KReClassEx

Kernel ReClassEx is a WinDbg extension that implements gui to reverse struct in Windows Kernel.

Usage

Config the ip addr.

config.json

{
  "server": "0.0.0.0",
  "server_port": "9000",
  "timeout": 300
}

.load YourPath\KDbgEngExt.dll
!runserver YourPath\config.json
bu WdFilter!DriverEntry

.load YourPath\KDbgEngExt.dll
.unload KDbgEngExt.dll
!runserver YourPath\config.json

The config file should be put in the KReClassEx.exe's directory.

The main UI. Connect to the Windbg.

The following simple example shows the WdFilter's MpData memory in KReClassEx.

The memory view. If the node is a function pointer, Kernel ReClassEx will auto get the function name. (Sometimes you should execute the .reload to get the pdb info.)

The generate view.

Note:

The KReClass only read kernel memory when windbg is in break status.

References and acknowledgement

About

Kernel ReClassEx

MIT License

Languages

Language:C++ 74.7%Language:HTML 16.4%Language:Objective-C++ 2.7%Language:Python 2.4%Language:Makefile 1.6%Language:C 1.4%Language:Objective-C 0.2%Language:Perl 0.1%Language:F# 0.1%Language:MATLAB 0.1%Language:QMake 0.1%Language:Ruby 0.0%Language:Batchfile 0.0%Language:Shell 0.0%Language:Prolog 0.0%Language:PHP 0.0%Language:PowerShell 0.0%Language:Module Management System 0.0%Language:VHDL 0.0%Language:R 0.0%Language:Raku 0.0%Language:CSS 0.0%Language:GDScript 0.0%Language:TeX 0.0%Language:Nim 0.0%Language:Erlang 0.0%Language:Inno Setup 0.0%Language:ASP.NET 0.0%Language:OCaml 0.0%Language:D 0.0%Language:Modula-3 0.0%Language:CMake 0.0%Language:Visual Basic .NET 0.0%Language:Julia 0.0%Language:Rust 0.0%Language:Lua 0.0%Language:Tcl 0.0%Language:Classic ASP 0.0%