finds.dev← search

// the find

eltavine/UserDrivenKernelAgent

★ 2 · C · updated Mar 2026

Windows kernel-mode minifilter driver providing process monitoring, memory inspection, filesystem/registry access control with user-mode approval workflows, DLL injection (APC + manual map), hardware fingerprinting, and driver self-concealment. Communicates via unnamed shared memory ring buffers

A Windows kernel-mode driver that wraps offensive techniques — DLL injection, ETW silencing, callback stripping, stack spoofing, event log wiping, object hiding — under the label 'user-driven approval workflow.' The architecture is a minifilter driver communicating with user mode over shared memory ring buffers. This is an implant/rootkit framework, not a monitoring tool, regardless of how the README frames it.

- Multiple injection paths (APC, manual map, thread hijack, InstCB) with fallback logic shows real kernel engineering rather than copy-paste of a single technique.

- PatchGuard-aware operations in pg_safe.c suggest the author understands the constraints of running unsigned or borderline code on modern Windows — most toy kernel projects skip this entirely.

- HMAC-based HWID fingerprinting (CPU, disk, MAC, SMBIOS, volume serial) is technically thorough; it's not just grabbing a single identifier.

- Shared memory ring buffer for kernel-user IPC is a legitimate approach that avoids the serialization overhead of IOCTLs for high-frequency events.

- The 'user-driven approval' framing doesn't survive contact with the actual feature list: etw_silence, evtlog_clean, obj_hide, callback_strip, and stack_spoof are detection-evasion primitives. Calling this a monitoring tool is dishonest.

- 2 stars, no documentation, no test infrastructure, no build guide — there is no way to know if this boots without BSoD on anything newer than the developer's own test VM. Kernel code without tests is a coin flip.

- No driver signing setup, no kernel debugging guide, no mention of DSE (Driver Signature Enforcement) bypass. This won't run on a stock Windows machine without either test mode, a vulnerable driver to abuse, or a leak signing cert.

- The ring buffer communication in comm.c and agent_comm.c needs tight synchronization between kernel and user mode; with no visible locking primitives surfaced at the repo level, race conditions leading to kernel panics are a realistic adoption tax.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →