NTForge is a Windows 10/11 C++17 vulnerability-research and exploit-reproduction template intended for authorized testing and coordinated reporting to the Microsoft Security Response Center (MSRC). It provides a documented native API resolver, internal structure references, safe memory primitives, diagnostics, resource ownership, tests, and reproducible build/environment tooling.

It is not a weaponized exploit kit. Keep reproductions minimal, isolate research systems, avoid unrelated data or persistence, and follow Microsoft's Coordinated Vulnerability Disclosure process. Submit eligible findings through the official MSRC Researcher Portal.

Supported research targets

  • Windows 10, version 22H2/build 19045, including properly enrolled ESU research environments, plus applicable supported LTSC editions.
  • Windows 11 servicing builds, with primary validation on the exact builds named in a report.
  • x64 is the cross-platform default; Visual Studio scripts also expose Win32 and ARM64 builds where the selected SDK/toolchain supports them.

_WIN32_WINNT=0x0A00 is the correct shared compile-time baseline for Windows 10 and Windows 11. Undocumented behavior is gated at runtime by build/export checks; the macro does not guarantee a private contract exists.

Quick start

cmake -S . -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release
ctest --test-dir build -C Release --output-on-failure

Or use the platform scripts:

scripts/linux/build.sh       scripts/linux/run.sh       scripts/linux/test.sh
scripts/macos/build.sh       scripts/macos/run.sh       scripts/macos/test.sh
scripts/windows/build.ps1    scripts/windows/run.ps1    scripts/windows/test.ps1

Linux and macOS cross-compile Windows x64 binaries with MinGW-w64 and use Wine only for execution. Final vulnerability validation should occur on isolated, fully identified Windows 10/11 systems—not solely under Wine.

Research workflow

  1. Build and run the unchanged baseline on each target Windows build.
  2. Capture sanitized version metadata with scripts/windows/collect-system-info.ps1.
  3. Add the smallest deterministic reproducer and preserve exact status/error data.
  4. Compare affected and unaffected builds without bypassing platform protections.
  5. Remove secrets, personal data, credentials, dumps, and unnecessary payloads.
  6. Submit reproduction steps, impact, expected/actual results, and artifacts to MSRC; coordinate disclosure rather than publishing an unpatched issue.

See docs/research-workflow.md.

Resolver contract

main() calls ResolveAllFunctions(). Every pointer has static nullptr storage and is assigned from its owning module inside a resolver function. Optional pointers intentionally left unresolved by the original source remain nullptr. UnresolvedFunctions() provides a complete post-resolution inventory.

Before calling a pointer outside the startup path, test it for nullptr, pass the correct information-class buffer, and check its NTSTATUS or Win32 result.
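
The resolver contract described above, as an added example that is not NTForge's own code: a table-driven resolver with static nullptr storage, an optional export that stays nullptr, an UnresolvedFunctions() inventory, and a guarded call that tests the pointer and returns an NTSTATUS. The export lookup is injected so the snippet compiles without the Windows SDK; StubLookup, StubQuery, CallChecked and the NtOptionalPrivateExport name are constructed for illustration, and on Windows the lookup would wrap GetModuleHandleW and GetProcAddress.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

using NTSTATUS = std::int32_t;                  // negative (high bit set) means failure
constexpr bool NT_SUCCESS(NTSTATUS s) { return s >= 0; }
constexpr NTSTATUS STATUS_NOT_IMPLEMENTED = static_cast<NTSTATUS>(0xC0000002);

// Export lookup is injected so the pattern compiles without the Windows SDK;
// on Windows it would wrap GetModuleHandleW + GetProcAddress.
using Lookup = void* (*)(const char* module, const char* name);
// Resolver entry: owning module, export name, static nullptr storage, may-stay-unresolved flag.
struct ExportRef { const char* module; const char* name; void** storage; bool optional; };
// Every pointer starts as static nullptr and is assigned only by the resolver.
static void* g_NtQueryInformationProcess = nullptr;
static void* g_NtOptionalPrivateExport = nullptr;   // hypothetical optional export
static const ExportRef kExports[] = {
    {"ntdll.dll", "NtQueryInformationProcess", &g_NtQueryInformationProcess, false},
    {"ntdll.dll", "NtOptionalPrivateExport",   &g_NtOptionalPrivateExport,   true},
};

// Resolve each export from its owning module; false if a required one is missing.
bool ResolveAllFunctions(Lookup lookup) {
    bool ok = true;
    for (const auto& e : kExports) {
        *e.storage = lookup(e.module, e.name);
        if (*e.storage == nullptr && !e.optional) ok = false;
    }
    return ok;
}

// Complete post-resolution inventory of pointers that are still nullptr.
std::vector<std::string> UnresolvedFunctions() {
    std::vector<std::string> out;
    for (const auto& e : kExports)
        if (*e.storage == nullptr) out.push_back(std::string(e.module) + "!" + e.name);
    return out;
}

// Guarded call: never touches an unresolved pointer; returns the callee's NTSTATUS.
template <typename Fn, typename... Args>
NTSTATUS CallChecked(void* fnptr, Args... args) {
    if (fnptr == nullptr) return STATUS_NOT_IMPLEMENTED;
    return reinterpret_cast<Fn>(fnptr)(args...);
}
// Constructed stand-in for GetProcAddress: a build exporting only the documented name.
static NTSTATUS StubQuery(int) { return 0; }     // STATUS_SUCCESS
void* StubLookup(const char*, const char* name) {
    return std::strcmp(name, "NtQueryInformationProcess") == 0 ? reinterpret_cast<void*>(&StubQuery) : nullptr;
}
```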

Memory utilities

memory_utils.hpp adds documented, non-concealing helpers for current-process or caller-authorized process handles. It includes region inspection, range validation, exact reads/writes, lower-overhead direct copies, typed values, byte vectors, structured diagnostics, explicit protection scopes, and optional instruction-cache flushing. See docs/memory-utilities.md.

Additional helpers provide move-only Windows resource ownership, scope-exit cleanup, NTSTATUS/Win32 messages, checked size arithmetic, counted Unicode views, safe object-attribute construction, and a complete unresolved-export report.

See docs/README.md for versioning, undocumented-contract rules, utilities, structures, information classes, build scripts, and MSRC workflow.