explaingit

kernullist/kn-live-dbg

Analysis updated 2026-05-18

20C++Audience · developerComplexity · 5/5Setup · hard

TLDR

An experimental Windows kernel research console, shaped after LiveKD, that reads and writes kernel memory through a signed driver for defensive security research.

Mindmap

mindmap
  root((Kn-Live-Dbg))
    Architecture
      Kernel Driver
      User Mode Console
      WinDbg Compatible Commands
    Capabilities
      Read Write Kernel Memory
      Address Translation
      Module Enumeration
      Callback Parsing
    Scope
      Defensive Research
      Anti Cheat Research
      No CI Bypass
    Extras
      AI Command Assistant
      Probe Driver Testing

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Inspect live kernel memory and translate virtual addresses to physical ones for Windows driver diagnostics.

USE CASE 2

Enumerate loaded kernel modules, object-manager filters, and registry or process callbacks for anti-cheat or security research.

USE CASE 3

Run WinDbg-compatible commands like memory display, search, and disassembly against a live kernel target.

USE CASE 4

Get AI-assisted command planning and result explanations through an optional Codex, ChatGPT, DeepSeek, or OpenRouter provider layer.

What is it built with?

C++Windows Driver KitZydis

How does it compare?

kernullist/kn-live-dbgcraftsmantweezers95/unlocker-phone-tool-2026ypichev/underwaterfx
Stars202020
LanguageC++C++C++
Setup difficultyhardmoderateeasy
Complexity5/52/52/5
Audiencedeveloperops devopsdesigner

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires Visual Studio 2022, the Windows Driver Kit, and either test-signing mode or a production code-signing certificate to load the driver.

In plain English

Kn-Live-Dbg is an experimental Windows kernel research tool. It looks and feels like a debugger but the author is careful to say it is not one in the strict sense. It is shaped after the useful parts of an older Microsoft tool called LiveKD: a small kernel driver exposes narrow primitives for reading and writing memory, and a user-mode text-based console handles everything else, including symbol loading, type interpretation, and the command interface. The project is aimed at defensive Windows security research, anti-cheat research, driver diagnostics, and controlled lab analysis. It does not bypass Windows Code Integrity. To load the driver you need to either turn on Windows test-signing mode and use the test-signed build, or sign the driver with a real production code-signing certificate for deployment use. From an elevated console the tool installs and starts its driver KnLiveDbg.sys through Windows service control, opens a device that only Administrators and SYSTEM can use, and validates the driver and user-mode ABI version. It can then read kernel virtual memory, translate virtual addresses to physical ones through a manual page-table walk, read and write physical memory, write kernel virtual memory, and enumerate loaded kernel modules. Symbol loading uses DbgHelp, with the Microsoft public symbol server as the source, and downloaded PDBs are kept next to the executable. The console offers a WinDbg-compatible command set. Some commands are implemented natively against live memory, including memory display, symbol lookup, type display, search, compare, fill, move, and disassembly. Heavier commands are routed through the DbgEng backend. The tool also parses kernel PDB types to list object-manager filters, registry callbacks, process and thread and image-load callbacks, and minifilter callbacks, with function, module, and context annotations. An optional AI assistant layer can plan commands and explain results through Codex CLI, ChatGPT, DeepSeek, or OpenRouter. A companion driver KnLiveDbgProbe.sys provides known buffers for positive-control testing. Building requires Visual Studio 2022, the Windows Driver Kit, and a vendored copy of the Zydis disassembler. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Help me build this project with Visual Studio 2022 and the Windows Driver Kit, including the vendored Zydis disassembler.
Prompt 2
Explain how the kernel driver and the user-mode console divide responsibilities in this tool's architecture.
Prompt 3
Show me how to install and start the KnLiveDbg.sys driver through Windows service control from an elevated console.
Prompt 4
Walk me through using the native memory display and symbol lookup commands once the driver is running.
Prompt 5
Explain what test-signing mode is and why I need it to load this driver without a production code-signing certificate.

Frequently asked questions

What is kn-live-dbg?

An experimental Windows kernel research console, shaped after LiveKD, that reads and writes kernel memory through a signed driver for defensive security research.

What language is kn-live-dbg written in?

Mainly C++. The stack also includes C++, Windows Driver Kit, Zydis.

How hard is kn-live-dbg to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is kn-live-dbg for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.