: I write a user-mode program or kernel-mode driver according to your needs. This service is only available to customers who have purchased any of the above services.

# [Revision History](/binaries/README.md#all-revision-history)
### Current Version: 20241019
Bug fix: Corrected some spelling mistakes.
New feature: Windows 11 26100 is supported.
### Revoked Versions: 00000000
These versions have serious security issues and should not be used anymore.
--------------------------------------------------------------------------------
/binaries/README.md:
--------------------------------------------------------------------------------
# Introduction
These EXE files ([WKE32](https://github.com/AxtMueller/Windows-Kernel-Explorer/raw/master/binaries/WKE32.exe) / [WKE64](https://github.com/AxtMueller/Windows-Kernel-Explorer/raw/master/binaries/WKE64.exe)) are packaged by WinRAR as self-extracting archives; they automatically decompress their files after execution. You can also rename these EXE files to ZIP files and decompress them manually.
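Two statements in these READMEs lend themselves to a check before anything is executed: the downloads are ZIP-based self-extracting archives (which is why renaming the EXE to .zip works), and the main README's rule that the SYS/DAT/INI files must carry the EXE's base name. The following Python script is an added example, not code from the WKE project: it lists and hashes the members of a ZIP-based SFX without running its stub, reports how many stub bytes precede the ZIP image, flags members that are native code, and checks the companion-file naming rule. It assumes the SFX layout the README implies (an executable stub followed by an ordinary ZIP image); the in-memory sample archive, its 64-byte fake stub and the `WKE64.*` member contents are constructed for the example.

```python
"""Inspect a ZIP-based self-extracting EXE without running it.

Added example, not part of the WKE project. Assumes the SFX layout the README
implies: an executable stub followed by an ordinary ZIP image. Python's zipfile
locates the end-of-central-directory record from the tail of the file and adds
the length of any prepended data to every member offset, so no renaming is needed.
"""
import hashlib
import io
import os
import zipfile

NATIVE_CODE_EXTS = {".exe", ".sys", ".dll"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, for comparing members against a hash obtained out of band."""
    return hashlib.sha256(data).hexdigest()


def inspect_sfx(data: bytes) -> dict:
    """List every member with size and SHA-256, report the stub length, and
    flag members that are native code. Raises ValueError when no ZIP central
    directory is present (i.e. the file is not a ZIP-based SFX)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("no ZIP central directory found; not a ZIP-based SFX")
    buf.seek(0)
    members = []
    with zipfile.ZipFile(buf) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
        # zipfile adds the prepended-data length to each header_offset, so the
        # first local header's offset is the stub length (assumes the ZIP image
        # begins with its first local file header, as zipfile itself writes it).
        stub_bytes = infos[0].header_offset if infos else 0
        for info in infos:
            content = zf.read(info)  # zipfile raises BadZipFile on a CRC mismatch
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": sha256_hex(content),
            })
    native = [m["name"] for m in members
              if os.path.splitext(m["name"])[1].lower() in NATIVE_CODE_EXTS]
    return {"stub_bytes": stub_bytes, "members": members, "native_code": native}


def missing_companions(names, exe_name: str) -> list:
    """README rule: the SYS/DAT/INI files must share the EXE's base name.
    Returns the expected companion file names that are absent, sorted."""
    base, ext = os.path.splitext(exe_name)
    if ext.lower() != ".exe":
        raise ValueError("exe_name must end in .exe")
    expected = {base + suffix for suffix in (".sys", ".dat", ".ini")}
    return sorted(expected - set(names))


def build_sample_sfx() -> bytes:
    """Constructed sample: a fake 64-byte 'MZ' stub followed by a ZIP holding
    four small text members. Not a real WKE package."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WKE64.exe", b"not a real binary, constructed sample")
        zf.writestr("WKE64.sys", b"not a real driver, constructed sample")
        zf.writestr("WKE64.dat", b"constructed data file")
        zf.writestr("WKE64.ini", b"; constructed placeholder ini\n")
    stub = b"MZ" + b"\x00" * 62  # fake PE stub, constructed
    return stub + zip_buf.getvalue()


if __name__ == "__main__":
    report = inspect_sfx(build_sample_sfx())
    print(f"stub bytes before ZIP image: {report['stub_bytes']}")
    for m in report["members"]:
        print(f"{m['name']:<12} {m['size']:>6}  {m['sha256']}")
    print("native code members:", report["native_code"])
    names = [m["name"] for m in report["members"]]
    print("missing companions:", missing_companions(names, "WKE64.exe") or "none")
```

To use it on a real download, read the EXE into `data` and call `inspect_sfx(data)`; the `.exe`/`.sys` members it flags are the ones whose signatures and hashes are worth checking before the archive is ever executed.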

# Turn off HVCI, Microsoft SmartScreen and Windows Defender
Microsoft SmartScreen and Windows Defender prevent downloading files that contain suspicious digital signatures, so you have to turn off Microsoft SmartScreen and Windows Defender before downloading. If the files cannot be downloaded, or you cannot access the downloaded files, paste the following code into a text editor, save it as a batch file and execute it as administrator. After restarting, this page will be opened again. On Windows 10 and later, you have to [manually disable Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device) and restart the system before using this batch file. Drivers protected by VMProtect cannot be loaded on systems with HVCI enabled, so HVCI must also be disabled.
```
::Please first disable Windows Defender Tamper Protection manually!!!
::https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequireMicrosoftSignedBootChain /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v HypervisorEnforcedCodeIntegrity /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKCU\SOFTWARE\Microsoft\Edge\SmartScreenEnabled" /v "" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled" /v "" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v OpenURL1 /t REG_SZ /d "explorer.exe https://github.com/AxtMueller/Windows-Kernel-Explorer/tree/master/binaries" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v OpenURL2 /t REG_SZ /d "%HOMEDRIVE%\program files\internet explorer\iexplore.exe \"https://github.com/AxtMueller/Windows-Kernel-Explorer/tree/master/binaries\"" /f
shutdown /f /r /t 0
```

# All revision history
### 15th version: 20241019
[This is the latest version.](../README.md#revision-history)
### 14th version: 20240210
Bug fix: Update checking failure.
New feature: Windows 11 22631 is supported.
### 13th version: 20230213
Bug fix: ADS operation failure on volume root directory.
New feature: File / folder layout viewer.
New feature: Disk hexadecimal editor.
New feature: Show progress when copying or deleting a folder.
### 12th version: 20211111
Bug fix: Enhanced stability.
New feature: Fully supported Windows 11.
### 11th version: 20210530
Bug fix: Enhanced stability.
Bug fix: UI fine-tuning.
New feature: Prohibit a process from running again after termination.
New feature: Get the window information at the cursor.
### 10th version: 20201111
Bug fix: Enhanced stability.
### 9th version: 20200610
Bug fix: Thread entry point cannot be displayed properly in some versions of Windows 7.
Bug fix: LoadImageNotify cannot be enumerated in some versions of Windows 8.
New feature: Output tree view of device stacks to a text file.
New feature: Add a description for GDT items.
Off topic: This version was originally planned to be released on June 1, but because of the killing of George Floyd my attention was diverted, which led to the release of this version 10 days later than originally planned. George Floyd's death is a tragedy, but it is just one of countless tragedies caused since the establishment of the United States. The US government is oppressing the American people, slaughtering the people of the Middle East, committing economic terrorism against countries that refuse to cooperate with it, and bullying European countries. It has caused much more harm to all mankind than Nazi Germany and the Communist Soviet Union. Only when this evil regime is completely destroyed can such tragedies cease.
### 8th version: 20200107
Bug fix: Inputbox works improperly on the latest Windows 10.
### 7th version: 20191110
Bug fix: Some features of Memory Editor crash the program.
### 6th version: 20191104
Bug fix: UI fine-tuning (menu, listview, etc).
Bug fix: Optimize the "export to file" feature.
Bug fix: Failed to access files and registry keys that contain a NULL character.
New feature: Map physical memory (Memory Editor).
### 5th version: 20190329
Bug fix: File operation failure in FAT32 partition.
New feature: Export all text in the list view to a file.
### 4th version: 20190326
Bug fix: UI fine-tuning.
Bug fix: Repackage the binaries with the latest data file.
### 3rd version: 20190325
Bug fix: UI optimization (adjust list view spacing from 13 pixels to 16 pixels, display process icon).
Bug fix: Some code modifications cannot be detected under certain circumstances.
Bug fix: Some directories cannot be deleted under certain circumstances.
New feature: Driver uninstallation.
New feature: Directory replication.
New feature: Digital signature verification.
New feature: File CRC32 and MD5 calculations.
New feature: NTFS partition parsing and stream enumeration.
### 2nd version: 20190128
Bug fix: Symbol related features in memory editor dialog.
Bug fix: Prompt the status of process and thread in the context menu.
New feature: Disable CreateProcess / CreateThread / LoadImage / Registry / Process and Thread object callbacks, FS filters.
New feature: Support dragging a file to the input box dialog (no need to type the input when you need to fill in a file path).
New feature: Highlight hidden drivers and processes.
New feature: Output all object names to a file.
New feature: Display NDIS handler functions.
New feature: Display process command line.
New feature: Registry value editor dialog.
New feature: Hide process, hide driver.
New feature: Unsigned driver loader.
New feature: Hive file operations.
### 1st version: 20181231
This is the first public version.
--------------------------------------------------------------------------------
/binaries/WKE32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/binaries/WKE32.exe
--------------------------------------------------------------------------------
/binaries/WKE64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/binaries/WKE64.exe
--------------------------------------------------------------------------------
/data/README.md:
--------------------------------------------------------------------------------
# Current Version: 20241019
The latest supported version of Windows is 26100.

# How to update data file
1. Download the latest [data file](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/data/WindowsKernelExplorer.dat).
2. Replace the old data file, which is located in the WKE directory, with the new data file.
--------------------------------------------------------------------------------
/screenshots/README.md:
--------------------------------------------------------------------------------
# Screenshots
### Windows XP 32-bit:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/xp32.png)
### Windows XP 64-bit:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/xp64.png)
### Windows 10 32-bit:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/wx32.png)
### Windows 10 64-bit:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/wx64.png)
### Main menu:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/mainmenu.png)
### Module path modification:
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/modpath.png)
### Memory editor (print structure):
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/memedit1.png)
### Memory editor (disassemble function):
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/memedit2.png)
### Memory editor (fuzzy lookup function names):
![image](https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/master/screenshots/memedit3.png)
--------------------------------------------------------------------------------
/screenshots/mainmenu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/mainmenu.png
--------------------------------------------------------------------------------
/screenshots/memedit1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/memedit1.png
--------------------------------------------------------------------------------
/screenshots/memedit2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/memedit2.png
--------------------------------------------------------------------------------
/screenshots/memedit3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/memedit3.png
--------------------------------------------------------------------------------
/screenshots/modpath.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/modpath.png
--------------------------------------------------------------------------------
/screenshots/wx32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/wx32.png
--------------------------------------------------------------------------------
/screenshots/wx64.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/wx64.png
--------------------------------------------------------------------------------
/screenshots/xp32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/xp32.png
--------------------------------------------------------------------------------
/screenshots/xp64.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AxtMueller/Windows-Kernel-Explorer/3d691a8bcfe5ef4b4fd11e62b2710c96b75722bb/screenshots/xp64.png
--------------------------------------------------------------------------------