Windows Kernel Explorer (you can simply call it as "WKE") is a free but powerful Windows kernel research tool. It supports from Windows XP to Windows 10, 32-bit and 64-bit. Compare to popular tools (such as WIN64AST and PCHunter), WKE is a highly customizable tool and it can run on the latest Windows 10 without updating binary files.
WKE will automatically download required symbol files if no native support for current system, 90% of the features will work after this step. For some needed data that doesn't exist in symbol files, WKE will try to get them from the DAT file (so, when new Windows 10 releases, I will upload the newest DAT file to GitHub). If there is no internet access for WKE, 50% of the features will still work. Currently, native support is available from Windows XP to Windows 10 RS3, RS4 and RS5 are fully supported by parsing symbol files and DAT file.
You can customize WKE by editing the configuration file. Currently, you can set the device name and symbolic link name of driver, and altitude of filter. You can also enable kernel-mode and user-mode characteristics randomization to avoid being detected by malware. If you rename the EXE file of WKE, then you need to rename SYS/DAT/INI files together with the same name.
Due to I don't have a digital certificate, I have to use the leaked digital certificate from HT SRL to sign drivers of WKE. I use "DSEFIX" as an alternative solution to bypass DSE, you can try to launch WKE with "WKE_dsefix.bat" if WKE loads driver unsuccessfully on your system. Signing files with the HT SRL digital certificate causes a side effect: almost all anti-virus softwares consider files with HT SRL digital signature are viruses, because many hackers use it to sign malwares since 2015. If you don't trust WKE, you can run it in a test environment, or monitor its network activity on your router.
It is a bit awkward, so I say straightforwardly: I don't plan to share the source code of this tool, but I might share some source code of test programs that related to this tool.
In order to optimize the page load speed in low quality network environments, I only placed one picture on this page. Click this link to view all screenshots (click middle button to open the page in a new window).
Please write E-MAIL in English or German, I only reply to E-MAILs that I am interested in.
Bug fix: symbol related features in memory editor dialog.
Bug fix: prompt the status of process and thread in the context menu.
New feature: disable CreateProcess / CreateThread / LoadImage / Registry / Process and Thread object callbacks, FS filters.
New feature: support drag file to input box dialog (do not need to type input when you need to fill the file path).
New feature: highlight hidden drivers and processes.
New feature: output all object names to a file.
New feature: display NDIS handler functions.
New feature: display process command line.
New feature: registry value editor dialog.
New feature: hide process, hide driver.
New feature: unsigned driver loader.
New feature: hive file operations.
These versions have serious security issues and should not be used anymore.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。