{"id":20408365,"url":"https://github.com/DErDYAST1R/NmiCallbackBlocker","last_synced_at":"2025-05-08T14:32:07.525Z","repository":{"id":251545899,"uuid":"837725318","full_name":"i32-Sudo/NmiCallbackBlocker","owner":"i32-Sudo","description":"Kernel Level NMI Callback Blocker","archived":false,"fork":false,"pushed_at":"2024-08-29T02:49:08.000Z","size":37,"stargazers_count":9,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-08-29T03:47:37.814Z","etag":null,"topics":["be","blocker","bypass","callback","driver","eac","exploit","hvci","hyperguard","nmi","ntoskrnl","patchguard","project","undetected","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/i32-Sudo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-03T20:45:13.000Z","updated_at":"2024-08-29T02:49:11.000Z","dependencies_parsed_at":"2024-08-24T20:19:51.883Z","dependency_job_id":"c06eb8d7-99c3-4e8d-8cfb-a24f275d18c9","html_url":"https://github.com/i32-Sudo/NmiCallbackBlocker","commit_stats":null,"previous_names":["i32-sudo/nmicallbackblocker"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/i32-Sudo%2FNmiCallbackBlocker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/i32-Sudo%2FNmiCallbackBlocker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/i32-Sudo%2FNmiCallbackBlocker/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/i32-Sudo%2FNmiCallbackBlocker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/i32-Sudo","download_url":"https://codeload.github.com/i32-Sudo/NmiCallbackBlocker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224737431,"owners_count":17361345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["be","blocker","bypass","callback","driver","eac","exploit","hvci","hyperguard","nmi","ntoskrnl","patchguard","project","undetected","windows"],"created_at":"2024-11-15T05:30:38.038Z","updated_at":"2025-05-08T14:32:02.226Z","avatar_url":"https://github.com/i32-Sudo.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Warning ⚠️\n***THERE ARE NO ANTI-CHEAT PROTECTIONS IN THIS PROJECT. USE A BASE DRIVER THAT IS ALREADY UNDETECTED; THIS IS JUST A CONCEPT PROJECT.***\n# Explanation\nThe driver signature-scans ntoskrnl for the code that maintains the NMI-in-progress state and then sets every active processor's bit in that affinity mask, so the kernel's NMI dispatcher treats each NMI as already being handled on that core and skips the registered callback list instead of running it. Anti-cheats such as EAC and BattlEye register those callbacks (KeRegisterNmiCallback) to interrupt every core and capture the thread and stack it was running; see the EAC walker below. The driver itself is not hidden by this code: the Notes section lists the spoofing and string-encryption work that still has to be done.\n# Function\n1. Signature-scan ntoskrnl for NMI_IN_PROGRESS with a Windows 11 23H2 signature and return the hit cast to PKNMI_HANDLER_CALLBACK so it can be walked and modified directly (DKOM). The signature is build-specific: `81 25` encodes `and dword ptr [rip+disp32], imm32` and `B9` encodes `mov ecx, imm32`; the wildcarded bytes are the displacement and the two immediates, which change between builds.\n```cpp\n// Returns the signature hit as the list head that step 2 walks.\n// KNMI_HANDLER_CALLBACK is not in the public headers; the project's definition is not shown here.\nPKNMI_HANDLER_CALLBACK SigscanKiNmiCallbackListHead() {\n\t// nmi_in_progress signature (23H2): 81 25 ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ??\n\tchar NmiSignature[] = \"\\x81\\x25\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xB9\\x00\\x00\\x00\\x00\"; // use XOR to encrypt this (will get sig scanned by ac)\n\tchar NmiSignatureMask[] = \"xx????????x????\"; // 'x' must match, '?' is a wildcard; use XOR to encrypt this too\n\tuintptr_t nmi_in_progress = modules::find_pattern(ntos_base_address,\n\t\tNmiSignature,\n\t\tNmiSignatureMask);\n\n\treturn reinterpret_cast\u003cPKNMI_HANDLER_CALLBACK\u003e(nmi_in_progress);\n}\n```\n2. Walk the KiNmiCallbackList from that head, skip forward to the first 0x48 (REX.W prefix) byte and three bytes past it, and set every active processor's bit in the affinity mask expected there so the NMI callbacks are never executed. Note that the inner scan starts from KiNmiCallbackListHead rather than CurrentNMI, so every iteration of the outer loop patches the same location; the list walk only decides how many times that happens.\n```cpp\n#include \u003cntifs.h\u003e\n#include \u003cstdint.h\u003e\n\nPKNMI_HANDLER_CALLBACK KiNmiCallbackListHead = nullptr;\nextern \"C\" NTSTATUS PreventNMIExecution() {\n\tKiNmiCallbackListHead = SigscanKiNmiCallbackListHead();\n\tPKNMI_HANDLER_CALLBACK CurrentNMI = KiNmiCallbackListHead;\n\twhile (CurrentNMI) {\n\t\t// The scan starts at the list head, not at CurrentNMI (see the note above).\n\t\tuint8_t* nmi_in_progress = reinterpret_cast\u003cuint8_t*\u003e(KiNmiCallbackListHead);\n\n\t\t// Skip to the first REX.W (0x48) byte; there is no upper bound on this scan.\n\t\twhile (*nmi_in_progress != 0x48) {\n\t\t\t++nmi_in_progress;\n\t\t}\n\n\t\t// Step past the 3-byte opcode to where the affinity mask is expected.\n\t\tnmi_in_progress = reinterpret_cast\u003cuint8_t*\u003e(reinterpret_cast\u003cintptr_t\u003e(nmi_in_progress) + 3);\n\n\t\tauto irql = KfRaiseIrql(0); // as written this targets IRQL 0 (PASSIVE_LEVEL). Use Udman Spoof to not get logged by this\n\n\t\tULONG cores = KeQueryActiveProcessorCount(NULL); // Use Udman Spoof to not get logged by this\n\n\t\t// Mark an NMI as in progress on every core so the dispatcher skips the callbacks.\n\t\tfor (auto i = 0ul; i \u003c cores; ++i) {\n\t\t\tKeInterlockedSetProcessorAffinityEx((PKAFFINITY_EX)nmi_in_progress, i); // Use Udman Spoof to not get logged by this\n\t\t\tInterlockedBitTestAndSet64(reinterpret_cast\u003cLONG64*\u003e(nmi_in_progress), i);\n\t\t}\n\n\t\tKeLowerIrql(irql); // Use Udman Spoof to not get logged by this\n\n\t\tCurrentNMI = CurrentNMI-\u003eNext;\n\t}\n\treturn STATUS_SUCCESS;\n}\n```\n# EAC NMI Walker\nReconstructed EAC NMI callback (not the author's code). It runs once on each core and records the interrupted thread's identity, start address, stack bounds, GDTR, CR3 and the top 1 KB of its kernel stack, which is exactly what the blocker above keeps from running.\n```cpp\n// Not My Code (reconstructed EAC callback)\nBOOLEAN EAC::NmiCallbackRoutine( PVOID Context, BOOLEAN Handled )\n{\n\tauto* callback_context = reinterpret_cast\u003c EAC_NMI_CALLBACK_CONTEXT* \u003e( Context );\n\t\n\t// One data block per processor; the NMI lands on every core.\n\tauto* data = \u0026callback_context-\u003edata_blocks[ KeGetCurrentProcessorNumberEx( NULL ) ];\n\t\n\t// Only the first NMI on this core fills the block.\n\tif ( !data-\u003egdtr_value.base )\n\t{\n\t\tconst auto* current_thread = PsGetCurrentThread();\n\t\t__sgdt( \u0026data-\u003egdtr_value );\n\t\tdata-\u003ethread_id = PsGetCurrentThreadId();\n\t\tdata-\u003ethread_process_id = PsGetThreadProcessId( current_thread );\n\t\tdata-\u003ethread_SystemCallNumber = current_thread-\u003eSystemCallNumber;\n\t\tdata-\u003ethread_StartAddress = current_thread-\u003eStartAddress;\n\t\tdata-\u003ethread_StackLimit = current_thread-\u003eStackLimit;\n\t\tdata-\u003ethread_StackBase = current_thread-\u003eStackBase;\n\t\tdata-\u003epcr_HalReserved_8 = KeGetPcr()-\u003eHalReserved[ 8 ];\n\t\tdata-\u003ecr3_value = __readcr3();\n\t\t// Copy the top 1 KB of the interrupted kernel stack.\n\t\tdata-\u003estack_copy_number_of_bytes = 1024;\n\t\tstd::memcpy( \u0026data-\u003estack_copy, _AddressOfReturnAddress(), 1024 );\n\t\t_InterlockedIncrement( \u0026callback_context-\u003ecounter );\n\t}\n\t\n\treturn TRUE;\n}\n// Not My Code\n```\n# Notes\nYou will need to add and use the following, because the code as written is detected by default through tracing and call tracing (if loaded with a standard NtLoadDriver call or as a standard service):\n- Udman Spoof calls to avoid tracing\n- XOR for strings \u0026 signatures\n- SpoofCall \u0026 SpoofFunc functions\n# PatchGuard \u0026 HVCI\nWriting to this kernel state triggers PatchGuard. Trying to bypass PatchGuard triggers HyperGuard's high-level protections, and if HVCI is also in play (say with Valorant/VGK) the writes to the NMI list either cause a BSOD or are blocked, so nothing changes. I have figured these issues out on my own for my personal driver, but if you have a bypass for PatchGuard / HyperGuard and don't use HVCI protection (for BE/EAC), this will work.\n# Contact\nIf you want to contact me regarding my work or projects, my Discord is -\u003e `_chisla`. Please do not message me about issues or for learning/studying; I am not a teacher.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDErDYAST1R%2FNmiCallbackBlocker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDErDYAST1R%2FNmiCallbackBlocker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDErDYAST1R%2FNmiCallbackBlocker/lists"}
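Added example (the editor's, not code from the NmiCallbackBlocker project): a masked signature scanner of the kind step 1 of the README calls as `modules::find_pattern` but never shows, run over a constructed byte buffer standing in for the ntoskrnl `.text` section, plus the step the project's snippet leaves out: resolving the RIP-relative operand of the matched `81 25 disp32 imm32` instruction to the virtual address of the variable it references, instead of treating code bytes as a data structure. The buffer contents, the fake image base `0xFFFFF80012340000`, the displacement `0x1234` and all function names are assumptions chosen for the demonstration; the encoding rules (`81 25` = `and dword ptr [rip+disp32], imm32`, target = address of the next instruction + sign-extended disp32) are standard x86-64.

```c
/* Added example (not from the NmiCallbackBlocker project): masked signature
 * scan + RIP-relative operand resolution over a CONSTRUCTED buffer that
 * stands in for ntoskrnl's .text. Builds and runs as plain user-mode C. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same convention as the README: 'x' = byte must match, anything else = wildcard. */
static const uint8_t NMI_SIG[]  = "\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\xB9\x00\x00\x00\x00";
static const char    NMI_MASK[] = "xx????????x????";

/* Offset of the first match in base[0..size), or -1 when there is none. */
ptrdiff_t find_pattern(const uint8_t *base, size_t size,
                       const uint8_t *sig, const char *mask)
{
    size_t len = strlen(mask);
    if (len == 0 || size < len)
        return -1;
    for (size_t i = 0; i + len <= size; i++) {
        size_t j = 0;
        while (j < len && (mask[j] != 'x' || base[i + j] == sig[j]))
            j++;
        if (j == len)
            return (ptrdiff_t)i;
    }
    return -1;
}

/* 81 25 disp32 imm32 = and dword ptr [rip+disp32], imm32 (10 bytes long).
 * RIP-relative operands are relative to the END of the instruction, so
 * target = insn_va + 10 + sign-extended disp32. 'insn' points at the 0x81. */
uint64_t resolve_rip_relative(const uint8_t *insn, uint64_t insn_va)
{
    int32_t disp;
    memcpy(&disp, insn + 2, sizeof disp);   /* little-endian disp32 after 81 25 */
    return insn_va + 10 + (uint64_t)(int64_t)disp;
}

/* CONSTRUCTED stand-in for .text: 0xCC filler, a decoy at 0x10 that matches
 * the first ten bytes but ends in B8 (mov eax) instead of B9 (mov ecx), and
 * the real instruction pair at REAL_OFF with disp32 = 0x1234. */
#define TEXT_VA  0xFFFFF80012340000ULL   /* assumed image base, not a real one */
#define REAL_OFF 0x40
static uint8_t fake_text[0x80];

static void build_sample(void)
{
    static const uint8_t decoy[] = { 0x81,0x25, 0x10,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF, 0xB8, 0x01,0x00,0x00,0x00 };
    static const uint8_t real[]  = { 0x81,0x25, 0x34,0x12,0x00,0x00, 0xFB,0xFF,0xFF,0xFF, 0xB9, 0x10,0x00,0x00,0x00 };
    memset(fake_text, 0xCC, sizeof fake_text);
    memcpy(fake_text + 0x10, decoy, sizeof decoy);
    memcpy(fake_text + REAL_OFF, real, sizeof real);
}

/* Offset of the signature in the sample (REAL_OFF; the decoy is rejected by the mask). */
ptrdiff_t scan_offset(void)
{
    build_sample();
    return find_pattern(fake_text, sizeof fake_text, NMI_SIG, NMI_MASK);
}

/* Virtual address the matched 'and' operates on, or 0 when the signature is absent. */
uint64_t scan_and_resolve(void)
{
    ptrdiff_t off = scan_offset();
    if (off < 0)
        return 0;
    return resolve_rip_relative(fake_text + off, TEXT_VA + (uint64_t)off);
}

/* Negative displacements must sign-extend: disp32 = -0x10 at VA 0x1000 gives 0xFFA. */
uint64_t resolve_negative_disp(void)
{
    static const uint8_t insn[] = { 0x81,0x25, 0xF0,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00 };
    return resolve_rip_relative(insn, 0x1000);
}

int main(void)
{
    printf("signature hit at offset 0x%lx (decoy at 0x10 rejected)\n", (long)scan_offset());
    printf("and-operand resolves to 0x%" PRIx64 "\n", scan_and_resolve());
    printf("negative disp32 check: 0x%" PRIx64 "\n", resolve_negative_disp());
    return 0;
}
```

The decoy at offset 0x10 matches the first ten bytes but carries `B8` where the mask demands `B9`, which is exactly what the `x` positions in the mask are for. A real scanner should also restrict the search to the image's executable sections and treat more than one hit as a failure, since a signature that matches twice is useless as a locator and silently picking the first hit is how build-specific signatures break.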