Awesome
KReClassEx
Kernel ReClassEx is a WinDbg extension that implements gui to reverse struct in Windows Kernel.
Usage
Config the ip addr.
config.json
{
"server": "0.0.0.0",
"server_port": "9000",
"timeout": 300
}
.load YourPath\KDbgEngExt.dll
!runserver YourPath\config.json
bu WdFilter!DriverEntry
.load YourPath\KDbgEngExt.dll
.unload KDbgEngExt.dll
!runserver YourPath\config.json
The config file should be put in the KReClassEx.exe's directory.
The main UI. Connect to the Windbg.
The following simple example shows the WdFilter's MpData memory in KReClassEx.
The memory view. If the node is a function pointer, Kernel ReClassEx will auto get the function name. (Sometimes you should execute the .reload to get the pdb info.)
The generate view.
Note:
The KReClass only read kernel memory when windbg is in break status.