windows-kernel-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Windows Kernel Security

Windows内核安全

Overview

概述

This skill covers Windows kernel security topics from the awesome-game-security collection, including driver development, system callbacks, security feature bypasses, and kernel-mode exploitation.

本技能涵盖了来自awesome-game-security合集的Windows内核安全主题，包括驱动开发、系统回调、安全功能绕过以及内核模式漏洞利用。

Core Kernel Concepts

核心内核概念

Important Structures

重要结构

EPROCESS / ETHREAD
PEB / TEB
DRIVER_OBJECT
DEVICE_OBJECT
IRP (I/O Request Packet)

EPROCESS / ETHREAD
PEB / TEB
DRIVER_OBJECT
DEVICE_OBJECT
IRP（I/O请求数据包）

Key Tables

关键表

SSDT (System Service Descriptor Table)
IDT (Interrupt Descriptor Table)
GDT (Global Descriptor Table)
PspCidTable (Process/Thread handle table)

SSDT（系统服务描述符表）
IDT（中断描述符表）
GDT（全局描述符表）
PspCidTable（进程/线程句柄表）

Security Features

安全功能

PatchGuard (Kernel Patch Protection)

PatchGuard（内核补丁保护）

- Protects critical kernel structures
- Periodic verification checks
- BSOD on tampering detection
- Multiple trigger mechanisms

- 保护关键内核结构
- 定期验证检查
- 检测到篡改时触发BSOD
- 多种触发机制

Driver Signature Enforcement (DSE)

驱动签名强制（DSE）

- Requires signed drivers
- CI.dll verification
- Test signing mode
- WHQL certification

- 要求驱动签名
- CI.dll验证
- 测试签名模式
- WHQL认证

Hypervisor Code Integrity (HVCI)

虚拟机监控器代码完整性（HVCI）

- VBS-based protection
- Kernel code integrity
- Driver compatibility requirements
- Memory restrictions

- 基于VBS的保护
- 内核代码完整性
- 驱动兼容性要求
- 内存限制

Secure Boot

安全启动

- UEFI-based boot verification
- Boot loader chain validation
- Kernel signature checks
- DBX (forbidden signatures)

- 基于UEFI的启动验证
- 启动加载程序链验证
- 内核签名检查
- DBX（禁用签名列表）

Kernel Callbacks

内核回调

Process Callbacks

进程回调

cpp

PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetCreateProcessNotifyRoutineEx2

cpp

PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetCreateProcessNotifyRoutineEx2

Thread Callbacks

线程回调

cpp

PsSetCreateThreadNotifyRoutine
PsSetCreateThreadNotifyRoutineEx

cpp

PsSetCreateThreadNotifyRoutine
PsSetCreateThreadNotifyRoutineEx

Image Load Callbacks

镜像加载回调

cpp

PsSetLoadImageNotifyRoutine
PsSetLoadImageNotifyRoutineEx

cpp

PsSetLoadImageNotifyRoutine
PsSetLoadImageNotifyRoutineEx

Object Callbacks

对象回调

cpp

ObRegisterCallbacks
// OB_OPERATION_HANDLE_CREATE
// OB_OPERATION_HANDLE_DUPLICATE

cpp

ObRegisterCallbacks
// OB_OPERATION_HANDLE_CREATE
// OB_OPERATION_HANDLE_DUPLICATE

Registry Callbacks

注册表回调

cpp

CmRegisterCallback
CmRegisterCallbackEx

cpp

CmRegisterCallback
CmRegisterCallbackEx

Minifilter Callbacks

微过滤器回调

cpp

FltRegisterFilter
// IRP_MJ_CREATE, IRP_MJ_READ, etc.

cpp

FltRegisterFilter
// IRP_MJ_CREATE, IRP_MJ_READ, etc.

Driver Development

驱动开发

Basic Structure

基本结构

cpp

NTSTATUS DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath
) {
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    // Create device, symbolic link...
    return STATUS_SUCCESS;
}

cpp

NTSTATUS DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath
) {
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    // 创建设备、符号链接...
    return STATUS_SUCCESS;
}

Communication Methods

通信方式

IOCTL (DeviceIoControl)
Direct I/O
Buffered I/O
Shared memory

IOCTL（DeviceIoControl）
直接I/O
缓冲I/O
共享内存

Vulnerable Driver Exploitation

漏洞驱动利用

Common Vulnerability Types

常见漏洞类型

Arbitrary read/write primitives
IOCTL handler vulnerabilities
Pool overflow
Use-after-free

任意读/写原语
IOCTL处理程序漏洞
池溢出
释放后使用

Notable Vulnerable Drivers

知名漏洞驱动

- gdrv.sys (Gigabyte)
- iqvw64e.sys (Intel)
- MsIo64.sys
- Mhyprot2.sys (Genshin Impact)
- dbutil_2_3.sys (Dell)
- RTCore64.sys (MSI)
- Capcom.sys

- gdrv.sys（技嘉）
- iqvw64e.sys（英特尔）
- MsIo64.sys
- Mhyprot2.sys（原神）
- dbutil_2_3.sys（戴尔）
- RTCore64.sys（微星）
- Capcom.sys

Exploitation Steps

利用步骤

Load vulnerable signed driver
Trigger vulnerability
Achieve kernel read/write
Disable DSE or load unsigned driver
Execute arbitrary kernel code

加载已签名的漏洞驱动
触发漏洞
实现内核读/写权限
禁用DSE或加载未签名驱动
执行任意内核代码

PatchGuard Bypass Techniques

PatchGuard绕过技术

Timing-Based

基于时序

Predict PG timer
Modify between checks

预测PG计时器
在检查间隙修改

Context Manipulation

上下文操纵

Exception handling
DPC manipulation
Thread context tampering

异常处理
DPC操纵
线程上下文篡改

Hypervisor-Based

基于虚拟机监控器

EPT manipulation
Memory virtualization
Intercept PG checks

EPT操纵
内存虚拟化
拦截PG检查

Kernel Hooking

内核挂钩

ETW (Event Tracing for Windows)

ETW（Windows事件跟踪）

- InfinityHook technique
- HalPrivateDispatchTable
- System call tracing

- InfinityHook技术
- HalPrivateDispatchTable
- 系统调用追踪

SSDT Hooking (Legacy)

SSDT挂钩（传统）

- Modify service table entries
- Requires PG bypass
- High detection risk

- 修改服务表条目
- 需要绕过PG
- 高检测风险

IRP Hooking

IRP挂钩

- Hook driver dispatch routines
- Less monitored than SSDT
- Per-driver targeting

- 挂钩驱动分发例程
- 比SSDT监控更少
- 针对单个驱动

Memory Manipulation

内存操纵

Physical Memory Access

物理内存访问

cpp

MmMapIoSpace
MmCopyMemory
\\Device\\PhysicalMemory

cpp

MmMapIoSpace
MmCopyMemory
\\Device\\PhysicalMemory

Virtual Memory

虚拟内存

cpp

ZwReadVirtualMemory
ZwWriteVirtualMemory
KeStackAttachProcess
MmCopyVirtualMemory

cpp

ZwReadVirtualMemory
ZwWriteVirtualMemory
KeStackAttachProcess
MmCopyVirtualMemory

MDL Operations

MDL操作

cpp

IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache

cpp

IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache

Research Tools

研究工具

Analysis

分析工具

WinDbg / WinDbg Preview
Process Hacker / System Informer
OpenArk
WinArk

WinDbg / WinDbg Preview
Process Hacker / System Informer
OpenArk
WinArk

Utilities

实用工具

KDU (Kernel Driver Utility)
OSR Driver Loader
DriverView

KDU（内核驱动工具）
OSR Driver Loader
DriverView

Monitoring

监控工具

Process Monitor
API Monitor
ETW consumers

Process Monitor
API Monitor
ETW消费者

EFI/UEFI Integration

EFI/UEFI集成

Boot-Time Access

启动时访问

- EFI runtime services
- Boot driver loading
- Pre-OS execution

- EFI运行时服务
- 启动驱动加载
- 操作系统前执行

Memory Access

内存访问

- GetVariable/SetVariable
- Runtime memory mapping
- Physical memory access

- GetVariable/SetVariable
- 运行时内存映射
- 物理内存访问

Hypervisor Development

虚拟机监控器开发

Intel VT-x

VMCS configuration
EPT (Extended Page Tables)
VM exits handling

VMCS配置
EPT（扩展页表）
VM退出处理

AMD-V

VMCB structure
NPT (Nested Page Tables)
SVM operations

VMCB结构
NPT（嵌套页表）
SVM操作

Use Cases

应用场景

Memory hiding
Syscall interception
Security monitoring
Anti-cheat evasion

内存隐藏
系统调用拦截
安全监控
反作弊绕过

Resource Organization

资源组织

The README contains categorized links for:

PatchGuard research and bypasses
DSE bypass techniques
Vulnerable driver exploits
Kernel callback enumeration
ETW/PMI/NMI handlers
Intel PT integration

本README包含分类链接，涉及：

PatchGuard研究与绕过
DSE绕过技术
漏洞驱动利用
内核回调枚举
ETW/PMI/NMI处理程序
Intel PT集成

Data Source

数据源

Important: This skill provides conceptual guidance and overview information. For detailed information including:

Specific GitHub repository links
Complete project lists with descriptions
Up-to-date tools and resources
Code examples and implementations

Please fetch the complete data from the main repository:

https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md

The main README contains thousands of curated links organized by category. When users ask for specific tools, projects, or implementations, retrieve and reference the appropriate sections from this source.

重要提示：本技能提供概念性指导和概述信息。如需详细信息，包括：

具体GitHub仓库链接
带描述的完整项目列表
最新工具与资源
代码示例与实现

请从主仓库获取完整数据：

https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md

主README包含数千个分类整理的链接。当用户询问特定工具、项目或实现时，请从中检索并参考相应章节。