Skip to content
/ NTMemory Public

Usermode NT Explorer - Query kernel addresses, translate virtual to physical addresses, inspect the PFN database, and more.

License

MIT license
63 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zer0condition/NTMemory

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
NTMemory
NTMemory
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
NTMemory.sln
NTMemory.sln
 
 
README.md
README.md
 
 
res.gif
res.gif
 
 

Repository files navigation

NTMemory - Usermode NT Explorer

Demo

Overview

NTMemory is a fully usermode Windows NT Explorer.
Query kernel addresses, translate virtual to physical addresses, inspect the PFN database, and more.

Features

Overview

  • Physical memory usage tracking
  • Page file statistics
  • Commit charge monitoring
  • File cache statistics
  • Memory history graphs
  • 8-priority standby list breakdown (P0-P7)
  • Memory list tracking (zeroed, free, modified, modified no-write)
  • Kernel pool statistics (paged and non-paged)
  • Context switches and system calls counters
  • Memory compression statistics (Windows 10+)

Kernel Objects

  • Kernel address enumeration - EPROCESS and KTHREAD pointers for all processes/threads

Kernel Drivers

  • Loaded kernel driver enumeration
  • Driver load order, base addresses, sizes, and paths

Ntoskrnl Exports

  • Kernel export resolution - Full ntoskrnl.exe export table with calculated kernel addresses

Physical Memory

  • Virtual to physical address translation - Translate any kernel VA to PA from usermode via Superfetch
  • PFN database queries - Query Page Frame Number database for page state and usage
  • Physical memory range mapping

Processes

  • Per-process memory statistics (working set, private bytes, page faults)

Pool Tags

  • Kernel pool allocation tracking by tag
  • Paged and non-paged pool usage breakdown
  • Allocation counts per tag

Handles

  • System-wide handle count
  • Handle type breakdown (File, Key, Event, Mutant, Section, Thread, Process, Token, Other)
  • Per-process handle details
  • Handle access rights and values

Performance

  • I/O operation metrics (read, write, other)
  • Per-processor statistics (kernel time, user time, DPC time, interrupts)

Prefetch

  • Application launch history from prefetch files
  • File sizes and last access timestamps

Requirements

  • Windows 10/11 (64-bit)
  • Administrator privileges
  • SysMain service (for Superfetch features)

Building

Requirements

  • Visual Studio 2019+
  • Windows SDK 10.0.19041.0+
  • DirectX 11 SDK

Dependencies

  • Dear ImGui
  • DirectX 11
  • ntdll.lib

License

This project is licensed under the terms of the MIT license.

Acknowledgments

About

Usermode NT Explorer - Query kernel addresses, translate virtual to physical addresses, inspect the PFN database, and more.

Topics

research kernel x64 explorer mmu offsets memory-viewer reversing nt physical-memory ntoskrnl memory-management-paging kernelexplorer

Resources

Readme

License

MIT license
Activity

Stars

63 stars

Watchers

0 watching

Forks

7 forks
Report repository

Releases 1

Release Latest
Jan 13, 2026

Packages

No packages published

Languages