gitwtfhub

wtf is kn-live-dbg?

kernullist/kn-live-dbg — explained in plain English

Analysis updated 2026-05-18

20C++Audience · developerComplexity · 5/5Setup · hard

TL;DR

An experimental Windows kernel research console, shaped after LiveKD, that reads and writes kernel memory through a signed driver for defensive security research.

Mindmap

mindmap
  root((Kn-Live-Dbg))
    Architecture
      Kernel Driver
      User Mode Console
      WinDbg Compatible Commands
    Capabilities
      Read Write Kernel Memory
      Address Translation
      Module Enumeration
      Callback Parsing
    Scope
      Defensive Research
      Anti Cheat Research
      No CI Bypass
    Extras
      AI Command Assistant
      Probe Driver Testing

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Inspect live kernel memory and translate virtual addresses to physical ones for Windows driver diagnostics.

REASON 2

Enumerate loaded kernel modules, object-manager filters, and registry or process callbacks for anti-cheat or security research.

REASON 3

Run WinDbg-compatible commands like memory display, search, and disassembly against a live kernel target.

REASON 4

Get AI-assisted command planning and result explanations through an optional Codex, ChatGPT, DeepSeek, or OpenRouter provider layer.

What's in the stack?

C++Windows Driver KitZydis

How it stacks up

kernullist/kn-live-dbgcraftsmantweezers95/unlocker-phone-tool-2026ypichev/underwaterfx
Stars202020
LanguageC++C++C++
Setup difficultyhardmoderateeasy
Complexity5/52/52/5
Audiencedeveloperops devopsdesigner

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1day+

Requires Visual Studio 2022, the Windows Driver Kit, and either test-signing mode or a production code-signing certificate to load the driver.

Wtf does this do

Kn-Live-Dbg is an experimental Windows kernel research tool. It looks and feels like a debugger but the author is careful to say it is not one in the strict sense. It is shaped after the useful parts of an older Microsoft tool called LiveKD: a small kernel driver exposes narrow primitives for reading and writing memory, and a user-mode text-based console handles everything else, including symbol loading, type interpretation, and the command interface. The project is aimed at defensive Windows security research, anti-cheat research, driver diagnostics, and controlled lab analysis. It does not bypass Windows Code Integrity. To load the driver you need to either turn on Windows test-signing mode and use the test-signed build, or sign the driver with a real production code-signing certificate for deployment use. From an elevated console the tool installs and starts its driver KnLiveDbg.sys through Windows service control, opens a device that only Administrators and SYSTEM can use, and validates the driver and user-mode ABI version. It can then read kernel virtual memory, translate virtual addresses to physical ones through a manual page-table walk, read and write physical memory, write kernel virtual memory, and enumerate loaded kernel modules. Symbol loading uses DbgHelp, with the Microsoft public symbol server as the source, and downloaded PDBs are kept next to the executable. The console offers a WinDbg-compatible command set. Some commands are implemented natively against live memory, including memory display, symbol lookup, type display, search, compare, fill, move, and disassembly. Heavier commands are routed through the DbgEng backend. The tool also parses kernel PDB types to list object-manager filters, registry callbacks, process and thread and image-load callbacks, and minifilter callbacks, with function, module, and context annotations. An optional AI assistant layer can plan commands and explain results through Codex CLI, ChatGPT, DeepSeek, or OpenRouter. A companion driver KnLiveDbgProbe.sys provides known buffers for positive-control testing. Building requires Visual Studio 2022, the Windows Driver Kit, and a vendored copy of the Zydis disassembler. The full README is longer than what was shown.

Yoink these prompts

Prompt 1
Help me build this project with Visual Studio 2022 and the Windows Driver Kit, including the vendored Zydis disassembler.
Prompt 2
Explain how the kernel driver and the user-mode console divide responsibilities in this tool's architecture.
Prompt 3
Show me how to install and start the KnLiveDbg.sys driver through Windows service control from an elevated console.
Prompt 4
Walk me through using the native memory display and symbol lookup commands once the driver is running.
Prompt 5
Explain what test-signing mode is and why I need it to load this driver without a production code-signing certificate.

Frequently asked questions

wtf is kn-live-dbg?

An experimental Windows kernel research console, shaped after LiveKD, that reads and writes kernel memory through a signed driver for defensive security research.

What language is kn-live-dbg written in?

Mainly C++. The stack also includes C++, Windows Driver Kit, Zydis.

How hard is kn-live-dbg to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is kn-live-dbg for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.