Inspect live kernel memory and translate virtual addresses to physical ones for Windows driver diagnostics.
Enumerate loaded kernel modules, object-manager filters, and registry or process callbacks for anti-cheat or security research.
Run WinDbg-compatible commands like memory display, search, and disassembly against a live kernel target.
Get AI-assisted command planning and result explanations through an optional Codex, ChatGPT, DeepSeek, or OpenRouter provider layer.
| kernullist/kn-live-dbg | craftsmantweezers95/unlocker-phone-tool-2026 | ypichev/underwaterfx | |
|---|---|---|---|
| Stars | 20 | 20 | 20 |
| Language | C++ | C++ | C++ |
| Setup difficulty | hard | moderate | easy |
| Complexity | 5/5 | 2/5 | 2/5 |
| Audience | developer | ops devops | designer |
Figures from each repo's GitHub metadata at analysis time.
Requires Visual Studio 2022, the Windows Driver Kit, and either test-signing mode or a production code-signing certificate to load the driver.
Kn-Live-Dbg is an experimental Windows kernel research tool. It looks and feels like a debugger but the author is careful to say it is not one in the strict sense. It is shaped after the useful parts of an older Microsoft tool called LiveKD: a small kernel driver exposes narrow primitives for reading and writing memory, and a user-mode text-based console handles everything else, including symbol loading, type interpretation, and the command interface. The project is aimed at defensive Windows security research, anti-cheat research, driver diagnostics, and controlled lab analysis. It does not bypass Windows Code Integrity. To load the driver you need to either turn on Windows test-signing mode and use the test-signed build, or sign the driver with a real production code-signing certificate for deployment use. From an elevated console the tool installs and starts its driver KnLiveDbg.sys through Windows service control, opens a device that only Administrators and SYSTEM can use, and validates the driver and user-mode ABI version. It can then read kernel virtual memory, translate virtual addresses to physical ones through a manual page-table walk, read and write physical memory, write kernel virtual memory, and enumerate loaded kernel modules. Symbol loading uses DbgHelp, with the Microsoft public symbol server as the source, and downloaded PDBs are kept next to the executable. The console offers a WinDbg-compatible command set. Some commands are implemented natively against live memory, including memory display, symbol lookup, type display, search, compare, fill, move, and disassembly. Heavier commands are routed through the DbgEng backend. The tool also parses kernel PDB types to list object-manager filters, registry callbacks, process and thread and image-load callbacks, and minifilter callbacks, with function, module, and context annotations. An optional AI assistant layer can plan commands and explain results through Codex CLI, ChatGPT, DeepSeek, or OpenRouter. A companion driver KnLiveDbgProbe.sys provides known buffers for positive-control testing. Building requires Visual Studio 2022, the Windows Driver Kit, and a vendored copy of the Zydis disassembler. The full README is longer than what was shown.
An experimental Windows kernel research console, shaped after LiveKD, that reads and writes kernel memory through a signed driver for defensive security research.
Mainly C++. The stack also includes C++, Windows Driver Kit, Zydis.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.