🛡️ Kernel VangDBlock

Advanced Kernel-Mode Security Monitor for Windows

Features • Architecture • Documentation • Roadmap • Contributing

---

📋 Overview

Kernel VangDBlock is an advanced kernel-mode security monitoring system designed to detect and automatically respond to threats at the Windows kernel level. It provides real-time protection against rootkits, kernel hooks, DKOM attacks, and other low-level exploitation techniques.

Key Capabilities

• 🔍 Real-time Kernel Monitoring: SSDT, IDT, process lists, driver integrity
• 🛡️ Automatic Threat Response: Kill processes, block drivers, restore kernel structures
• 📊 Comprehensive Logging: Immutable audit trails with SIEM integration
• 🎯 Heuristic Analysis: Risk scoring for intelligent threat detection
• 🔒 Surface Hardening: Filesystem and registry protection via minifilter

---

🏗️ Architecture

┌────────────────────────────────────────────────────────────┐
│                     User Mode (Ring 3)                      │
├────────────────────────────────────────────────────────────┤
│  Control Service (.NET 8)                                   │
│  • Configuration management                                 │
│  • Event consumption & SIEM integration                     │
│  • REST API for monitoring                                  │
└──────────────────────┬─────────────────────────────────────┘
                       │ IOCTL Communication
┌──────────────────────▼─────────────────────────────────────┐
│                    Kernel Mode (Ring 0)                     │
├────────────────────────────────────────────────────────────┤
│  VangDBlock Driver (KMDF)                                   │
│  ┌──────────────┬──────────────┬──────────────┐            │
│  │   Monitor    │   Analysis   │   Response   │            │
│  │   Module     │   Module     │   Module     │            │
│  └──────────────┴──────────────┴──────────────┘            │
│  ┌──────────────────────────────────────────┐              │
│  │         Logging & Telemetry              │              │
│  └──────────────────────────────────────────┘              │
│  ┌──────────────────────────────────────────┐              │
│  │      Minifilter (Filesystem Guard)       │              │
│  └──────────────────────────────────────────┘              │
└────────────────────────────────────────────────────────────┘

Components

• Monitor Module: Continuous verification of SSDT, IDT, process lists, and loaded drivers
• Analysis Module: Risk scoring and threat decision engine
• Response Module: Automated actions (terminate, block, rollback, quarantine)
• Logging System: Circular buffer with ETW integration
• Minifilter: Filesystem and registry protection

---

🚀 Features

Detection Capabilities

✅ SSDT Hook Detection - Monitors System Service Dispatch Table for unauthorized modifications
✅ IDT Integrity Verification - Validates Interrupt Descriptor Table handlers
✅ DKOM Detection - Identifies hidden processes via Direct Kernel Object Manipulation
✅ Driver Validation - Verifies digital signatures and whitelists
✅ Inline Hook Detection - Analyzes function prologues for unexpected jumps
✅ Bootkit Detection - MBR/GPT integrity checks with ELAM integration

Response Mechanisms

🛡️ Automatic Process Termination - Kills malicious processes instantly
🛡️ Driver Load Blocking - Prevents unsigned/malicious driver loading
🛡️ SSDT Restoration - Rolls back hooks to original baseline
🛡️ File Quarantine - Isolates suspicious executables via minifilter
🛡️ Network Isolation - Removes network handles from compromised processes

Observability

📊 Immutable Logs - Circular buffer in non-paged kernel memory
📊 ETW Integration - Event Tracing for Windows provider
📊 SIEM Support - Syslog, Splunk, ELK forwarding
📊 Real-time Dashboard - Live monitoring via Control Service
📊 Forensic Exports - Timestamped audit trails (TSC + NTP sync)

---

📚 Documentation

Core Documents

• TECHNICAL_SPECIFICATION.md - Complete technical specification (30+ pages)
• BUILD.md - Build instructions and prerequisites
• docs/architecture/ - C4 diagrams, operational flows
• docs/research/ - Security research and POCs

Quick Links

• System Requirements
• Development Setup
• Testing Strategy
• Security Considerations

---

💻 System Requirements

Minimum Requirements

• OS: Windows 10 22H2 (build 19045+) or Windows 11 21H2+
• Architecture: x86_64
• Privileges: Administrator/SYSTEM for driver operations
• Signing: Test Mode or EV Certificate for production

Development Environment

• IDE: Visual Studio 2022
• SDK: Windows Driver Kit (WDK)
• Debugger: WinDbg with kernel debugging setup
• VM: Windows 10/11 VM with snapshots (recommended)

---

🛠️ Development Setup

# 1. Install prerequisites
# - Visual Studio 2022 (C++ Desktop Development + Windows SDK)
# - Windows Driver Kit (WDK)
# - .NET 8 SDK

# 2. Clone repository
git clone https://github.com/eduardomb08/Kernel-VangDBlock.git
cd Kernel-VangDBlock

# 3. Open solution
start KernelSecProject.sln

# 4. Build driver (Release x64)
msbuild /p:Configuration=Release /p:Platform=x64 workspace/src/driver/KernelSecDriver.vcxproj

# 5. Build service
dotnet build workspace/src/service/KernelSecService.csproj --configuration Release

# 6. Enable test signing (development only)
bcdedit /set testsigning on
# Reboot required

---

🧪 Testing Strategy

Phase 1: Unit Tests

• Baseline capture validation
• IOCTL communication tests
• Risk scoring algorithm verification

Phase 2: Integration Tests

• Driver load/unload cycles
• Callback registration validation
• Service ↔ Driver communication

Phase 3: Security Tests

• SSDT hook simulation
• DKOM attack scenarios
• Bootkit detection tests
• Performance benchmarking (CPU overhead < 3%)

---

🗺️ Roadmap

✅ Phase 1: Foundation (Weeks 1-2)

• Project structure and documentation
• Visual Studio solution configuration
• DriverEntry implementation
• Basic IOCTL dispatcher
• SSDT baseline capture

🚧 Phase 2: Monitoring (Weeks 3-4)

• Periodic verification thread
• Process/LoadImage callbacks
• SSDT hook detection
• Circular log buffer

📅 Phase 3: Response (Weeks 5-6)

• SSDT restoration
• Process termination
• Driver blocking
• Automated testing

📅 Phase 4: Advanced Features (Weeks 7-8)

• DKOM detection
• IDT monitoring
• Risk scoring heuristics
• Threat intelligence

📅 Phase 5: Hardening (Weeks 9-10)

• Minifilter implementation
• Registry protection
• Self-defense mechanisms
• Performance optimization

📅 Phase 6: Production Ready (Weeks 11-16)

• User-mode service
• ETW integration
• SIEM connectors
• Driver signing
• Security audit

---

🔒 Security Considerations

⚠️ Educational/Research Project - This project is designed for security research and educational purposes. Deploying kernel-mode drivers in production environments requires:

• Code Signing: EV certificate from approved CA (DigiCert, Sectigo)
• WHQL Testing: Windows Hardware Quality Labs certification
• Security Audit: Third-party penetration testing
• Compliance: GDPR, SOC 2, ISO 27001 as applicable

Threat Model

• ✅ Detects: SSDT hooks, driver rootkits, DKOM, inline hooks
• ✅ Mitigates: Process injection, unauthorized driver loading
• ⚠️ Limited: Bootkits (requires ELAM), hardware-based attacks
• ❌ Out of Scope: Secure Boot bypasses, BIOS-level malware

---

🤝 Contributing

This is a research project. Contributions are welcome via:

1. Issues: Report bugs or suggest features
2. Pull Requests: Submit improvements with detailed descriptions
3. Research: Share POCs or attack techniques in docs/research/

Code Standards

• Follow Microsoft C++ coding conventions
• Document all kernel APIs and data structures
• Include unit tests for new features
• Update technical specification accordingly

---

📄 License

This project is released under a Research License. See LICENSE for details.

Disclaimer

⚠️ Use at your own risk. Kernel-mode development is inherently dangerous and can cause system instability, data loss, or security vulnerabilities if implemented incorrectly. Always test in isolated VMs.

---

📞 Contact

• Project: Kernel VangDBlock
• Made by: Void

---

Made with 🛡️ for Windows Security Research