POC about how to detect windows kernel debug by pool tag.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
gmh5225 3b1797b196
Update
3 years ago
images Update 3 years ago
.clang-format Update 3 years ago
LICENSE Update 3 years ago
README.md Update 3 years ago
detect.h Update 3 years ago
detect.poc.pooltag.cpp Update 3 years ago
main.cpp Update 3 years ago
poc.sln Update 3 years ago
poc.vcxproj Update 3 years ago
poc.vcxproj.filters Update 3 years ago
util.cpp Update 3 years ago
util.h Update 3 years ago

README.md

AntiKernelDebug-poc

What's this?

A POC about how to detect windows kernel debug by pool tag.

How does this poc actually work?

Query system pool tag information matches TagUlong == 'oIdK'.

Tested in Win10 1809

image

Compile

  • Visual Studio 2019
  • llvm-msvc [link]