From aradotso-trending-skills-37
Inspects Windows processes, kernel internals, services, network, ETW, registry via ImGui + DirectX11 GUI. Supports remote access and kernel driver for SSDT hooks, EPT detection in test VMs.
npx claudepluginhub joshuarweaver/cascade-ai-ml-agents-misc-1 --plugin aradotso-trending-skills-37This skill uses the workspace's default tool permissions.
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
Skill by ara.so — Daily 2026 Skills collection.
NtWarden is a Windows system inspection tool built on ImGui + DirectX 11. It covers processes, services, network, kernel internals, ETW, registry, object manager, and more — locally or remotely via WinSysServer. A kernel driver (KWinSys) enables deep kernel-mode analysis including SSDT hooks, kernel callbacks, EPT hook detection, and driver integrity checks.
| Component | Role |
|---|---|
| NtWarden | GUI app (ImGui + DirectX 11) |
| WinSys | Static lib — process, service, network enumeration |
| KWinSys | Kernel driver — callbacks, SSDT, kernel modules, pool, etc. |
| WinSysServer | Headless TCP server for remote inspection |
# Open solution in Visual Studio 2022
# Select Release | x64
# Build All
# Output lands in:
x64/Release/NtWarden.exe
x64/Release/WinSysServer.exe
x64/Release/KWinSys/KWinSys.sys
Solution structure:
NtWarden.sln
├── NtWarden/ # GUI application
├── WinSys/ # Core static library
├── KWinSys/ # Kernel driver (.sys)
└── WinSysServer/ # Remote TCP server
Always run as Administrator for full functionality.
# Run elevated
Start-Process NtWarden.exe -Verb RunAs
User-mode features (processes, services, network, ETW, registry, object manager) work without the driver.
⚠️ Use only in a test VM. Enable test signing before installing.
# Enable test signing (requires reboot)
bcdedit /set testsigning on
# On VMs, may also need:
bcdedit /set nointegritychecks on
# Reboot, then run NtWarden as Administrator.
# Switching to the Kernel Mode tab auto-installs and starts KWinSys.
Manual driver management:
# Install manually
sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc start KWinSys
# Stop and remove
sc stop KWinSys
sc delete KWinSys
The NtWarden GUI also exposes driver management under the Driver menu.
Deploy to a target machine (typically a VM) and connect from NtWarden.
| File | Source Path | Purpose |
|---|---|---|
WinSysServer.exe | x64/Release/WinSysServer.exe | Always required |
KWinSys.sys | x64/Release/KWinSys/KWinSys.sys | Kernel features only |
# Auto-install driver + start server on default port 50002
WinSysServer.exe --install
# Custom port
WinSysServer.exe --install --port 9000
# If driver already installed manually:
WinSysServer.exe
WinSysServer.exe --port 9000
50002)MessageType, DataSize, StatusWinSys is the core library consumed by both NtWarden and WinSysServer. Example integration patterns in C++:
#include "WinSys/ProcessManager.h"
// Enumerate all processes (user mode)
auto& pm = WinSys::ProcessManager::Get();
pm.Update(); // Refresh snapshot
for (auto& proc : pm.GetProcesses()) {
printf("PID: %5u Name: %s\n",
proc->Id,
proc->GetImageName().c_str());
}
#include "WinSys/ServiceManager.h"
WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();
for (auto& svc : services) {
printf("Service: %-40s State: %u StartType: %u\n",
svc.GetName().c_str(),
svc.Status.dwCurrentState,
svc.Config.dwStartType);
}
#include "WinSys/NetworkManager.h"
WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();
for (auto& conn : conns) {
printf("PID: %u Local: %s:%u Remote: %s:%u State: %u\n",
conn.ProcessId,
conn.LocalAddress.c_str(), conn.LocalPort,
conn.RemoteAddress.c_str(), conn.RemotePort,
conn.State);
}
#include "WinSys/KernelInterface.h"
// Open handle to driver device
WinSys::KernelInterface ki;
if (!ki.Open()) {
fprintf(stderr, "Failed to open KWinSys device. Is driver loaded?\n");
return;
}
// Enumerate kernel modules
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
printf("Base: %p Size: 0x%X Path: %s\n",
mod.Base, mod.Size, mod.FullPath.c_str());
}
// Read kernel callbacks
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
printf("Callback: %p Module: %s Suspicious: %d\n",
cb.Address,
cb.OwnerModule.c_str(),
cb.IsSuspicious ? 1 : 0);
}
Accessible via right-click > Analyze Process in the GUI, or programmatically:
#include "WinSys/ProcessAnalyzer.h"
DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);
auto result = analyzer.Analyze();
// Unbacked executable memory (shellcode indicator)
for (auto& region : result.UnbackedRegions) {
printf("Unbacked RX region: base=%p size=0x%zX\n",
region.Base, region.Size);
}
// Hollowing detection
if (result.HollowingDetected) {
printf("Hollowing: PEB ImageBase=%p vs PE Header ImageBase=%p\n",
result.PebImageBase, result.PeHeaderImageBase);
}
// Direct syscalls outside ntdll
for (auto& sc : result.DirectSyscalls) {
printf("Direct syscall at: %p in module: %s\n",
sc.Address, sc.ModuleName.c_str());
}
// Inline user hooks
for (auto& hook : result.UserHooks) {
printf("Hook in %s!%s at %p -> %p\n",
hook.Module.c_str(),
hook.Function.c_str(),
hook.Address,
hook.Target);
}
// Token info
printf("Elevated: %d IntegrityLevel: %u\n",
result.Token.IsElevated,
result.Token.IntegrityLevel);
| Tab | Capability |
|---|---|
| Processes | Tree view, handles, threads, memory regions, modules |
| Performance | CPU/RAM/GPU/network graphs, overlay mode |
| Services | Status, start type, binary path |
| Network > Connections | TCP/UDP with owning PID |
| Network > Root Certificates | Subject, issuer, thumbprint |
| Network > NDIS | Adapter driver, MAC, speed, media type |
| ETW | Active trace sessions and registered providers |
| IPC | RPC endpoints and named pipes |
| Object Manager | Kernel object namespace browser |
| Registry | Key/value browser |
| Logger | Kernel driver debug logs + GUI logs |
| Tab | Capability |
|---|---|
| Process Objects | EPROCESS enumeration, hidden process detection |
| Modules | Kernel drivers + LolDrivers check |
| Callbacks | Process/thread/image/registry/object/power callbacks + integrity |
| SSDT | Entries with owner and hook detection |
| Kernel Pool | Big pool allocations and tag stats |
| Memory R/W | Read/write kernel memory by address |
| Timers | Per-CPU interrupt and DPC counters |
| Filter | Minifilter drivers with altitude/instance |
| Descriptor Tables | GDT/IDT entries |
| IRP Dispatch | IRP dispatch table for any driver |
| WFP | WFP callout drivers and filters |
| DSE Status | Driver Signature Enforcement state |
| CI Policy | Code Integrity policy and enforcement level |
| Kernel Integrity | Verify kernel .text vs on-disk image |
| Hypervisor Hooks | EPT hook detection via timing analysis |
#include "WinSys/KernelInterface.h"
WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();
if (driverAvailable) {
// Use kernel-mode features
auto ssdt = ki.GetSSDTEntries();
} else {
// Fall back to user-mode only
fprintf(stderr, "KWinSys not loaded — kernel features unavailable.\n");
}
WinSys::KernelInterface ki;
ki.Open();
auto kernelProcs = ki.EnumProcessObjects(); // Via EPROCESS walk
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();
// Build set of user-visible PIDs
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);
// Find PIDs in kernel list but not user list
for (auto& kp : kernelProcs) {
if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
printf("HIDDEN PROCESS: PID=%u Name=%s\n",
kp.ProcessId, kp.ImageName.c_str());
}
}
x64/Release/KWinSys/)bcdedit /enum | findstr testsigning# Verify test signing is on
bcdedit /enum | Select-String "testsigning"
# Check for existing broken service entry
sc query KWinSys
sc delete KWinSys # if stuck, delete and retry
# Some VMs also need:
bcdedit /set nointegritychecks on
# Then reboot
# Verify server is running on target
netstat -ano | findstr 50002
# Check Windows Firewall on target
netsh advfirewall firewall add rule name="WinSysServer" `
dir=in action=allow protocol=TCP localport=50002