aradotso/ntwarden-windows-analysis-toolkit
skills/ntwarden-windows-analysis-toolkit/SKILL.md
NtWarden is a Windows Analysis and Research Toolkit providing GUI-based inspection of processes, kernel internals, services, network, ETW, and more via ImGui + DirectX 11 with optional kernel driver support.
$ install --global
skillsauthnpx skillsauth add aradotso/trending-skills ntwarden-windows-analysis-toolkitInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 8:05 AM47.5s1 file scanned
SKILL.md
- name:
- ntwarden-windows-analysis-toolkit
- description:
- NtWarden is a Windows Analysis and Research Toolkit providing GUI-based inspection of processes, kernel internals, services, network, ETW, and more via ImGui + DirectX 11 with optional kernel driver support.
NtWarden Windows Analysis and Research Toolkit
Skill by ara.so — Daily 2026 Skills collection.
NtWarden is a Windows system inspection tool built on ImGui + DirectX 11. It covers processes, services, network, kernel internals, ETW, registry, object manager, and more — locally or remotely via WinSysServer. A kernel driver (KWinSys) enables deep kernel-mode analysis including SSDT hooks, kernel callbacks, EPT hook detection, and driver integrity checks.
Architecture
| Component | Role | |---|---| | NtWarden | GUI app (ImGui + DirectX 11) | | WinSys | Static lib — process, service, network enumeration | | KWinSys | Kernel driver — callbacks, SSDT, kernel modules, pool, etc. | | WinSysServer | Headless TCP server for remote inspection |
Build Requirements
- Visual Studio 2022
- Windows SDK 10.0.26100.0+
- WDK (Windows Driver Kit) — required only for KWinSys kernel driver
Building
# Open solution in Visual Studio 2022
# Select Release | x64
# Build All
# Output lands in:
x64/Release/NtWarden.exe
x64/Release/WinSysServer.exe
x64/Release/KWinSys/KWinSys.sys
Solution structure:
NtWarden.sln
├── NtWarden/ # GUI application
├── WinSys/ # Core static library
├── KWinSys/ # Kernel driver (.sys)
└── WinSysServer/ # Remote TCP server
Running NtWarden
Always run as Administrator for full functionality.
# Run elevated
Start-Process NtWarden.exe -Verb RunAs
User-mode features (processes, services, network, ETW, registry, object manager) work without the driver.
Kernel Driver Setup (KWinSys)
⚠️ Use only in a test VM. Enable test signing before installing.
# Enable test signing (requires reboot)
bcdedit /set testsigning on
# On VMs, may also need:
bcdedit /set nointegritychecks on
# Reboot, then run NtWarden as Administrator.
# Switching to the Kernel Mode tab auto-installs and starts KWinSys.
Manual driver management:
# Install manually
sc create KWinSys type= kernel binPath= "C:\path\to\KWinSys.sys"
sc start KWinSys
# Stop and remove
sc stop KWinSys
sc delete KWinSys
The NtWarden GUI also exposes driver management under the Driver menu.
Remote Inspection (WinSysServer)
Deploy to a target machine (typically a VM) and connect from NtWarden.
Files to copy to target
| File | Source Path | Purpose |
|---|---|---|
| WinSysServer.exe | x64/Release/WinSysServer.exe | Always required |
| KWinSys.sys | x64/Release/KWinSys/KWinSys.sys | Kernel features only |
Starting the server (on target, elevated)
# Auto-install driver + start server on default port 50002
WinSysServer.exe --install
# Custom port
WinSysServer.exe --install --port 9000
# If driver already installed manually:
WinSysServer.exe
WinSysServer.exe --port 9000
Connecting from NtWarden (on host)
- Launch NtWarden
- Go to Remote menu
- Enter target IP and port (default:
50002) - Click Connect
Protocol notes
- Custom binary protocol over TCP
- 12-byte header:
MessageType,DataSize,Status - No authentication — use only in isolated lab/VM environments
- User-mode data (processes, services, network) works without KWinSys on target
- Kernel tabs require KWinSys loaded on the remote target
WinSys Static Library — Key Usage Patterns
WinSys is the core library consumed by both NtWarden and WinSysServer. Example integration patterns in C++:
Process Enumeration
#include "WinSys/ProcessManager.h"
// Enumerate all processes (user mode)
auto& pm = WinSys::ProcessManager::Get();
pm.Update(); // Refresh snapshot
for (auto& proc : pm.GetProcesses()) {
printf("PID: %5u Name: %s\n",
proc->Id,
proc->GetImageName().c_str());
}
Service Enumeration
#include "WinSys/ServiceManager.h"
WinSys::ServiceManager svcMgr;
auto services = svcMgr.EnumServices();
for (auto& svc : services) {
printf("Service: %-40s State: %u StartType: %u\n",
svc.GetName().c_str(),
svc.Status.dwCurrentState,
svc.Config.dwStartType);
}
Network Connections
#include "WinSys/NetworkManager.h"
WinSys::NetworkManager netMgr;
auto conns = netMgr.GetTcpConnections();
for (auto& conn : conns) {
printf("PID: %u Local: %s:%u Remote: %s:%u State: %u\n",
conn.ProcessId,
conn.LocalAddress.c_str(), conn.LocalPort,
conn.RemoteAddress.c_str(), conn.RemotePort,
conn.State);
}
Communicating with KWinSys Driver (IOCTL)
#include "WinSys/KernelInterface.h"
// Open handle to driver device
WinSys::KernelInterface ki;
if (!ki.Open()) {
fprintf(stderr, "Failed to open KWinSys device. Is driver loaded?\n");
return;
}
// Enumerate kernel modules
auto modules = ki.EnumKernelModules();
for (auto& mod : modules) {
printf("Base: %p Size: 0x%X Path: %s\n",
mod.Base, mod.Size, mod.FullPath.c_str());
}
// Read kernel callbacks
auto callbacks = ki.EnumProcessCallbacks();
for (auto& cb : callbacks) {
printf("Callback: %p Module: %s Suspicious: %d\n",
cb.Address,
cb.OwnerModule.c_str(),
cb.IsSuspicious ? 1 : 0);
}
Per-Process Security Analysis (Analyze Process)
Accessible via right-click > Analyze Process in the GUI, or programmatically:
#include "WinSys/ProcessAnalyzer.h"
DWORD targetPid = 1234;
WinSys::ProcessAnalyzer analyzer(targetPid);
auto result = analyzer.Analyze();
// Unbacked executable memory (shellcode indicator)
for (auto& region : result.UnbackedRegions) {
printf("Unbacked RX region: base=%p size=0x%zX\n",
region.Base, region.Size);
}
// Hollowing detection
if (result.HollowingDetected) {
printf("Hollowing: PEB ImageBase=%p vs PE Header ImageBase=%p\n",
result.PebImageBase, result.PeHeaderImageBase);
}
// Direct syscalls outside ntdll
for (auto& sc : result.DirectSyscalls) {
printf("Direct syscall at: %p in module: %s\n",
sc.Address, sc.ModuleName.c_str());
}
// Inline user hooks
for (auto& hook : result.UserHooks) {
printf("Hook in %s!%s at %p -> %p\n",
hook.Module.c_str(),
hook.Function.c_str(),
hook.Address,
hook.Target);
}
// Token info
printf("Elevated: %d IntegrityLevel: %u\n",
result.Token.IsElevated,
result.Token.IntegrityLevel);
Key Features by Tab
User Mode (no driver)
| Tab | Capability | |---|---| | Processes | Tree view, handles, threads, memory regions, modules | | Performance | CPU/RAM/GPU/network graphs, overlay mode | | Services | Status, start type, binary path | | Network > Connections | TCP/UDP with owning PID | | Network > Root Certificates | Subject, issuer, thumbprint | | Network > NDIS | Adapter driver, MAC, speed, media type | | ETW | Active trace sessions and registered providers | | IPC | RPC endpoints and named pipes | | Object Manager | Kernel object namespace browser | | Registry | Key/value browser | | Logger | Kernel driver debug logs + GUI logs |
Kernel Mode (requires KWinSys)
| Tab | Capability | |---|---| | Process Objects | EPROCESS enumeration, hidden process detection | | Modules | Kernel drivers + LolDrivers check | | Callbacks | Process/thread/image/registry/object/power callbacks + integrity | | SSDT | Entries with owner and hook detection | | Kernel Pool | Big pool allocations and tag stats | | Memory R/W | Read/write kernel memory by address | | Timers | Per-CPU interrupt and DPC counters | | Filter | Minifilter drivers with altitude/instance | | Descriptor Tables | GDT/IDT entries | | IRP Dispatch | IRP dispatch table for any driver | | WFP | WFP callout drivers and filters | | DSE Status | Driver Signature Enforcement state | | CI Policy | Code Integrity policy and enforcement level | | Kernel Integrity | Verify kernel .text vs on-disk image | | Hypervisor Hooks | EPT hook detection via timing analysis |
Common Patterns
Check if driver is loaded before using kernel features
#include "WinSys/KernelInterface.h"
WinSys::KernelInterface ki;
bool driverAvailable = ki.Open();
if (driverAvailable) {
// Use kernel-mode features
auto ssdt = ki.GetSSDTEntries();
} else {
// Fall back to user-mode only
fprintf(stderr, "KWinSys not loaded — kernel features unavailable.\n");
}
Detect hidden processes (cross-reference EPROCESS list vs user-mode list)
WinSys::KernelInterface ki;
ki.Open();
auto kernelProcs = ki.EnumProcessObjects(); // Via EPROCESS walk
auto& pm = WinSys::ProcessManager::Get();
pm.Update();
auto userProcs = pm.GetProcesses();
// Build set of user-visible PIDs
std::unordered_set<DWORD> visiblePids;
for (auto& p : userProcs) visiblePids.insert(p->Id);
// Find PIDs in kernel list but not user list
for (auto& kp : kernelProcs) {
if (visiblePids.find(kp.ProcessId) == visiblePids.end()) {
printf("HIDDEN PROCESS: PID=%u Name=%s\n",
kp.ProcessId, kp.ImageName.c_str());
}
}
Troubleshooting
NtWarden won't show kernel tabs
- Ensure KWinSys.sys is in the same directory as NtWarden.exe (or
x64/Release/KWinSys/) - Run NtWarden as Administrator
- Confirm test signing is enabled:
bcdedit /enum | findstr testsigning - Check Logger tab for driver load errors
Driver fails to install
# Verify test signing is on
bcdedit /enum | Select-String "testsigning"
# Check for existing broken service entry
sc query KWinSys
sc delete KWinSys # if stuck, delete and retry
# Some VMs also need:
bcdedit /set nointegritychecks on
# Then reboot
WinSysServer connection refused
# Verify server is running on target
netstat -ano | findstr 50002
# Check Windows Firewall on target
netsh advfirewall firewall add rule name="WinSysServer" `
dir=in action=allow protocol=TCP localport=50002
Capstone not found (user hooks tab shows no data)
- User hook detection with disassembly requires Capstone
- Build WinSys with Capstone linked, or the hook scanner will report bytes without disassembly
Performance overlay not visible
- Launch NtWarden, go to Performance tab
- Enable overlay mode — it renders over other windows using DirectX 11 transparency
Build errors — missing WDK
- KWinSys requires the Windows Driver Kit
- If you only need user-mode features, exclude KWinSys project from build in Visual Studio (right-click project > Unload Project)
Tested Windows Versions
- Windows 11 23H2 (Build 22631.6199)
- Windows 10 22H2 (Build 19045.2006)
- Windows 10 1703 (Build 15063.13)
References
- zodiacon — Primary inspiration
- WinArk — Kernel-mode feature reference
- LolDrivers — Vulnerable driver database used in Modules tab
Related Skills
aradotso/skills/compose-performance-skills
development
VerifiedTrustedCommunity
```markdown --- name: compose-performance-skills description: Install and use the skydoves/compose-performance-skills agent skill library to diagnose and fix Jetpack Compose performance issues including stability, recomposition, lazy layouts, modifiers, side effects, and build configuration. triggers: - "my composable recomposes too often" - "LazyColumn drops frames during scroll" - "diagnose Compose stability issues" - "fix unnecessary recomposition in Jetpack Compose" - "optimize Com
46SKILL.mdUpdated May 5, 2026
aradotso/baguette-ios-simulator
development
VerifiedTrustedCommunity
Headless iOS Simulator manager with host-side HID input injection, 60fps streaming, and device farm web UI for iOS 26
45SKILL.mdUpdated May 4, 2026
aradotso/skills/claude-code-game-studios
development
VerifiedTrustedCommunity
```markdown --- name: claude-code-game-studios description: Turn Claude Code into a full 49-agent game dev studio with 72 workflow skills, automated hooks, and a real studio hierarchy for Godot, Unity, and Unreal projects. triggers: - "set up claude code game studios" - "use ai agents for game development" - "set up game dev studio with claude" - "add game studio agents to my project" - "how do I use claude code for game dev" - "set up godot unity unreal ai workflow" - "49 agents g
43SKILL.mdUpdated May 3, 2026
aradotso/skills/xq-py-quantum-vm
development
VerifiedTrustedCommunity
```markdown --- name: xq-py-quantum-vm description: Python implementation of the Quip Network's quantum virtual machine (xqvm) triggers: - quantum virtual machine python - xqvm quip network - quantum circuit simulation python - xq-py quantum vm - quip network quantum python - simulate quantum gates python - quantum vm xqvm - xqvm-py quantum circuit --- # xq-py Quantum Virtual Machine > Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection. `xqvm-py` is a Python impl
42SKILL.mdUpdated May 2, 2026