/******************************************************************************************************************
WARNING: If you have run an old version of WIN64AST, you must reboot before running a new version, or it will cause a BSOD.
******************************************************************************************************************/

Use
===
This software can view and manage a lot of kernel information on Windows x64; you can use it to kill viruses, assist debugging or explore the Windows kernel.
The first time you run this software, it is strongly suggested that you download the symbol files at once (go to the "Settings" page and click the "Download symbol files" button).
If this software causes a BSOD on your computer and you suffer economic losses, I am not responsible for any of them. USE AT YOUR OWN RISK!

Function
========
1. Manage processes (including Module/Thread/Memory/Handle/Window)
2. View kernel modules
3. View/Disconnect network connections
4. Enumerate/Restore SSDT and SHADOW SSDT
5. Scan/Clear user-mode and kernel-mode inline hooks
6. View/Delete message hooks
7. View/Restore driver dispatch functions
8. View/Restore kernel object routine functions
9. View/Delete callbacks and notify routines
10. Enumerate/Delete IO timers
11. Enumerate/Delete DPC timers
12. Enumerate MiniFilters/Disable MiniFilter callback functions
13. Enumerate/Remove filter drivers
14. View/Backup/Restore/Repair MBR
15. Process behavior monitor
16. Edit (Disassemble/Modify) kernel memory
17. Low-level file operations
18. Low-level registry operations
19. Forbid creation of Process/File/RegKey/RegValue and forbid driver loading
20. Check the digital signature of a file
21. Enumerate/Restore IDT
22. Enumerate GDT
23. Show the values of special registers (CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24. Scan/Clear user-mode EAT/IAT hooks
25. View/Backup/Restore VBR
26. Simple firewall
27. Enumerate/Delete SPI/BHO/IE right-click menu/WFP CALLOUT
28. DLL/Driver loader
29. Turn LKD and DSE ON/OFF dynamically (this function will trigger PatchGuard and lead to a BSOD; designed for advanced users)
30. "Funny" functions (some "funny" functions require payment)

Requirement
===========
1. Win7x64/Win2008R2/Win8x64/Win2012/Win8.1x64/Win2012R2 (builds 7600/7601/9200/9600)
2. Win7x64 and Win2008R2 need Microsoft .NET Framework 4 installed (download URL: http://www.microsoft.com/en-us/download/details.aspx?id=17718)
3. Administrator privileges are required (right-click Win64AST.exe and choose "Run as administrator")
4. If you want to use "Behavior Monitor", your computer should have at least a 2-core processor and 8GB of RAM

Bugs
====
1. May run slowly on old computers (e.g. AMD Athlon II X2 245 + 2GB DDR2)
2. Memory leak

Other
=====
QQ group: 173718777
Author info: Tesla.Angela (Chinese, male, graduated from GDUT)
Publish page: www.kernelmode.info/forum/viewtopic.php?f=11&t=1691 (Another page: win64ast.m5home.com [CHINESE LANGUAGE])

Appendix: Kernel Explorer Command
=================================
General notes:
1. You can use DEC numbers (123456) and HEX numbers (0xABCD).
2. "Function" includes SSDT functions, Shadow SSDT functions and the export table of NTOSKRNL.EXE.
3. You should run the "syminit" command first to initialize symbols.
4. Improper operations may lead to a BSOD.
------
db Address/Function Count             (Display the specified count of BYTEs, default is 128)
Example: [db 0xFFFFF8001234567 0x64], [db NtUserPostMessage], [db ntopenprocess 2048]
------
dw Address/Function Count             (Display the specified count of WORDs, default is 64)
Example: [dw 0xFFFFF8001234567 0x64], [dw NtUserPostMessage], [dw ntopenprocess 2048]
------
dd Address/Function Count             (Display the specified count of DWORDs, default is 32)
Example: [dd 0xFFFFF8001234567 0x64], [dd NtUserPostMessage], [dd ntopenprocess 2048]
------
dq Address/Function Count             (Display the specified count of QWORDs, default is 16)
Example: [dq 0xFFFFF8001234567 0x64], [dq NtUserPostMessage], [dq ntopenprocess 2048]
------
eb Address/Function b1 b2 b3 ... bN   (Write a BYTE or a BYTE array to the specified address)
Example: [eb 0xFFFFF8001234567 0x64], [eb NtUserPostMessage 0xC3 0x90]
------
ew Address/Function w1 w2 w3 ... wN   (Write one or more WORDs to the specified address)
Example: [ew 0xFFFFF8001234567 0x6464], [ew NtUserPostMessage 0x90C3 0x90C3]
------
ed Address/Function d1 d2 d3 ... dN   (Write one or more DWORDs to the specified address)
Example: [ed 0xFFFFF8001234567 0x64646464], [ed NtUserPostMessage 0x909090C3 0x909090C3 0x909090C3 0x909090C3]
------
eq Address/Function q1 q2 q3 ... qN   (Write one or more QWORDs to the specified address)
Example: [eq 0xFFFFF8001234567 0x6464646464646464], [eq NtUserPostMessage 0x90909090909090C3 0x90909090909090C3]
------
ub Address/Function InstructionCount  (Disassemble at an address, default instruction count is 8; "u" is an alias of this command)
Example: [ub 0xFFFFF8001234567 0x64], [ub NtUserPostMessage]
------
uf Address/Function                   (Disassemble the whole function)
Example: [uf 0xFFFFF8001234567], [uf NtUserPostMessage]
------
dt StructName                         (Return the size of a structure)
Example: [dt eprocess], [dt _list_entry]
------
dtx StructName                        (Return the size of a structure; supports wildcards (needs symbol file): XX*/*XX/XX*YY/*XX*/*/NT!*/WIN32K*)
Example: [dtx *INFO], [dtx *], [dtx win32k!*]
------
x FunctionName                        (Return the address of a function; supports wildcards (needs symbol file): XX*/*XX/XX*YY/*XX*/*/NT!*/WIN32K*)
Example: [x ntopenprocess], [x NtUserPostMessage], [x *Process], [x Ki*Service], [x *Terminate*]
------
ln Address                            (Return the function name and module name for an address)
Example: [ln 0xFFFFF8001234567]
------
kma Length                            (Allocate kernel memory and return its start address, like the C runtime function "malloc")
Example: [kma 20]
------
kfr StartAddress                      (Release kernel memory, like the C runtime function "free")
Example: [kfr 0xFFFFF8001234567]
------
kms StartAddress Byte Length          (Set a continuous region of kernel memory to a byte value, like the C runtime function "memset")
Example: [kms 0xFFFFF8001234567 0 20]
------
kmc TargetAddress SourceAddress Length (Copy kernel memory, like the C runtime function "memcpy")
Example: [kmc 0xFFFFF8001234567 0xFFFFF8007654321 20]
------
kec StartAddress                      (Execute kernel shellcode)
Example: [kec 0xFFFFF8001234567]
------
vtop EPROCESS VirtualAddress          (Convert a virtual address to a physical address)
Example: [vtop 0xFFFFF8001234567 0x12345678]
------
mpa PhysicalAddress Length            (Map a physical address)
Example: [mpa 0x0 64]
------
umpa VirtualAddress Length            (Unmap a physical address)
Example: [umpa 0xFFFFF8001234567 64]
------
syminit                               (Initialize symbol file)
No Example
------
help                                  (Show help information)
No Example
------
cls                                   (Clear screen)
No Example
------
option OptionName Value               (Set an option value)
|-[option chkmemsafe 1/0] (Turn on/off memory validation)
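The command syntax described in this appendix (DEC/HEX numbers, an Address/Function target, a per-command default Count) is modelled below in Python, as an added example that is not part of Win64AST. It parses the db/dw/dd/dq display commands, resolves a function name through a constructed symbol table (FAKE_SYMBOLS, with made-up addresses), and renders the dump from a constructed 256-byte in-process buffer rather than from kernel memory. A request that would run past the readable buffer is rejected instead of faulting, which is the job the chkmemsafe memory-validation option does for real kernel reads.

```python
"""Model of the Win64AST kernel-explorer display commands (db/dw/dd/dq).

Added example, not code from Win64AST: it parses the command syntax described
above and renders a dump from a CONSTRUCTED in-process buffer, never from
kernel memory."""
import re
import struct

# Element size and default element count per display command, as in the reference.
DISPLAY_COMMANDS = {"db": (1, 128), "dw": (2, 64), "dd": (4, 32), "dq": (8, 16)}

# Constructed stand-in for the real symbol lookup; the addresses are made up.
FAKE_SYMBOLS = {
    "ntopenprocess": 0xFFFFF80001234560,
    "ntuserpostmessage": 0xFFFFF96000123450,
}

# Constructed readable region: 256 bytes 00..ff "mapped" at the fake NtOpenProcess address.
SAMPLE_BASE = FAKE_SYMBOLS["ntopenprocess"]
SAMPLE_MEMORY = bytes(range(256))


def parse_number(token):
    """A DEC number (123456) or a HEX number (0xABCD), per the general notes."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", token):
        return int(token, 16)
    if re.fullmatch(r"[0-9]+", token):
        return int(token, 10)
    raise ValueError(f"not a number: {token}")


def resolve_target(token, symbols=FAKE_SYMBOLS):
    """Address/Function: a numeric literal is an address; anything else is a
    function name looked up case-insensitively (the reference accepts 'ntopenprocess')."""
    try:
        return parse_number(token)
    except ValueError:
        pass
    try:
        return symbols[token.lower()]
    except KeyError:
        raise ValueError(f"unknown function: {token}") from None


def parse_display_command(line):
    """Return (command, address, element_size, count); Count falls back to the default."""
    parts = line.split()
    if not parts or parts[0].lower() not in DISPLAY_COMMANDS:
        raise ValueError(f"not a display command: {line!r}")
    if len(parts) not in (2, 3):
        raise ValueError("usage: db|dw|dd|dq Address/Function [Count]")
    cmd = parts[0].lower()
    size, default_count = DISPLAY_COMMANDS[cmd]
    address = resolve_target(parts[1])
    count = parse_number(parts[2]) if len(parts) == 3 else default_count
    if count <= 0:
        raise ValueError("Count must be positive")
    return cmd, address, size, count


def format_dump(address, size, count, memory, base, bytes_per_line=16):
    """Render `count` little-endian elements of `size` bytes starting at `address`
    as lines of 'address  v1 v2 ...'. `memory` is the readable buffer mapped at `base`."""
    offset = address - base
    if offset < 0 or offset + size * count > len(memory):
        # Refuse reads that leave the known-readable region instead of faulting;
        # this is the role the chkmemsafe option plays for real kernel reads.
        raise ValueError("request exceeds the readable region")
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[size]
    per_line = max(1, bytes_per_line // size)
    lines = []
    for i in range(0, count, per_line):
        values = []
        for j in range(i, min(i + per_line, count)):
            (val,) = struct.unpack_from(fmt, memory, offset + j * size)
            values.append(f"{val:0{size * 2}x}")
        lines.append(f"{address + i * size:016x}  " + " ".join(values))
    return lines


def run_display(line, memory=SAMPLE_MEMORY, base=SAMPLE_BASE):
    """Parse one display command and dump it from the given buffer."""
    cmd, address, size, count = parse_display_command(line)
    return format_dump(address, size, count, memory, base)


if __name__ == "__main__":
    for cmd in ("db ntopenprocess 0x10", "dw 0xFFFFF80001234570 4", "dq NtOpenProcess"):
        print(f"> {cmd}")
        print("\n".join(run_display(cmd)))
    try:
        run_display("db ntopenprocess 2048")   # 2048 bytes exceed the 256-byte region
    except ValueError as err:
        print("rejected:", err)
```

The width of each printed element follows the command (2 hex digits for db, 16 for dq), and the row address advances by 16 bytes per line, so a `dq` with the default Count of 16 yields eight rows of two QWORDs. Only the read path is modelled; the write commands (eb/ew/ed/eq) and the kernel memory helpers need the driver and have no in-process equivalent here.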

Appendix: MS Tools Download
===========================
WINDBG:  http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/setup/WinSDKDebuggingTools_amd64/dbg_amd64.msi
DbgView: http://download.sysinternals.com/files/DebugView.zip