[Tool] Windows Kernel Explorer

jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33

[Tool] Windows Kernel Explorer

15 Jan 2019, 03:13

Windows Kernel Explorer

WKE is a free but powerful Windows kernel research tool. It supports Windows XP through Windows 10, 32-bit and 64-bit. Compared to popular tools (such as WIN64AST and PCHunter), WKE is highly customizable and can run on the latest Windows 10 without updating its binary files.

Main Features:
  • Process management (Module, Thread, Handle, Memory, Window, Windows Hook, etc.)
  • File management
  • Registry management
  • Kernel-mode callback, filter, timer, NDIS blocks and WFP callout functions management
  • Kernel-mode hook scanning (MSR, EAT, IAT, CODE PATCH, SSDT, SSSDT, IDT, IRP, OBJECT)
  • User-mode hook scanning (Kernel Callback Table, EAT, IAT, CODE PATCH)
  • Memory editor and symbol parser (it looks like a simplified version of WINDBG)
  • Protect process, hide/protect/redirect file or directory, protect registry and falsify registry data
  • Path modification for driver, process and process module
  • Enable/disable some obnoxious Windows components

Flipeador
Posts: 1204
Joined: 15 Nov 2014, 21:31
Location: Argentina

Re: [Tool] Windows Kernel Explorer

20 Jan 2019, 09:51

Thanks for sharing.

I have a problem. At first, when I tried to start the application, it started without problems, but after a blue screen, when I tried to start it again, this message appeared:
Error
Unable to load driver! Please disable secure boot and try again.
I tried using the following commands in the console:
bcdedit /set testsigning on
bcdedit /set nointegritychecks off

The test mode has been activated correctly, on the desktop, in the lower right corner this message appears:
Test Mode
Windows 10 Pro
Build 17763.rs5_release.180914-1434
But it still does not work. The same thing happens with PCHunter.

Oh, forget it, I downloaded the application again and it seems to work. Although I still cannot make PCHunter work: "Load Driver Error!".
Do you know where the Message Hook tab is in WKE?
(I think I found it, in Process -> View Windows Hook).
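The "Unable to load driver" / "Load Driver Error" situation described in the post above comes down to three boot settings: Secure Boot, test signing, and memory integrity (HVCI). The following PowerShell is an added example (not code from the post or from the WKE project) that reports all three from an elevated prompt, so you can see why a research driver is being refused before toggling anything. The function names are my own; one caveat worth knowing is that `bcdedit /set nointegritychecks off` is the default and keeps integrity checks enabled, and that with Secure Boot on, bcdedit refuses to change either value at all.

```powershell
# Added example (not from the WKE project or the post above): report the boot
# settings that decide whether a non-WHQL kernel driver can be loaded at all.
# Run from an elevated PowerShell prompt; bcdedit and the Secure Boot cmdlet
# both need administrator rights.

function Get-DriverLoadPolicy {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that as $null.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    # bcdedit only emits text, so parse the current boot entry.
    # Defaults are "testsigning No" / "nointegritychecks No"; note that
    # "bcdedit /set nointegritychecks off" keeps integrity checks ON.
    $bcd = (bcdedit /enum '{current}' 2>&1) -join "`n"
    $testSigning = $bcd -match 'testsigning\s+Yes'
    $noIntegrity = $bcd -match 'nointegritychecks\s+Yes'

    # Memory integrity (HVCI) rejects kernel code that is unsigned or not
    # HVCI-compatible. Win32_DeviceGuard.SecurityServicesRunning contains 2
    # when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        TestSigning       = [bool]$testSigning
        NoIntegrityChecks = [bool]$noIntegrity
        HvciRunning       = $hvci
    }
}

function Test-CanLoadTestSignedDriver {
    # Secure Boot locks the testsigning/nointegritychecks settings (bcdedit
    # refuses to change them), so with it enabled only a properly signed,
    # HVCI-compatible driver will load.
    $p = Get-DriverLoadPolicy
    if ($p.SecureBoot -eq $true) { return $false }
    if ($p.HvciRunning)          { return $false }
    return [bool]($p.TestSigning -or $p.NoIntegrityChecks)
}

Get-DriverLoadPolicy | Format-List
```

Run `Get-DriverLoadPolicy` once before and once after changing settings; if `SecureBoot` is `True`, the "Test Mode" watermark cannot appear and the only fix is disabling Secure Boot in firmware (and, on a research box only, turning memory integrity off). To revert test mode afterwards, `bcdedit /set testsigning off` followed by a reboot is enough.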
lmstearn
Posts: 694
Joined: 11 Aug 2016, 02:32

Re: [Tool] Windows Kernel Explorer

20 Jan 2019, 10:32

Axt will want to put up a paragraph about Win 1809's Defender false positive. Defender can be rather obtrusive, as it now wants to reboot to take action, and the file has not even been executed. Although it might have logged that this user previously attempted to execute what was a file chunk obtained via "save link as" on the binaries page. :facepalm:
[Attachment: Defendy.JPG]
Looks very interesting though, and it promises to be very much like the kind of things on show over at Sysinternals. :)
Edit:
Axt has provided this batch script as a security workaround:

Code:

REM Disable the Defender engine via the policy keys (needs an elevated prompt)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
REM Disable real-time, on-access, download (IOAV) and behaviour monitoring
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
REM Turn off SmartScreen for Explorer, Edge and the legacy Edge phishing filter
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKCU\SOFTWARE\Microsoft\Edge\SmartScreenEnabled" /v "" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled" /v "" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
REM After the reboot, open the binaries page in the default browser and in IE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v OpenURL /t REG_SZ /d "explorer.exe https://github.com/AxtMueller/Windows-Kernel-Explorer/tree/master/binaries" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v OpenURL2 /t REG_SZ /d "%HOMEDRIVE%\program files\internet explorer\iexplore.exe \"https://github.com/AxtMueller/Windows-Kernel-Explorer/tree/master/binaries\"" /f
REM Force an immediate reboot so the policy changes take effect
shutdown /f /r /t 0
But there is no script to revert to the Windows default; presumably, as all of these are reg add, replace them with reg delete?
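To answer the revert question above: yes, every line in that batch file is a `reg add`, so undoing it means deleting exactly those values (and the keys it created) and then asking the engine to switch real-time protection back on. The PowerShell below is an added example, not code from the post or from Axt's project. It assumes the two Edge `SmartScreen*` keys did not exist before the script ran and that `Warn` is the stock value of `SmartScreenEnabled`; the function names are my own. It also shows the narrower fix a practitioner would normally prefer: leave Defender running and exclude only the tool's folder. Two caveats: on current Defender builds the `DisableAntiSpyware` policy is ignored and Tamper Protection blocks the real-time switches, so on a patched box the batch script may have done less than it looks.

```powershell
# Added example (not from the post above or the WKE project): undo exactly the
# registry values the batch script sets, then re-enable real-time protection.
# The second function shows the narrower fix of excluding only the tool's
# folder. Run from an elevated PowerShell prompt.

# Policy values created by the script; an absent value is already the default.
$script:ValuesToRemove = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' = @(
        'DisableAntiSpyware', 'DisableAntiVirus')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = @(
        'DisableIOAVProtection', 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
        'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable')
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter' = @(
        'EnabledV9')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' = @('OpenURL', 'OpenURL2')
}

# Keys the script creates from scratch (assumption: they did not exist before it ran).
$script:KeysToRemove = @(
    'HKCU:\SOFTWARE\Microsoft\Edge\SmartScreenEnabled',
    'HKCU:\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled')

function Restore-DefenderDefaults {
    foreach ($path in $script:ValuesToRemove.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($name in $script:ValuesToRemove[$path]) {
            Remove-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
        }
    }
    foreach ($key in $script:KeysToRemove) {
        Remove-Item -LiteralPath $key -Recurse -ErrorAction SilentlyContinue
    }
    # SmartScreenEnabled is a normal value, not a policy; "Warn" is assumed to be
    # the stock Windows 10 setting.
    Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -Value 'Warn'
    # With the policy values gone, ask the engine to turn real-time protection back on.
    Set-MpPreference -DisableRealtimeMonitoring $false
    # Return the live state so the caller can confirm the revert took effect.
    (Get-MpComputerStatus).RealTimeProtectionEnabled
}

function Add-ToolExclusion {
    # Narrower alternative: keep Defender on and exclude just the tool's directory.
    param([Parameter(Mandatory)][string]$ToolFolder)
    $full = (Resolve-Path -LiteralPath $ToolFolder).Path
    Add-MpPreference -ExclusionPath $full
    # Confirm the exclusion is listed; returns $true on success.
    (Get-MpPreference).ExclusionPath -contains $full
}
```

Usage: `Restore-DefenderDefaults` should print `True` once real-time protection is back; `Add-ToolExclusion -ToolFolder 'C:\Tools\WKE'` is what to run instead of the batch file if the only goal is to stop Defender quarantining the WKE binaries. No reboot is needed for either.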
