
KReClassEx

Kernel ReClassEx is a WinDbg extension that provides a GUI for reverse-engineering structures in the Windows kernel.

Usage

Configure the IP address and port in config.json:

```json
{
  "server": "0.0.0.0",
  "server_port": "9000",
  "timeout": 300
}
```

Then, in WinDbg, load the extension, start the server, and set a breakpoint (here on WdFilter's DriverEntry) so that the debugger enters the break state:

```text
.load YourPath\KDbgEngExt.dll
!runserver YourPath\config.json
bu WdFilter!DriverEntry
```

To reload the extension:

```text
.load YourPath\KDbgEngExt.dll
.unload KDbgEngExt.dll
!runserver YourPath\config.json
```

The config file must be placed in the same directory as KReClassEx.exe.
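A small validator for the config.json layout shown above, added here as an example (not part of the KReClassEx project): it parses the file, checks the port and timeout, and flags a `server` value that binds the kernel-memory server to every interface rather than loopback. The sample config string is constructed to match the README.

```python
import json
import ipaddress

# Constructed sample mirroring the README's config.json (not the project's file).
SAMPLE_CONFIG = '{"server": "0.0.0.0", "server_port": "9000", "timeout": 300}'


def check_config(text):
    """Parse a KReClassEx-style config.json and return a list of findings.

    An empty list means the config is well-formed and binds to loopback.
    Each finding is a string prefixed with 'error:' or 'warning:'.
    """
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"error: config is not valid JSON ({exc.msg})"]

    for key in ("server", "server_port", "timeout"):
        if key not in cfg:
            findings.append(f"error: missing key '{key}'")
    if findings:
        return findings

    # Bind address: 0.0.0.0 exposes the debugger's memory server to the network.
    try:
        addr = ipaddress.ip_address(cfg["server"])
    except ValueError:
        findings.append(f"error: server '{cfg['server']}' is not an IP address")
    else:
        if addr.is_unspecified:
            findings.append("warning: server binds to all interfaces; use 127.0.0.1 unless remote access is required")
        elif not addr.is_loopback:
            findings.append(f"warning: server {addr} is reachable from the network")

    # The README stores the port as a string; accept string or int.
    try:
        port = int(cfg["server_port"])
    except (TypeError, ValueError):
        findings.append("error: server_port is not an integer")
    else:
        if not 1 <= port <= 65535:
            findings.append(f"error: server_port {port} is out of range")

    timeout = cfg["timeout"]
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        findings.append("error: timeout must be a positive integer")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```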

The main UI: connect to WinDbg.

Connect

The following simple example shows WdFilter's MpData memory in KReClassEx.

Main

The memory view. If a node is a function pointer, Kernel ReClassEx resolves the function name automatically. (Sometimes you need to run .reload so that WinDbg has the PDB symbol information.)

Main

The generated-code view.

Generated

Note:

KReClassEx only reads kernel memory while WinDbg is in the break state.

References and acknowledgements

ReClassEx

lexilla 5.2.6

scintilla 5.3.6

TotalPE2

nlohmann json

libevent