Trending-skills ntwarden-windows-analysis-toolkit

NtWarden is a Windows Analysis and Research Toolkit providing GUI-based inspection of processes, kernel internals, services, network, ETW, and more via ImGui + DirectX 11 with optional kernel driver support.

install

source · Clone the upstream repo

git clone https://github.com/Aradotso/trending-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/Aradotso/trending-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/ntwarden-windows-analysis-toolkit" ~/.claude/skills/aradotso-trending-skills-ntwarden-windows-analysis-toolkit && rm -rf "$T"

manifest: skills/ntwarden-windows-analysis-toolkit/SKILL.md

source content

NtWarden Windows Analysis and Research Toolkit

Skill by ara.so — Daily 2026 Skills collection.

NtWarden is a Windows system inspection tool built on ImGui + DirectX 11. It covers processes, services, network, kernel internals, ETW, registry, object manager, and more — locally or remotely via WinSysServer. A kernel driver (KWinSys) enables deep kernel-mode analysis including SSDT hooks, kernel callbacks, EPT hook detection, and driver integrity checks.

Architecture

Component	Role
NtWarden	GUI app (ImGui + DirectX 11)
WinSys	Static lib — process, service, network enumeration
KWinSys	Kernel driver — callbacks, SSDT, kernel modules, pool, etc.
WinSysServer	Headless TCP server for remote inspection

Build Requirements

Visual Studio 2022
Windows SDK 10.0.26100.0+
WDK (Windows Driver Kit) — required only for KWinSys kernel driver

Building

# Open solution in Visual Studio 2022
# Select Release | x64
# Build All

# Output lands in:
x64/Release/NtWarden.exe
x64/Release/WinSysServer.exe
x64/Release/KWinSys/KWinSys.sys

Solution structure:

NtWarden.sln
├── NtWarden/          # GUI application
├── WinSys/            # Core static library
├── KWinSys/           # Kernel driver (.sys)
└── WinSysServer/      # Remote TCP server

Running NtWarden

Always run as Administrator for full functionality.

# Run elevated
Start-Process NtWarden.exe -Verb RunAs

User-mode features (processes, services, network, ETW, registry, object manager) work without the driver.

Kernel Driver Setup (KWinSys)

⚠️ Use only in a test VM. Enable test signing before installing.

# Enable test signing (requires reboot)
bcdedit /set testsigning on

# On VMs, may also need:
bcdedit /set nointegritychecks on

# Reboot, then run NtWarden as Administrator.
# Switching to the Kernel Mode tab auto-installs and starts KWinSys.

Manual driver management:

# Install manually
sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc start KWinSys

# Stop and remove
sc stop KWinSys
sc delete KWinSys

The NtWarden GUI also exposes driver management under the Driver menu.

Remote Inspection (WinSysServer)

Deploy to a target machine (typically a VM) and connect from NtWarden.

Files to copy to target

File	Source Path	Purpose
`WinSysServer.exe`	`x64/Release/WinSysServer.exe`	Always required
`KWinSys.sys`	`x64/Release/KWinSys/KWinSys.sys`	Kernel features only

Starting the server (on target, elevated)

# Auto-install driver + start server on default port 50002
WinSysServer.exe --install

# Custom port
WinSysServer.exe --install --port 9000

# If driver already installed manually:
WinSysServer.exe
WinSysServer.exe --port 9000

Connecting from NtWarden (on host)

Launch NtWarden
Go to Remote menu
Enter target IP and port (default:
```
50002
```
)
Click Connect

Protocol notes

Custom binary protocol over TCP
12-byte header:
```
MessageType
```
,
```
DataSize
```
,
```
Status
```
No authentication — use only in isolated lab/VM environments
User-mode data (processes, services, network) works without KWinSys on target
Kernel tabs require KWinSys loaded on the remote target

WinSys Static Library — Key Usage Patterns

WinSys is the core library consumed by both NtWarden and WinSysServer. Example integration patterns in C++:

Process Enumeration

#include "WinSys/ProcessManager.h"

// Enumerate all processes (user mode)
auto& pm = WinSys::ProcessManager::Get();
pm.Update();  // Refresh snapshot

for (auto& proc : pm.GetProcesses()) {
    printf("PID: %5u  Name: %s\n",
        proc->Id,
        proc->GetImageName().c_str());
}

Service Enumeration

#include "WinSys/ServiceManager.h"

WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();

for (auto& svc : services) {
    printf("Service: %-40s  State: %u  StartType: %u\n",
        svc.GetName().c_str(),
        svc.Status.dwCurrentState,
        svc.Config.dwStartType);
}

Network Connections

#include "WinSys/NetworkManager.h"

WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();

for (auto& conn : conns) {
    printf("PID: %u  Local: %s:%u  Remote: %s:%u  State: %u\n",
        conn.ProcessId,
        conn.LocalAddress.c_str(), conn.LocalPort,
        conn.RemoteAddress.c_str(), conn.RemotePort,
        conn.State);
}

Communicating with KWinSys Driver (IOCTL)

#include "WinSys/KernelInterface.h"

// Open handle to driver device
WinSys::KernelInterface ki;
if (!ki.Open()) {
    fprintf(stderr, "Failed to open KWinSys device. Is driver loaded?\n");
    return;
}

// Enumerate kernel modules
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
    printf("Base: %p  Size: 0x%X  Path: %s\n",
        mod.Base, mod.Size, mod.FullPath.c_str());
}

// Read kernel callbacks
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
    printf("Callback: %p  Module: %s  Suspicious: %d\n",
        cb.Address,
        cb.OwnerModule.c_str(),
        cb.IsSuspicious ? 1 : 0);
}

Per-Process Security Analysis (Analyze Process)

Accessible via right-click > Analyze Process in the GUI, or programmatically:

#include "WinSys/ProcessAnalyzer.h"

DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);

auto result = analyzer.Analyze();

// Unbacked executable memory (shellcode indicator)
for (auto& region : result.UnbackedRegions) {
    printf("Unbacked RX region: base=%p size=0x%zX\n",
        region.Base, region.Size);
}

// Hollowing detection
if (result.HollowingDetected) {
    printf("Hollowing: PEB ImageBase=%p vs PE Header ImageBase=%p\n",
        result.PebImageBase, result.PeHeaderImageBase);
}

// Direct syscalls outside ntdll
for (auto& sc : result.DirectSyscalls) {
    printf("Direct syscall at: %p in module: %s\n",
        sc.Address, sc.ModuleName.c_str());
}

// Inline user hooks
for (auto& hook : result.UserHooks) {
    printf("Hook in %s!%s at %p -> %p\n",
        hook.Module.c_str(),
        hook.Function.c_str(),
        hook.Address,
        hook.Target);
}

// Token info
printf("Elevated: %d  IntegrityLevel: %u\n",
    result.Token.IsElevated,
    result.Token.IntegrityLevel);

Key Features by Tab

User Mode (no driver)

Tab	Capability
Processes	Tree view, handles, threads, memory regions, modules
Performance	CPU/RAM/GPU/network graphs, overlay mode
Services	Status, start type, binary path
Network > Connections	TCP/UDP with owning PID
Network > Root Certificates	Subject, issuer, thumbprint
Network > NDIS	Adapter driver, MAC, speed, media type
ETW	Active trace sessions and registered providers
IPC	RPC endpoints and named pipes
Object Manager	Kernel object namespace browser
Registry	Key/value browser
Logger	Kernel driver debug logs + GUI logs

Kernel Mode (requires KWinSys)

Tab	Capability
Process Objects	EPROCESS enumeration, hidden process detection
Modules	Kernel drivers + LolDrivers check
Callbacks	Process/thread/image/registry/object/power callbacks + integrity
SSDT	Entries with owner and hook detection
Kernel Pool	Big pool allocations and tag stats
Memory R/W	Read/write kernel memory by address
Timers	Per-CPU interrupt and DPC counters
Filter	Minifilter drivers with altitude/instance
Descriptor Tables	GDT/IDT entries
IRP Dispatch	IRP dispatch table for any driver
WFP	WFP callout drivers and filters
DSE Status	Driver Signature Enforcement state
CI Policy	Code Integrity policy and enforcement level
Kernel Integrity	Verify kernel .text vs on-disk image
Hypervisor Hooks	EPT hook detection via timing analysis

Common Patterns

Check if driver is loaded before using kernel features

#include "WinSys/KernelInterface.h"

WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();

if (driverAvailable) {
    // Use kernel-mode features
    auto ssdt = ki.GetSSDTEntries();
} else {
    // Fall back to user-mode only
    fprintf(stderr, "KWinSys not loaded — kernel features unavailable.\n");
}

Detect hidden processes (cross-reference EPROCESS list vs user-mode list)

WinSys::KernelInterface ki;
ki.Open();

auto kernelProcs = ki.EnumProcessObjects();  // Via EPROCESS walk
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();

// Build set of user-visible PIDs
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);

// Find PIDs in kernel list but not user list
for (auto& kp : kernelProcs) {
    if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
        printf("HIDDEN PROCESS: PID=%u Name=%s\n",
            kp.ProcessId, kp.ImageName.c_str());
    }
}

Troubleshooting

NtWarden won't show kernel tabs

Ensure KWinSys.sys is in the same directory as NtWarden.exe (or
```
x64/Release/KWinSys/
```
)
Run NtWarden as Administrator
Confirm test signing is enabled:
```
bcdedit /enum | findstr testsigning
```
Check Logger tab for driver load errors

Driver fails to install

# Verify test signing is on
bcdedit /enum | Select-String "testsigning"

# Check for existing broken service entry
sc query KWinSys
sc delete KWinSys  # if stuck, delete and retry

# Some VMs also need:
bcdedit /set nointegritychecks on
# Then reboot

WinSysServer connection refused

# Verify server is running on target
netstat -ano | findstr 50002

# Check Windows Firewall on target
netsh advfirewall firewall add rule name="WinSysServer" `
  dir=in action=allow protocol=TCP localport=50002

Capstone not found (user hooks tab shows no data)

User hook detection with disassembly requires Capstone
Build WinSys with Capstone linked, or the hook scanner will report bytes without disassembly

Performance overlay not visible

Launch NtWarden, go to Performance tab
Enable overlay mode — it renders over other windows using DirectX 11 transparency

Build errors — missing WDK

KWinSys requires the Windows Driver Kit
If you only need user-mode features, exclude KWinSys project from build in Visual Studio (right-click project > Unload Project)

Tested Windows Versions

Windows 11 23H2 (Build 22631.6199)
Windows 10 22H2 (Build 19045.2006)
Windows 10 1703 (Build 15063.13)

References

zodiacon — Primary inspiration
WinArk — Kernel-mode feature reference
LolDrivers — Vulnerable driver database used in Modules tab