windowsdanger
A REALLY Danger Windows Driver, Turn Any threads Ring0!
Science Score: 44.0%
This score indicates how likely this project is to be science-related based on various indicators:
- ✓ CITATION.cff file (found)
- ✓ codemeta.json file (found)
- ✓ .zenodo.json file (found)
- ○ DOI references
- ○ Academic publication links
- ○ Committers with academic emails
- ○ Institutional organization owner
- ○ JOSS paper metadata
- ○ Scientific vocabulary similarity: low similarity (13.1%) to scientific vocabulary
Repository
A REALLY Danger Windows Driver, Turn Any threads Ring0!
Statistics
- Stars: 9
- Watchers: 2
- Forks: 5
- Open Issues: 0
- Releases: 1
Metadata Files
README.md
WindowsDanger
WindowsDanger is an open-source project that helps developers learn the Windows kernel and other x86 features.
We do NOT modify or patch Windows code; we directly modify the x86 context instead.
Because of that we do not bypass PatchGuard; the driver is loaded using the official Test-Mode.
This driver is meant to help developers access and manipulate system resources more conveniently. By installing and launching this driver, you can elevate all threads to Ring0, allowing full control over low-level hardware and system resources.
⚠️ Warning: Please be aware that using WindowsDanger may result in system instability, data loss, or other unintended consequences. Use with caution and perform testing in a safe environment.
This project is still under development. For quicker access, please use the QEMUDangerx86 project.
Ke386SetIoAccessMap and Ke386IoSetAccessProcess are NOT available in Win10/Server 2019 and above. It's better to learn how the x86 CPU works with the TSS and IOPM; I just did that😎
Currently achieved:
- Disable Write-Protection by modifying CR0
- Hack the Ring3 segment in the GDT to Ring0
- Hack the TSS IOPM (0~FF)
- Insert new user-callable IDT entries 78H and 79H: 78H hacks IOPL -> 3, while 79H hacks the thread's CS & SS to Ring0
- Disable SMAP/SMEP by modifying CR4
- Adapt to multi-processor systems
Known Issues:
- I'm lazy to back up registers in the interrupt handler, so back them up yourself
- I'm lazy to hack the EXE thread to CS=0x30, and I hate the bullshit code needed to do that
- So I just hack it with CS=0x10 instead😎
- I'm also lazy to add a bullshit hook to the #GP/#PF handler to identify CS=0x30
- So you'll face a BSOD if your EXE crashes
Ideas:
- Use a soft int instruction from Ring3, and ret directly with the kernel context
- Hacking IOPL is the same, but with RFLAGS hacked, then iretq
Features
- Ring3 threads can touch IO ports (0~FF) directly after int 078h
- Elevate any thread to Ring0 for full control over low-level system resources by simply executing int 079h
- Facilitate hardware debugging and kernel-hack study
- Tested on Windows Server 2022 x64, on Hyper-V
Hint
- I recommend you play on QEMU / a physical PC, as Hyper-V may act strangely.
- I found the Azure Hypervisor may be strict on vmexit; if you hack CR0/GDT, you'll receive an undefined exception:
```
Unknown exception - code c0000096 (!!! second chance !!!)
WindowsDanger!Disable_WriteProtect+0x9:
fffff802`662c112e 0f22c0          mov     cr0,rax
```
- If you buy a PC / network card, make sure it supports NT kernel debugging. You can search for that info on MS-Learn.
Installation
You MUST attach a kernel debugger to prevent a BSOD, because int 3 will trigger a BSOD without a kernel debugger.
- Download the latest version of the WindowsDanger driver.
- Copy the driver file to an appropriate directory (e.g., C:\kd).
- Run the following command with administrator privileges to install the driver:
```
sc create WindowsDanger type= kernel binPath= C:\kd\WindowsDanger.sys
```
- Start the driver:
```
sc start WindowsDanger
```
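From a defender's side, the installation above leaves a recognisable footprint: the machine must boot in Test-Mode, a kernel debugger must be attached, and a kernel service named WindowsDanger is registered from C:\kd\WindowsDanger.sys with `sc create`. The following PowerShell script is an added example, not part of the WindowsDanger project, that inventories a host for exactly those preconditions and artifacts. The service name and file path are the README's defaults and are assumptions for any other install; the Service Control Manager event ID 7045 and the bcdedit `testsigning`/`debug` settings are standard Windows behaviour.

```powershell
# Added example, not part of the WindowsDanger project: inventory a host for the
# preconditions and artifacts the README describes (Test-Mode boot, attached kernel
# debugger, a kernel service named WindowsDanger loaded from C:\kd\WindowsDanger.sys).
# Service and file names are the README's defaults (assumed); adjust for other installs.
# Run from an elevated PowerShell prompt, since bcdedit needs administrator rights.

$ServiceName = 'WindowsDanger'
$DriverPath  = 'C:\kd\WindowsDanger.sys'

# Boot configuration: test-signing lets an unsigned test driver load, and the README
# requires a kernel debugger, which bcdedit reports as "debug Yes".
$bcd         = bcdedit /enum '{current}' 2>$null
$testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes')
$kernelDebug = [bool]($bcd -match '^\s*debug\s+Yes')

# Kernel-mode services (drivers) are not returned by Get-Service in Windows
# PowerShell 5.1, so query the Win32_SystemDriver CIM class instead.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

# The binary on disk and its signature state; a test-signed driver does not chain
# to a trusted root, so Status is normally something other than 'Valid'.
$file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue
$sig  = if ($file) { Get-AuthenticodeSignature -FilePath $DriverPath } else { $null }

# The Service Control Manager writes event 7045 to the System log whenever a service
# or driver is installed, so the 'sc create' step stays visible even after 'sc delete'.
$installEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) }

[pscustomobject]@{
    TestSigningEnabled = $testSigning
    KernelDebugEnabled = $kernelDebug
    DriverServiceFound = [bool]$drv
    DriverState        = if ($drv) { $drv.State } else { 'n/a' }
    DriverImagePath    = if ($drv) { $drv.PathName } else { 'n/a' }
    DriverFileOnDisk   = [bool]$file
    SignatureStatus    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
    InstallEventCount  = @($installEvents).Count
} | Format-List
```

A host that reports TestSigningEnabled and KernelDebugEnabled as True together with a running WindowsDanger service is in the configuration the README calls for; on a production machine the same combination is worth treating as a finding, because it means any thread can be promoted to Ring0 through the driver's IDT entries.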
Play
IoCTL_Caller: Send Requests to our Kernel Driver. Supported Commands:
- 0 : Disable Write-Protection by modifying CR0
- 1 : Hack the Ring3 segment in the GDT to Ring0 & hack the TSS_IOPM
- 2 : Map CR3 to a virtual address
- 3 : Insert new user-callable IDT entries 78H and 79H
- 4 : Disable SMAP/SMEP by modifying CR4
InterruptTester: Test our new IDT entries 78H and 79H
- 78H : Hack IOPL -> 3
- 79H : Hack current thread -> Ring0-Kernel !!
Please note: before you use int 078h/079h, you must hack the GDT, disable SMAP/SMEP, and insert the new IDT entries, i.e. send commands 1, 4 and 3.
Uninstallation
Stop the driver:
```
sc stop WindowsDanger
```
Remove the driver:
```
sc delete WindowsDanger
```
Delete the driver file.
Learning Resources
- Lab Experiment HandBooks: Contains Microsoft-Student-Ambassador Workshop, and some dbg logs
- Download WinDbg
- Install WDK
- Read Kernel Debugging Document on the Microsoft Learn
- Read My Experiment log for more details
- Course: Arch2001x86-64OS_Internals
License
WindowsDanger is licensed under the MIT License. Please refer to the LICENSE file for more information.
Contributing
We welcome your contributions to the WindowsDanger project! Please see CONTRIBUTING.md for how to get started.
Support and Feedback
If you encounter any issues while using WindowsDanger, or have any suggestions and feedback, please submit your concerns on the Issues page.
Disclaimer
WindowsDanger is intended for learning and research purposes only. The use of this driver may result in system instability, data loss, or other unintended consequences. The project authors and contributors are not responsible for any damages or losses resulting from the use of this driver. By using WindowsDanger, you agree to assume all risks.
Owner
- Name: SuperHacker UEFI
- Login: UEFI-code
- Kind: user
- Repositories: 108
- Profile: https://github.com/UEFI-code
Microsoft Learn Student Ambassador | Bionic Researcher | Software Engineer | BISTU
Citation (CITATION.cff)
cff-version: 1.0.0
message: If you use this software, please cite it as below.
title: WindowsDanger
authors:
- family-names: WindowsDanger Team
url: https://github.com/UEFI-code/WindowsDanger
preferred-citation:
type: opensource-software-toolkit
title: "WindowsDanger: An open-source project for learning and hacking Windows kernel"
authors:
- family-names: Zhang
given-names: Shizhuo
GitHub Events
Total
- Watch event: 3
- Push event: 18
- Fork event: 2
- Commit comment event: 2
Last Year
- Watch event: 3
- Push event: 18
- Fork event: 2
- Commit comment event: 2
Committers
Last synced: 8 months ago
Top Committers
| Name | Email | Commits |
|---|---|---|
| UEFI-code | z****g@h****m | 83 |
| UEFI-code | 1****1@q****m | 5 |
| = | = | 5 |