Releases: wesmar/KernelResearchKit
Early Boot DSE Bypass for Windows 11 25H2
Windows 11 25H2 Early Boot DSE Bypass
Archive Password: github.com
📦 DOWNLOAD (78 KB compressed)
File: KernelResearchKit.7z
Password: github.com
Archive Contents:
├── BootBypass.exe (32 KB) - Native boot DSE bypass (PRE-KERNEL execution)
├── drvloader.exe (150 KB) - Runtime tool (embedded RTCore64 + PDB downloader)
├── OmniUtility.exe (46 KB) - Kernel manipulation demo utility
├── OmniDriver.sys (11 KB) - Unsigned kernel driver payload
├── rtcore64.sys (14 KB) - Vulnerable signed driver (MSI, transient usage)
├── drivers.ini (13 KB) - BootBypass configuration
├── implementer.bat (1 KB) - Batch installer wrapper
└── implementer.ps1 (17 KB) - PowerShell deployment script
🎯 COMPONENTS OVERVIEW
1️⃣ BootBypass.exe (Native Boot Application)
- Execution timing: During Windows boot (SMSS phase, PRE-KERNEL)
- Technique: Replaces `CiValidateImageHeader` → `ZwFlushInstructionCache` in the `SeCiCallbacks` table
- Features:
  - Sequential operations: LOAD, UNLOAD, RENAME, DELETE
  - AutoPatch support (automatic DSE bypass per driver)
  - Dual-layer anti-loop protection for HVCI scenarios
  - State persistence via `drivers.ini` for restoration
2️⃣ drvloader.exe (Runtime DSE Tool - Universal & Self-Contained)
- No reboot required - Post-boot DSE manipulation
- Embedded RTCore64.sys - XOR-encrypted CAB in binary resources (auto-extracts)
- Dynamic PDB downloader - Fetches symbols from Microsoft Symbol Server
- Mini-PDB caching - 32-byte `.mpdb` files for offline operation
- Universal compatibility - Auto-detects kernel offsets for any Windows 10/11 build
- Size: ~150 KB (includes embedded driver + symbol resolution + DbgHelp API)
3️⃣ OmniUtility.exe (Kernel Manipulation Demo)
- Window title modification (all processes simultaneously)
- Direct text injection into application buffers
- Module enumeration with base addresses
- Cross-process memory read/write operations
4️⃣ OmniDriver.sys (Unsigned Kernel Payload)
- Safe cross-process memory operations
- Exception handling (`__try`/`__except`, no BSOD)
- `KeStackAttachProcess()` for context switching
- Memory probing and intermediate buffering
5️⃣ rtcore64.sys (Vulnerable Signed Driver)
- MSI certificate (Micro-Star International)
- Unrestricted kernel memory R/W primitives
- Transient usage - Loaded only during patching (milliseconds)
- Auto-cleanup after operations (no persistent instance)
⚙️ DEPLOYMENT (implementer.ps1)
Smart Features:
- ✅ Preserves existing `drivers.ini` if found (non-destructive)
- ✅ Validates RTCore64.sys size (14,024 bytes) before deployment
- ✅ Registry backups - Timestamped `.reg` files before modifications
- ✅ Transient driver - RTCore64 loaded only during operations
Installation:
# Option 1: Batch
implementer.bat
# Option 2: PowerShell
powershell -ExecutionPolicy Bypass -File implementer.ps1
Deployment actions:
- Copies `BootBypass.exe` → `C:\Windows\System32\`
- Copies `RTCore64.sys` → `C:\Windows\System32\drivers\` (if needed)
- Copies `drivers.ini` → `C:\Windows\` (preserves existing)
- Updates registry: `HKLM\...\Session Manager\BootExecute = "BootBypass"`
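Added example, not part of this release or the project's code: a defender-side check that flags a non-default `BootExecute` entry such as the one the installer above writes. It parses a `REG_MULTI_SZ` blob offline from a constructed sample, so it runs on any host; the stock value `autocheck autochk *` and the full key path `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` are standard Windows defaults assumed here, not taken from this page.

```python
"""Flag unexpected Session Manager BootExecute entries (added example)."""


# Stock BootExecute content on a default Windows install (assumption).
DEFAULT_BOOT_EXECUTE = ("autocheck autochk *",)

# Standard location of the value; the page abbreviates this path.
BOOT_EXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"


def parse_multi_sz(raw: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings separated by NUL,
    terminated by an extra NUL. Empty strings are dropped."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def encode_multi_sz(entries) -> bytes:
    """Inverse of parse_multi_sz, used here to build the constructed sample."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")


def unexpected_boot_execute(entries, allowed=DEFAULT_BOOT_EXECUTE) -> list[str]:
    """Return entries not on the allow list (case-insensitive, trimmed)."""
    norm = {a.strip().lower() for a in allowed}
    return [e for e in entries if e.strip().lower() not in norm]


def read_live_boot_execute() -> list[str]:
    """Windows only: read the live value. winreg hands back REG_MULTI_SZ
    as a list of str already, so no manual decoding is needed."""
    import winreg  # imported here so the module still loads off-Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOT_EXECUTE_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "BootExecute")
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError(f"unexpected registry type {value_type}")
    return list(value)


# Constructed sample: the value after the deployment described above has
# appended "BootBypass" to the default entry.
SAMPLE_RAW = encode_multi_sz(["autocheck autochk *", "BootBypass"])


if __name__ == "__main__":
    entries = parse_multi_sz(SAMPLE_RAW)
    print("BootExecute entries:", entries)
    print("unexpected:", unexpected_boot_execute(entries))
```

Anything the function returns deserves a look: legitimate software rarely adds itself to `BootExecute`, and any native image listed there runs in the SMSS phase before third-party drivers and security tooling start.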
📋 CONFIGURATION EXAMPLE
drivers.ini - AutoPatch driver loading:
[Config]
Execute=YES ; Master switch (NO=skip all operations)
RestoreHVCI=NO ; Re-enable Memory Integrity after operations
; RTCore64 IOCTL codes (hardcoded in driver, DO NOT CHANGE)
DriverDevice=\Device\RTCore64
IoControlCode_Read=0x80002048
IoControlCode_Write=0x8000204C
; Windows 11 25H2 Build 26200 offsets (update after Windows updates)
Offset_SeCiCallbacks=0xF04740 ; g_CiCallbacks table base
Offset_Callback=0x20 ; CiValidateImageHeader pointer offset
Offset_SafeFunction=0x69C1B0 ; ZwFlushInstructionCache address
[Driver1]
Action=LOAD
AutoPatch=YES ; Full cycle: Load RTCore64 → Patch DSE → Load driver → Restore DSE → Unload RTCore64
ServiceName=omnidriver
ImagePath=\SystemRoot\System32\drivers\omnidriver.sys
Type=KERNEL
StartType=DEMAND
CheckIfLoaded=YES ; Skip if already loaded
🔬 TECHNICAL DETAILS
DSE Bypass Method:
- Single pointer replacement in `SeCiCallbacks[0x20]`
- No code patching (no PatchGuard violations)
- System stability maintained
Anti-Loop Protection (HVCI):
- Layer 1: Primary cleanup on every boot
- Layer 2: RebootGuardian self-destruct service (failsafe)
- Prevents infinite reboot cycles
Mini-PDB Format (32 bytes):
Structure:
- Magic: "MINIPDB\0" (8 bytes)
- Version: 1 (4 bytes)
- Reserved: (4 bytes)
- Offset_SeCiCallbacks: (8 bytes)
- Offset_SafeFunction: (8 bytes)
Location: C:\Windows\symbols\ntkrnlmp.pdb\{GUID}\ntkrnlmp.mpdb
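Added example, not code from the release: a parser and validator for the 32-byte Mini-PDB layout described above, the kind of thing an analyst wants when an `.mpdb` file turns up under `C:\Windows\symbols\` during triage. Field order and sizes are taken from the page; little-endian integer encoding is an assumption, and the sample file is constructed here from the Build 26200 offsets listed in `drivers.ini`.

```python
"""Parse and validate Mini-PDB (.mpdb) cache files (added example)."""
import struct
from dataclasses import dataclass

MPDB_MAGIC = b"MINIPDB\x00"   # 8 bytes, per the layout above
MPDB_VERSION = 1
MPDB_SIZE = 32

# '<' little-endian is an assumption; the page does not state byte order.
# 8s magic | I version | I reserved | Q Offset_SeCiCallbacks | Q Offset_SafeFunction
_MPDB_STRUCT = struct.Struct("<8sIIQQ")
assert _MPDB_STRUCT.size == MPDB_SIZE


class MiniPdbError(ValueError):
    """Raised when a blob is not a well-formed Mini-PDB file."""


@dataclass(frozen=True)
class MiniPdb:
    version: int
    reserved: int
    offset_seci_callbacks: int
    offset_safe_function: int


def parse_mpdb(data: bytes) -> MiniPdb:
    """Validate size, magic and version, then unpack the two offsets."""
    if len(data) != MPDB_SIZE:
        raise MiniPdbError(f"expected {MPDB_SIZE} bytes, got {len(data)}")
    magic, version, reserved, seci, safe = _MPDB_STRUCT.unpack(data)
    if magic != MPDB_MAGIC:
        raise MiniPdbError(f"bad magic {magic!r}")
    if version != MPDB_VERSION:
        raise MiniPdbError(f"unsupported version {version}")
    return MiniPdb(version, reserved, seci, safe)


def is_valid_mpdb(data: bytes) -> bool:
    """Boolean convenience wrapper around parse_mpdb."""
    try:
        parse_mpdb(data)
        return True
    except MiniPdbError:
        return False


def build_mpdb(offset_seci_callbacks: int, offset_safe_function: int) -> bytes:
    """Pack a Mini-PDB blob; used here only to construct the sample."""
    return _MPDB_STRUCT.pack(MPDB_MAGIC, MPDB_VERSION, 0,
                             offset_seci_callbacks, offset_safe_function)


# Constructed sample using the Build 26200 offsets shown in drivers.ini above.
SAMPLE_MPDB = build_mpdb(0xF04740, 0x69C1B0)


if __name__ == "__main__":
    info = parse_mpdb(SAMPLE_MPDB)
    print(f"version={info.version} "
          f"SeCiCallbacks=0x{info.offset_seci_callbacks:X} "
          f"SafeFunction=0x{info.offset_safe_function:X}")
```

To examine a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_mpdb`; the offsets it returns are kernel-relative and can be compared against the `Offset_*` keys in `drivers.ini` to confirm which build the cache was generated for.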
Compatibility:
- ✅ Windows 11 25H2 (Build 26200) - Fully tested
- ⚠️ Windows 10/11 (Other builds) - Run `drvloader.exe` → Option 2 to update offsets
- ✅ Secure Boot - Compatible (works with Secure Boot enabled)
- ⚠️ HVCI - Auto-detected and handled (scheduled reboot if enabled)
🛡️ SAFETY FEATURES
- Dual-layer reboot protection (cleanup + RebootGuardian failsafe)
- State persistence (original callback saved to `[DSE_STATE]`)
- Registry backups (timestamped `.reg` files)
- Exception handling (all kernel ops wrapped in `__try`/`__except`)
- Smart deployment (preserves configs, validates integrity)
- Transient driver usage (RTCore64 active only during patching)
📝 EDUCATIONAL USE ONLY
Intended for:
- Security research and analysis
- Kernel security education
- Defensive security development
Prohibited uses:
- Software piracy or license circumvention
- Online game cheating
- Unauthorized system access
- Malware development
- Illegal activities
Contact & Research:
- GitHub: KernelResearchKit
- LinkedIn: Technical Analysis
- Email: marek@wesolowski.eu.org
- Website: https://kvc.pl
📖 QUICK START
1. Extract archive (password: github.com)
2. Deploy via installer:
implementer.bat
3. Select operation:
[1] Deploy BootBypass - Install to system
[2] Remove BootBypass - Uninstall
[3] Exit
4. Reboot (BootBypass executes automatically during boot)
Alternative: Runtime tool (no reboot):
drvloader.exe
[1] Patch DSE - Disable signature enforcement
[2] Show Offsets - Update drivers.ini for current Windows build
[3] Restore DSE - Re-enable signature enforcement
Version: 1.0.0
Build Date: November 2025
Status: Active Development