Haschwalth is a Rust-based Windows WDM kernel driver with a companion user-mode client named Requiem. The driver exposes a \\.\Haschwalth device and accepts buffered IOCTL requests for process, token, callback, and driver-list manipulation experiments.
This project is intended for authorized research, lab testing, and driver-development study only. Several operations can destabilize or compromise a Windows system if used incorrectly. Do not run it on production machines or systems you do not own or have explicit permission to test.
Haschwalth was developed and tested on Windows 10 20H2 x64, build 19042.
Important: several kernel structure offsets are hardcoded for that build. Haschwalth does not dynamically resolve EPROCESS, ETHREAD, OBJECT_TYPE, or callback-list layout offsets. Before using the driver on another Windows build, verify and update the offsets for the target kernel. Incorrect offsets can cause immediate crashes, memory corruption, or undefined kernel behavior.
Hardcoded offsets currently include:
EPROCESS.ProtectionEPROCESS.ActiveProcessLinksEPROCESS.TokenEPROCESS.ThreadListHeadETHREAD.ThreadListEntryETHREAD.MiscFlagsOBJECT_TYPE.CallbackList- callback entry fields for OB callbacks
.
|-- Cargo.toml # Rust driver crate configuration
|-- build.rs # WDK build integration
|-- makefile.toml # cargo-make entrypoint for WDK driver build tasks
|-- Haschwalth.inx # INF template
`-- src
|-- lib.rs # Driver entrypoint, dispatch routines, IOCTL handlers
`-- ffi.rs # Extra kernel FFI declarations and helper types
The companion client, Requiem, is expected to live in its own repository. Replace the path below with the location where you cloned or created the client:
C:\path\to\Requiem
That client opens \\.\Haschwalth and sends the IOCTLs exposed by the driver. It can run single commands or start an interactive REPL when launched without arguments.
The driver currently implements IOCTL handlers for:
- Sending a test message to the driver log
- Terminating a process by PID
- Clearing PPL protection from a process
- Hiding a process by unlinking it from
ActiveProcessLinks - Copying the SYSTEM process token into a target process
- Applying a protected-process protection byte to a process
- Partially implemented enumeration/removal of selected process/thread/image callback slots
- Enumerating and disabling process/thread object callbacks
- Injecting a DLL path through a user-mode APC flow
- Unlinking the driver from the loaded module list
Some callback enumeration code is experimental. Module ownership lookup for callback routines is currently stubbed and returns empty module metadata.
The enum-callbacks and remove-callback features are not 100% complete yet. The current code includes the command surface and partial driver-side logic, but the real implementation still needs to be completed before these commands can work reliably end to end.
Requiem provides these subcommands:
message <text>
kill <pid>
strip-ppl <pid>
steal <pid>
hide <pid>
protect <pid>
enum-callbacks <cb_type>
remove-callback <cb_type> <index>
inject <pid> <path>
enum-ob-callbacks <object_type>
remove-ob-callback <object_type> <index>
unlink-driver
completions <shell>
Callback type values:
0: process1: thread2: image, for regular callback enumeration only
Note: enum-callbacks and remove-callback are currently incomplete. They are present in the client and driver interface, but the full implementation is still pending and will be added later.
Object callback type values:
0: process1: thread
When Requiem is started without a command, it opens an interactive prompt with history and tab completion.
Install the Windows driver build prerequisites before building:
- Rust toolchain compatible with the project edition
cargo-make- Windows SDK
- Windows Driver Kit / WDK components required by the Rust WDK build flow
Build from the root of the Haschwalth repository:
cargo makeThe build is configured through makefile.toml, which loads the Rust WDK driver makefile generated by wdk-build.
A successful debug build should produce driver artifacts under target\debug, including:
Haschwalth.sys
Haschwalth.inf
Haschwalth.pdb
WDRLocalTestCert.cer
Output names and signing behavior may vary depending on the local WDK/Rust WDK configuration.
Run these commands from an elevated Administrator terminal on a test machine or VM.
If you are using a test-signed driver, enable Windows test-signing mode and reboot:
bcdedit /set testsigning on
shutdown /r /t 0After rebooting, create the kernel service. Replace the path with the location of your built Haschwalth.sys:
sc create Haschwalth type= kernel binPath= "C:\path\to\Haschwalth.sys"Start the driver:
sc start HaschwalthWhen you are done testing, stop and remove the service:
sc stop Haschwalth
sc delete HaschwalthTo disable test-signing mode later, run this from an elevated terminal and reboot:
bcdedit /set testsigning off
shutdown /r /t 0Build the client from its own repository:
cd C:\path\to\Requiem
cargo buildRun the client after the driver is loaded and the \\.\Haschwalth device is available:
.\target\debug\Requiem.exeOr run a single command:
.\target\debug\Requiem.exe message "hello from user mode"If the client fails to open the device, verify that the driver is loaded, that the symbolic link was created, and that the process has sufficient privileges.
- The driver is
#![no_std]and uses the Rust WDK crates. - Driver allocation is backed by
wdk_alloc::WdkAllocator. - Panics abort in both debug and release profiles.
- The driver creates
\Device\Haschwalthand\DosDevices\Haschwalth. - IOCTLs use
METHOD_BUFFERED. - User-mode request structs must stay ABI-compatible with the matching
#[repr(C)]structs in the driver. - The client currently hardcodes the IOCTL numeric values instead of deriving them from a shared crate.
Thanks to the following projects and resources:
Kernel development errors are expensive. Test in a VM with snapshots, kernel debugging available, and no important data on the target system. Re-check offsets before every Windows build change, including cumulative updates.