Windows PatchGuard (Kernel Patch Protection) Analysis and Research Toolkit
Patchwork is a research toolkit for analyzing Windows Kernel Patch Protection (PatchGuard/KPP). It provides tools for understanding KPP's verification mechanisms, timer-based checks, exception handler chains, and the protected structures it monitors.
Disclaimer: This toolkit is intended for educational and security research purposes only. Understanding kernel protection mechanisms is essential for advancing operating system security.
- Context Discovery - Scan kernel memory for PatchGuard context structures
- Timer Analysis - Enumerate and identify PG-related kernel timers with heuristic scoring
- Integrity Checking - Verify kernel structures (SSDT, IDT, GDT, MSRs) against baselines
- Decryption Engine - Recover XOR keys and decrypt PG context data (single, rolling, multi-key, AES-lite)
- Exception Chain Analysis - Walk and analyze kernel exception handlers for PG identification
- DPC Analysis - Inspect DPC queues and correlate with timer entries
- Pool Scanner - Find PG-related pool allocations by tag and heuristic matching
- Activity Monitor - Detect PG check execution via timing analysis and performance counters
- Kernel Driver - WDM driver providing privileged access for kernel-level analysis
- CLI Interface - Usermode command-line tool with IOCTL-based driver communication
| Windows Version | KPP Version | Support Level |
|---|---|---|
| Vista/7 | v1.x | Full |
| 8/8.1 | v2.0-2.1 | Full |
| 10 (all builds) | v2.5-2.10 | Full |
| 11 21H2 | v3.0 | Full |
| 11 22H2 | v3.1 | Full |
| 11 23H2 | v3.2 | Full |
| 11 24H2 | v3.3 | Partial (VBS limitations) |
```
mkdir build && cd build
cmake .. -G "Visual Studio 17 2022" -A x64
cmake --build . --config Release
```
The kernel driver requires the Windows Driver Kit (WDK):
```
# Using Visual Studio with WDK integration
# Open the driver project and build for x64 Release
```
```
sc create patchwork type=kernel binPath=C:\path\to\patchwork.sys
sc start patchwork
```
Note: The driver must be test-signed or loaded with test signing enabled.
- `patchwork_cli version` - Show driver and system version info
- `patchwork_cli scan` - Scan for PatchGuard context in memory
- `patchwork_cli timers` - Enumerate and analyze kernel timers
- `patchwork_cli integrity` - Run kernel integrity checks
- `patchwork_cli pool` - Scan kernel pool for PG allocations
- `patchwork_cli monitor` - Show KPP monitoring status
```
src/
  core/      - KPP context, timer, and integrity check analysis
  analysis/  - Decryption, exception chain, and DPC analysis
  monitor/   - Activity monitoring and self-integrity checking
  driver/    - Kernel driver and pool scanner
  usermode/  - CLI interface
  common/    - Shared type definitions
tests/       - Unit tests
docs/        - Technical documentation
driver/      - WDK build configuration
```
- PatchGuard Internals - Deep technical analysis of KPP architecture
- KPP Evolution - How KPP has changed across Windows versions
MIT License - Copyright (c) 2019-2026 BypassCore Labs
- Email: contact@bypasscore.com
- Telegram: @bypasscore
- Web: bypasscore.com
Help keep BypassCore open-source and independent.
| Network | Address |
|---|---|
| Polygon | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Ethereum | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| BSC | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Arbitrum | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Optimism | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Avalanche | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
USDT / USDC / ETH / BNB accepted on all networks.