Updated fork of btbd/access with Zydis-based dynamic pattern finding for Windows 10/11 compatibility
A kernel-mode syscall wrapper that enables privileged process operations without requiring handles. Uses xKdEnumerateDebuggingDevices pointer hooking for kernel-usermode communication.
- ✅ No hardcoded offsets - All kernel functions/offsets discovered at runtime via Zydis disassembler
- ✅ Version independent - Works across Windows 10 (1607+) and Windows 11 (up to 24H2)
- ✅ No SEH - Safe operations without structured exception handling
- ✅ Handle-free - Perform `PROCESS_ALL_ACCESS` operations without creating real handles
- ✅ Minimal footprint - Clean `.data` section hook, no inline patches
- ✅ Open source - Full source code available for educational purposes
This fork modernizes the original driver with:
- Zydis Integration - Dynamic disassembly replaces brittle byte patterns
- Multi-version Support - Single binary works on Windows 10 1607 through Windows 11 24H2
- Clean Logging - Informative debug output with `[singular-access]` prefix
- Better Reliability - Instruction-level pattern matching instead of raw bytes
The driver uses Zydis to disassemble kernel functions and extract:
| Target | Method | Offset/Address |
|---|---|---|
| `KTHREAD.PreviousMode` | Disassemble `ExGetPreviousMode` | `0x232` (all versions) |
| `PsResumeThread` | Disassemble `PsRegisterPicoProvider` | RIP-relative LEA at `+0x40` |
| `PsSuspendThread` | Disassemble `PsRegisterPicoProvider` | RIP-relative LEA at `+0x50` |
| `xKdEnumerateDebuggingDevices` | Pattern scan `.text` section | Version-specific patterns |
```text
User Mode (DLL)
    ↓ syscall with SYSCALL_UNIQUE
Kernel Hook (xKdEnumerateDebuggingDevices pointer)
    ↓ validates & dispatches
Kernel Syscall Handler
    ↓ performs privileged operation
Return to User Mode
```
- Visual Studio 2022 with C++ Desktop Development
- Windows Driver Kit (WDK) 10
- Test signing enabled or kernel debugging mode
```bat
cd Driver
msbuild Driver.vcxproj /p:Configuration=Release /p:Platform=x64
link_driver.bat
```
Output: `Driver\x64\Release\Driver.sys`
Option 1: kdmapper (recommended for testing)
```bat
kdmapper.exe Driver.sys
```
Option 2: Service
```bat
sc create singular_access type= kernel binPath= C:\path\to\Driver.sys
sc start singular_access
```
Debug output on a successful load (DebugView):
```text
[singular-access] Initializing driver...
[singular-access] Windows build: 26200
[singular-access] ntoskrnl.exe base: FFFFF80000000000
[singular-access] [*] Searching for PsResumeThread in PsRegisterPicoProvider...
[singular-access] [+] Found PsResumeThread at FFFFF803AAE331C0
[singular-access] [*] Searching for PsSuspendThread in PsRegisterPicoProvider...
[singular-access] [+] Found PsSuspendThread at FFFFF803AADFA1A0
[singular-access] [+] Found PreviousMode offset: 0x232
[singular-access] Searching for xKdEnumerateDebuggingDevices pointer...
[singular-access] xKdEnumerateDebuggingDevices pointer: FFFFF803AB200B68
[singular-access] Installing hook...
[singular-access] Driver initialized successfully
```
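The `[singular-access]` prefix makes this driver's kernel debug output easy to triage from a captured DebugView or kernel-debugger log. The script below is an added example, not part of this project or the original btbd/access code: it parses the debug lines quoted above (embedded as a constructed sample), records whether the `xKdEnumerateDebuggingDevices` pointer hook was installed, and sanity-checks each resolved address against the logged `ntoskrnl.exe` base, since a symbol reported far outside the kernel image means the base or the address in the log is not what it claims to be. The 64 MiB image-size bound and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the DebugView output shown in this README, as a
# responder might capture it from a test machine.
SAMPLE_LOG = """\
[singular-access] Initializing driver...
[singular-access] Windows build: 26200
[singular-access] ntoskrnl.exe base: FFFFF80000000000
[singular-access] [*] Searching for PsResumeThread in PsRegisterPicoProvider...
[singular-access] [+] Found PsResumeThread at FFFFF803AAE331C0
[singular-access] [*] Searching for PsSuspendThread in PsRegisterPicoProvider...
[singular-access] [+] Found PsSuspendThread at FFFFF803AADFA1A0
[singular-access] [+] Found PreviousMode offset: 0x232
[singular-access] Searching for xKdEnumerateDebuggingDevices pointer...
[singular-access] xKdEnumerateDebuggingDevices pointer: FFFFF803AB200B68
[singular-access] Installing hook...
[singular-access] Driver initialized successfully
"""

PREFIX = "[singular-access]"
BUILD_RE = re.compile(r"Windows build: (\d+)")
BASE_RE = re.compile(r"ntoskrnl\.exe base: ([0-9A-Fa-f]{16})")
FOUND_RE = re.compile(r"\[\+\] Found (\w+) at ([0-9A-Fa-f]{16})")
PTR_RE = re.compile(r"(\w+) pointer: ([0-9A-Fa-f]{16})")
OFFSET_RE = re.compile(r"Found (\w+) offset: 0x([0-9A-Fa-f]+)")


@dataclass
class DriverTrace:
    build: Optional[int] = None
    ntos_base: Optional[int] = None
    resolved: Dict[str, int] = field(default_factory=dict)  # symbol -> virtual address
    offsets: Dict[str, int] = field(default_factory=dict)   # field name -> byte offset
    hook_installed: bool = False
    initialized: bool = False


def parse_trace(text: str) -> DriverTrace:
    """Parse the driver's prefixed debug lines; unprefixed lines are ignored."""
    trace = DriverTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):].strip()
        if m := BUILD_RE.search(body):
            trace.build = int(m.group(1))
        elif m := BASE_RE.search(body):
            trace.ntos_base = int(m.group(1), 16)
        elif m := FOUND_RE.search(body):
            trace.resolved[m.group(1)] = int(m.group(2), 16)
        elif m := OFFSET_RE.search(body):
            trace.offsets[m.group(1)] = int(m.group(2), 16)
        elif m := PTR_RE.search(body):
            trace.resolved[m.group(1)] = int(m.group(2), 16)
        elif body.startswith("Installing hook"):
            trace.hook_installed = True
        elif body.startswith("Driver initialized successfully"):
            trace.initialized = True
    return trace


def rva(trace: DriverTrace, symbol: str) -> int:
    """Offset of a resolved symbol from the logged ntoskrnl base."""
    if trace.ntos_base is None:
        raise ValueError("ntoskrnl base not logged")
    return trace.resolved[symbol] - trace.ntos_base


def implausible_symbols(trace: DriverTrace, max_image_size: int = 64 << 20) -> List[str]:
    """Symbols whose address is not inside [base, base + max_image_size).

    ntoskrnl.exe is a few tens of MB, so 64 MiB (an assumed bound) is generous;
    anything outside it indicates a bogus base or address in the log.
    """
    if trace.ntos_base is None:
        return sorted(trace.resolved)
    return sorted(name for name in trace.resolved
                  if not 0 <= trace.resolved[name] - trace.ntos_base < max_image_size)


def triage(text: str) -> dict:
    """Summarise the indicators a responder cares about from a captured log."""
    trace = parse_trace(text)
    hooked = "xKdEnumerateDebuggingDevices" in trace.resolved
    return {
        "build": trace.build,
        "kernel_pointer_hooked": trace.hook_installed and trace.initialized,
        "hooked_symbol": "xKdEnumerateDebuggingDevices" if hooked else None,
        "previous_mode_offset": trace.offsets.get("PreviousMode"),
        "implausible_symbols": implausible_symbols(trace),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))
```

Run on the sample above, `triage` reports the hook as installed and lists all three resolved symbols as implausible: every address lies about 14 GiB past the logged `FFFFF80000000000` base, which is not a real ntoskrnl layout, so a responder should treat the logged base as unreliable rather than trust the offsets.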
The driver intercepts and handles:
Process Operations
- NtOpenProcess
- NtSuspendProcess / NtResumeProcess
- NtQueryInformationProcess / NtSetInformationProcess
- NtQuerySystemInformationEx
- NtFlushInstructionCache
Memory Operations
- NtAllocateVirtualMemory / NtFreeVirtualMemory
- NtReadVirtualMemory / NtWriteVirtualMemory
- NtProtectVirtualMemory
- NtQueryVirtualMemory
- NtLockVirtualMemory / NtUnlockVirtualMemory
- NtFlushVirtualMemory
Thread Operations
- NtOpenThread
- NtSuspendThread / NtResumeThread
- NtGetContextThread / NtSetContextThread
- NtQueryInformationThread / NtSetInformationThread
Synchronization
- NtWaitForSingleObject
Tested and confirmed working:
| OS Version | Build | Status |
|---|---|---|
| Windows 10 1607 | 14393 | ✅ |
| Windows 10 1709 | 16299 | ✅ |
| Windows 10 1809 | 17763 | ✅ |
| Windows 10 2004 | 19041 | ✅ |
| Windows 11 21H2 | 22000 | ✅ |
| Windows 11 22H2 | 22621 | ✅ |
| Windows 11 24H2 | 26100-26200 | ✅ |
Finding PsResumeThread:
```asm
lea rcx, PsResumeThread       ; Load function address
mov [rdx+40h], rcx            ; Store in PICO provider table
```
Finding xKdEnumerateDebuggingDevices (Win11 24H2):
```asm
mov rax, cs:off_140E00B68     ; Pattern: 48 8B 05 ? ? ? ? 74 ? E8
                              ; Resolve RIP-relative pointer
```
Extracting PreviousMode offset:
```asm
mov rax, gs:188h                ; Get KTHREAD
movzx eax, byte ptr [rax+232h]  ; Extract PreviousMode
ret
```
```text
Driver/
├── main.c          # Entry point, initialization, hook installation
├── core.c          # Syscall handlers
├── util.c          # Pattern scanning, memory utilities
├── zydis_util.c    # Zydis-based pattern finders
├── zydis_util.h    # Zydis function declarations
├── syscall.h       # Syscall definitions
├── stdafx.h        # Precompiled header
└── Zydis/          # Zydis disassembler library
```
Driver fails to load:
- Enable test signing: `bcdedit /set testsigning on`
- Check DebugView for error messages
- Verify WDK is installed correctly
Pattern not found:
- Check Windows build number in DebugView output
- May need to add new pattern for your specific build
- Open an issue with your build number and debug output
Linker errors:
- Ensure all Zydis files are included in project
- Verify `ZYDIS_STATIC_BUILD` and `ZYCORE_STATIC_BUILD` are defined
- Check that `link_driver.bat` is using correct WDK lib paths
Adding a new syscall:
- Add syscall enum to `syscall.h`
- Add handler in `core.c` using `HANDLE_SYSCALL` macro
- Rebuild driver
Adding a pattern for a new Windows build:
- Analyze new build in IDA/Ghidra
- Find pattern for `xKdEnumerateDebuggingDevices` pointer
- Add pattern to `find_kd_enum_debug_devices_ptr()` in `main.c`
- Test and verify
- Original Author: btbd - Original access driver
- Zydis: zyantific - Fast and lightweight x86/x86-64 disassembler
- Updated by: Singular - Zydis integration and multi-version support
This project maintains the same license as the original btbd/access repository.
This software is for educational and research purposes only. Use responsibly and only on systems you own or have explicit permission to test on.