How to make your own Simple Kernel static Disk Serial Spoofer on Windows part 2

An author never does more damage to his readers than when he hides a difficulty. (Evariste Galois)
You can download this tutorial and all necessary files in an archive file from here. The PDF version is also available here. File password: exists4all.github.io
Table of Contents: Introduction (Abstract; Required tools; Required knowledge; Purpose) · Windows Internals and Hard Disks (Device Unique Identifiers (DUIDs) for Storage Devices; Looking inside the kernel architecture; Finding hard disk objects and the driver responsible for reading disk serials) · Reimplementing the spoofer (n0Lin (@Alex3434) and btbd spoofers; Logic of the implementation; Updating the SamuelTulach project) · Conclusion
Introduction. Abstract: After a long time of being inactive, I decided to end my break for some personal reasons. Another reason was that the release date of Windows 24H2 was approaching. After the release I noticed that the old spoofers cause problems and lead to BSODs, so it is the right time to write part 2 of the static spoofer tutorial. We are going to build on the excellent earlier work of other people to make our lives simpler. We are basically going to do some reverse engineering, modify old spoofers so that they work on the new build of Windows, and explain the philosophy behind them. You can download most of the resources and important files used in this tutorial from my website. I also really appreciate any suggestions and corrections, since nobody is immune to making mistakes. You can send them using this form. ...

October 22, 2024 · 4520 words · Exists4All

How to make your own Simple Kernel static Disk Serial Spoofer on Windows part 1

Introduction. In this tutorial we are going to create a static disk drive serial number spoofer. This project will be a little long and needs some basic knowledge of operating systems and reverse engineering. We are going to use Visual Studio Community, IDA and WinDbg; I used Windows 11 Enterprise.
Analyzing the Kernel. Setting up WinDbg: The first step is to find out how Windows obtains that information. A quick search shows that you can use wmic commands: if you open CMD and execute `wmic diskdrive get serialnumber`, you retrieve the serials of all disks. So the logical next step would be to analyze wmic in WinDbg; however, if you do that you will find that wmic tokenizes its commands, passes them to the WMI service, retrieves the result as XML and extracts the values from there. So for simplicity we are not going to analyze wmic. Instead we are going to issue the same WMI query directly from C++ and use the debugger to see which kernel API is used to get that data. ...
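A check worth keeping next to the wmic step, as an added example that is not part of the tutorial or of any spoofer project it references: `wmic diskdrive get serialnumber` is only one of several user-mode paths that end up asking the storage stack for a disk serial. The script below reads the serial of every physical disk through two of them, the classic `Win32_DiskDrive` WMI class and the `MSFT_PhysicalDisk` class in the Storage Management namespace (what `Get-PhysicalDisk` uses), and flags disks where the two disagree. Before and after loading a spoofer this tells you whether every path was covered, or whether one of them is still reporting the real serial. It assumes the two classes can be joined on disk number (`Win32_DiskDrive.Index` against `MSFT_PhysicalDisk.DeviceId`, which holds the same number as a string) and that the Storage namespace is present (Windows 8 / Server 2012 and later); run it from an elevated PowerShell prompt.

```powershell
# Added example, not the tutorial's own code.
# Lists each physical disk's serial as reported by two different user-mode
# query paths, so a serial spoofer can be verified against both.

function Get-DiskSerialReport {
    [CmdletBinding()]
    param()

    # Path 1: classic WMI class. 'wmic diskdrive get serialnumber' reads this one.
    $wmiDisks = Get-CimInstance -ClassName Win32_DiskDrive

    # Path 2: Storage Management API class behind Get-PhysicalDisk.
    $storDisks = Get-CimInstance -Namespace 'root/Microsoft/Windows/Storage' `
                                 -ClassName MSFT_PhysicalDisk

    foreach ($d in $wmiDisks) {
        # Assumption: Win32_DiskDrive.Index and MSFT_PhysicalDisk.DeviceId both
        # carry the disk number (DeviceId as a string), so they can be joined.
        $match = $storDisks | Where-Object { $_.DeviceId -eq [string]$d.Index }

        # Normalise: some drivers pad the serial with spaces, and an empty
        # property is returned as $null rather than ''.
        $wmiSerial  = if ($d.SerialNumber) { $d.SerialNumber.Trim() } else { '' }
        $storSerial = if ($match -and $match.SerialNumber) { $match.SerialNumber.Trim() } else { '' }

        [pscustomobject]@{
            Index       = $d.Index
            Model       = $d.Model
            PNPDeviceID = $d.PNPDeviceID
            WmiSerial   = $wmiSerial
            StorSerial  = $storSerial
            UniqueId    = if ($match) { $match.UniqueId } else { $null }
            # A spoofer that hooks only one of the two paths leaves the other
            # one telling the truth; that shows up here as a mismatch.
            Mismatch    = ($wmiSerial -ne $storSerial)
        }
    }
}

# Usage: run once on a clean boot, once with the spoofer loaded, and diff the two.
Get-DiskSerialReport | Format-Table -AutoSize
```

The `UniqueId` column is included on purpose: it is a separate identifier from the serial and is derived by the storage stack from the device's own identifiers, so a spoofer that rewrites only the serial string will still leave it unchanged.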

March 17, 2024 · 1682 words · Exists4All

Important notes about Kernel development on Windows

Introduction. Welcome to my kernel programming tutorial document. Be sure to read these notes before starting. Important notes: Kernel programming is nothing like user-mode programming. Information about its structure is very limited, and most of the time you have to dig very deep into the MSDN documentation just to understand where to start. Kernel-mode code has to be perfect: any flaw in it will cause serious problems and, if not handled properly, will most of the time lead to a BSOD (blue screen of death). ...

March 17, 2024 · 689 words · Exists4All