NTForge is a Windows 10/11 C++17 vulnerability-research and exploit-reproduction template intended for authorized testing and coordinated reporting to the Microsoft Security Response Center (MSRC). It provides a documented native API resolver, internal structure references, safe memory primitives, diagnostics, resource ownership, tests, and reproducible build/environment tooling.
It is not a weaponized exploit kit. Keep reproductions minimal, isolate research systems, avoid unrelated data or persistence, and follow Microsoft's Coordinated Vulnerability Disclosure process. Submit eligible findings through the official MSRC Researcher Portal.
- Windows 10, version 22H2/build 19045, including properly enrolled ESU research environments, plus applicable supported LTSC editions.
- Windows 11 servicing builds, with primary validation on the exact builds named in a report.
- x64 is the cross-platform default; Visual Studio scripts also expose Win32 and ARM64 builds where the selected SDK/toolchain supports them.
_WIN32_WINNT=0x0A00 is the correct shared compile-time baseline for Windows 10
and Windows 11. Undocumented behavior is gated at runtime by build/export checks;
the macro does not guarantee a private contract exists.
cmake -S . -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release
ctest --test-dir build -C Release --output-on-failure
Or use the platform scripts:
scripts/linux/build.sh scripts/linux/run.sh scripts/linux/test.sh
scripts/macos/build.sh scripts/macos/run.sh scripts/macos/test.sh
scripts/windows/build.ps1 scripts/windows/run.ps1 scripts/windows/test.ps1
Linux and macOS cross-compile Windows x64 binaries with MinGW-w64 and use Wine only for execution. Final vulnerability validation should occur on isolated, fully identified Windows 10/11 systems—not solely under Wine.
- Build and run the unchanged baseline on each target Windows build.
- Capture sanitized version metadata with scripts/windows/collect-system-info.ps1.
- Add the smallest deterministic reproducer and preserve exact status/error data.
- Compare affected and unaffected builds without bypassing platform protections.
- Remove secrets, personal data, credentials, dumps, and unnecessary payloads.
- Submit reproduction steps, impact, expected/actual results, and artifacts to MSRC; coordinate disclosure rather than publishing an unpatched issue.
See docs/research-workflow.md.
main() calls ResolveAllFunctions(). Every pointer has static nullptr
storage and is assigned from its owning module inside a resolver function.
Optional pointers intentionally left unresolved by the original source remain
nullptr. UnresolvedFunctions() provides a complete post-resolution inventory.
Before calling a pointer outside the startup path, test it for nullptr, pass
the correct information-class buffer, and check its NTSTATUS or Win32 result.
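The resolver contract described above, written out as an added example (this is not NTForge's own code): every export has static nullptr storage, only the resolver assigns it from the owning module, unresolved optional exports stay nullptr, UnresolvedFunctions() reports what is missing, and the guarded call checks nullptr, passes a buffer for the named information class, and inspects the NTSTATUS. On Windows the lookup uses the real GetModuleHandleW/GetProcAddress pair against ntdll.dll; on other platforms a constructed stub stands in for ntdll!NtQueryInformationProcess so the file builds and runs offline. The export name NtHypotheticalOptionalExport and all helper names are assumptions made for illustration.

```cpp
// Added example (not NTForge's own code): static nullptr storage, resolver-only
// assignment, an unresolved-export inventory, and a nullptr+NTSTATUS-gated call.
// On Windows the resolver uses GetModuleHandleW/GetProcAddress; elsewhere a
// constructed stub export table stands in so the file builds and runs offline.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cwchar>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#define NTAPI_CALL __stdcall
using BasicInfo = PROCESS_BASIC_INFORMATION;
#else
#define NTAPI_CALL
struct BasicInfo { std::uint8_t raw[48]; };  // constructed: x64 size of PROCESS_BASIC_INFORMATION
#endif

using NTSTATUS_T = std::int32_t;                            // NTSTATUS is a 32-bit LONG on Windows
constexpr bool NtSucceeded(NTSTATUS_T s) { return s >= 0; }
constexpr NTSTATUS_T kStatusInfoLengthMismatch = static_cast<NTSTATUS_T>(0xC0000004u);
constexpr int kProcessBasicInformation = 0;                 // PROCESSINFOCLASS::ProcessBasicInformation

using NtQueryInformationProcess_t =
    NTSTATUS_T(NTAPI_CALL*)(void*, int, void*, unsigned long, unsigned long*);
using NtHypotheticalOptional_t = NTSTATUS_T(NTAPI_CALL*)(void*);

// Static nullptr storage: nothing but ResolveAllFunctions() assigns these.
static NtQueryInformationProcess_t pNtQueryInformationProcess = nullptr;  // required
static NtHypotheticalOptional_t pNtHypotheticalOptional = nullptr;        // optional; may stay nullptr

#ifndef _WIN32
// Constructed stand-in for ntdll!NtQueryInformationProcess(ProcessBasicInformation):
// mirrors the real export's length-mismatch behaviour so the guarded path runs here.
static NTSTATUS_T NTAPI_CALL StubNtQueryInformationProcess(void*, int cls, void* buf,
                                                           unsigned long len, unsigned long* ret) {
    if (cls != kProcessBasicInformation) return static_cast<NTSTATUS_T>(0xC0000003u);  // STATUS_INVALID_INFO_CLASS
    if (ret) *ret = sizeof(BasicInfo);
    if (len < sizeof(BasicInfo)) return kStatusInfoLengthMismatch;
    std::memset(buf, 0, sizeof(BasicInfo));
    return 0;  // STATUS_SUCCESS
}
#endif

struct ExportEntry {
    const wchar_t* module;  // owning module; it must already be mapped, nothing is loaded here
    const char* name;
    void* slot;             // address of the static pointer storage
    bool required;
};

static ExportEntry g_exports[] = {
    { L"ntdll.dll", "NtQueryInformationProcess",    &pNtQueryInformationProcess, true  },
    { L"ntdll.dll", "NtHypotheticalOptionalExport", &pNtHypotheticalOptional,    false },  // hypothetical name
};

static void* LookupExport(const wchar_t* module, const char* name) {
#ifdef _WIN32
    HMODULE h = GetModuleHandleW(module);
    if (h == nullptr) return nullptr;
    return reinterpret_cast<void*>(GetProcAddress(h, name));
#else
    if (std::wcscmp(module, L"ntdll.dll") == 0 && std::strcmp(name, "NtQueryInformationProcess") == 0)
        return reinterpret_cast<void*>(&StubNtQueryInformationProcess);
    return nullptr;
#endif
}

// Assigns every slot from its owning module; returns how many resolved. Unresolved slots stay nullptr.
static std::size_t ResolveAllFunctions() {
    std::size_t resolved = 0;
    for (auto& e : g_exports) {
        void* addr = LookupExport(e.module, e.name);
        std::memcpy(e.slot, &addr, sizeof(addr));
        if (addr != nullptr) ++resolved;
    }
    return resolved;
}

// Post-resolution inventory; required_only=true lists only exports a run cannot proceed without.
static std::vector<std::string> UnresolvedFunctions(bool required_only = false) {
    std::vector<std::string> out;
    for (const auto& e : g_exports) {
        void* addr = nullptr;
        std::memcpy(&addr, e.slot, sizeof(addr));
        if (addr == nullptr && (e.required || !required_only)) out.emplace_back(e.name);
    }
    return out;
}

struct CallResult { bool resolved; NTSTATUS_T status; unsigned long returned; };

static void* CurrentProcessHandle() {
#ifdef _WIN32
    return GetCurrentProcess();
#else
    return nullptr;  // constructed: the stub ignores the handle
#endif
}

// Gate on nullptr, pass a buffer of the caller's size for ProcessBasicInformation, report the NTSTATUS.
static CallResult QueryProcessBasicInfoSized(unsigned long len) {
    if (pNtQueryInformationProcess == nullptr) return { false, 0, 0 };
    std::vector<unsigned char> buf(len);
    unsigned long ret = 0;
    NTSTATUS_T st = pNtQueryInformationProcess(CurrentProcessHandle(), kProcessBasicInformation,
                                               buf.data(), len, &ret);
    return { true, st, ret };
}

int main() {
    ResolveAllFunctions();
    for (const auto& n : UnresolvedFunctions()) std::printf("unresolved: %s\n", n.c_str());
    CallResult r = QueryProcessBasicInfoSized(sizeof(BasicInfo));
    std::printf("resolved=%d status=0x%08x returned=%lu\n", r.resolved,
                static_cast<unsigned>(r.status), r.returned);
    return 0;
}
```

The call helper distinguishes "export not present on this build" (resolved == false) from "export present but the call failed" (an NTSTATUS with the sign bit set), which is the split a report to MSRC needs to preserve; the length-mismatch path is exercised deliberately because the information-class buffer sizes are exactly the kind of contract that differs between builds.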
memory_utils.hpp adds documented, non-concealing helpers for current-process or
caller-authorized process handles. It includes region inspection, range validation,
exact reads/writes, lower-overhead direct copies, typed values, byte vectors,
structured diagnostics, explicit protection scopes, and optional instruction-cache
flushing. See docs/memory-utilities.md.
Additional helpers provide move-only Windows resource ownership, scope-exit cleanup, NTSTATUS/Win32 messages, checked size arithmetic, counted Unicode views, safe object-attribute construction, and a complete unresolved-export report.
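The range validation and checked size arithmetic mentioned in the two paragraphs above are where memory helpers most often go wrong, so here is an added example (not NTForge's own code) of the overflow-safe form beside the naive form it replaces. The Region type, the constructed region values and all function names are assumptions for illustration; on Windows the region base and size would come from a VirtualQuery result.

```cpp
// Added example (not NTForge's own code): overflow-safe range validation and
// checked size arithmetic of the kind the README's memory helpers describe.
// All names are hypothetical; the region and addresses are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

struct Region { std::uintptr_t base; std::size_t size; };  // e.g. from VirtualQuery on Windows

// Naive check: base + size can wrap past UINTPTR_MAX and still pass the comparison.
static bool RangeWithinNaive(std::uintptr_t base, std::size_t size, const Region& r) {
    return base >= r.base && base + size <= r.base + r.size;
}

static std::optional<std::uintptr_t> CheckedAdd(std::uintptr_t a, std::uintptr_t b) {
    if (b > std::numeric_limits<std::uintptr_t>::max() - a) return std::nullopt;
    return a + b;
}

static std::optional<std::size_t> CheckedMul(std::size_t a, std::size_t b) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) return std::nullopt;
    return a * b;
}

// Hardened check: any range whose end cannot be computed without wrapping is rejected.
static bool RangeWithinChecked(std::uintptr_t base, std::size_t size, const Region& r) {
    auto end = CheckedAdd(base, size);
    auto region_end = CheckedAdd(r.base, r.size);
    if (!end || !region_end) return false;
    return base >= r.base && *end <= *region_end;
}

// Typed access: alignment and count * sizeof(T) are both checked before the range test.
template <typename T>
static bool TypedRangeValid(std::uintptr_t addr, std::size_t count, const Region& r) {
    if (addr % alignof(T) != 0) return false;
    auto bytes = CheckedMul(count, sizeof(T));
    return bytes.has_value() && RangeWithinChecked(addr, *bytes, r);
}

// Constructed region and a request whose end wraps, used by main() and the checks.
constexpr Region kRegion{0x10000, 0x1000};
constexpr std::uintptr_t kWrappingBase = std::numeric_limits<std::uintptr_t>::max() - 8;

int main() {
    std::printf("naive accepts wrapping range:   %d\n", RangeWithinNaive(kWrappingBase, 0x20, kRegion));
    std::printf("checked accepts wrapping range: %d\n", RangeWithinChecked(kWrappingBase, 0x20, kRegion));
    std::printf("0x200 x uint64 at 0x10000 fits: %d\n", TypedRangeValid<std::uint64_t>(0x10000, 0x200, kRegion));
    return 0;
}
```

Unsigned wrap-around is well defined in C++, which is exactly why the naive form compiles cleanly and silently accepts a range that ends before it starts; the checked form also rejects a misaligned typed access, so a validated read never depends on the caller having got the arithmetic right.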
See docs/README.md for versioning, undocumented-contract rules, utilities, structures, information classes, build scripts, and MSRC workflow.
- codex: for writing all docs and readmes