Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/i32-sudo/nmicallbackblocker

Kernel Level NMI Callback Blocker
https://github.com/i32-sudo/nmicallbackblocker

be blocker bypass callback driver eac exploit hvci hyperguard nmi ntoskrnl patchguard project undetected windows

Last synced: about 3 hours ago
JSON representation

Kernel Level NMI Callback Blocker

Host: GitHub
URL: https://github.com/i32-sudo/nmicallbackblocker
Owner: i32-Sudo
License: other
Created: 2024-08-03T20:45:13.000Z (3 months ago)
Default Branch: main
Last Pushed: 2024-08-29T02:49:08.000Z (3 months ago)
Last Synced: 2024-08-29T03:47:37.814Z (3 months ago)
Topics: be, blocker, bypass, callback, driver, eac, exploit, hvci, hyperguard, nmi, ntoskrnl, patchguard, project, undetected, windows
Language: C++
Homepage:
Size: 36.1 KB
Stars: 9
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Warning ⚠️

***THERE IS 0 ANTI-CHEAT PROTECTIONS IN THIS PROJECT, PLEASE USE A BASE DRIVER THAT IS ALREADY UNDETECTED, THIS IS JUST A CONCEPT PROJECT.***

# Explenation

The exploit involves scanning for specific signatures in kernel memory, and modifying processor affinity masks to prevent NMIs from executing. This approach employs techniques to avoid detection and tracing.

# Function

1. I do a signature scan for NMI_IN_PROGRESS using 23H2 Signatures for NMI_IN_PROGRESS and import the struct as (PKNMI_HANDLER_CALLBACK) for easy DKOM Modification.

```cpp

	// nmi_in_progress function (signature)

	char NmiSignature[] = "\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\xB9\x00\x00\x00\x00"; // use XOR to encrypt this (will get sig scanned by ac)

	char NmiSignatureMask[] = "xx????????x????"; // use XOR to encrypt this (will get sig scanned by ac)

	uintptr_t nmi_in_progress = modules::find_pattern(ntos_base_address,

		NmiSignature,

		NmiSignatureMask);

    return reinterpret_cast(nmi_in_progress);

```

2. I then after importing the structure loop through the KiNmiCallbackList and change the process affinity of the specific assets to prevent NMI Execution.

```cpp

PKNMI_HANDLER_CALLBACK KiNmiCallbackListHead = nullptr;

extern "C" NTSTATUS PreventNMIExecution() {

	KiNmiCallbackListHead = SigscanKiNmiCallbackListHead();

	PKNMI_HANDLER_CALLBACK CurrentNMI = KiNmiCallbackListHead;

	while (CurrentNMI) {

		uint8_t* nmi_in_progress = reinterpret_cast(KiNmiCallbackListHead);

		while (*nmi_in_progress != 0x48) {

			++nmi_in_progress;

		}

		nmi_in_progress = reinterpret_cast(reinterpret_cast(nmi_in_progress) + 3);

		auto irql = KfRaiseIrql(0); // Use Udman Spoof to not get logged by this

		ULONG cores = KeQueryActiveProcessorCount(NULL); // Use Udman Spoof to not get logged by this

		for (auto i = 0ul; i < cores; ++i) {

			KeInterlockedSetProcessorAffinityEx((PKAFFINITY_EX)nmi_in_progress, i); // Use Udman Spoof to not get logged by this

			InterlockedBitTestAndSet64(reinterpret_cast(nmi_in_progress), i);

		}

		KeLowerIrql(irql); // Use Udman Spoof to not get logged by this

		CurrentNMI = CurrentNMI->Next;

	}

	return STATUS_SUCCESS;

}

```

# EAC NMI Walker

```cpp

BOOLEAN EAC::NmiCallbackRoutine( PVOID Context, BOOLEAN Handled )

{

	auto* callback_context = reinterpret_cast< EAC_NMI_CALLBACK_CONTEXT* >( Context );

	

	auto* data = &callback_context->data_blocks[ KeGetCurrentProcessorNumberEx( NULL ) ];

	

	if ( !data->gdtr_value.base )

	{

		const auto* current_thread = PsGetCurrentThread();

		__sgdt( &data->gdtr_value );

		data->thread_id = PsGetCurrentThreadId();

		data->thread_process_id = PsGetThreadProcessId( current_thread );

		data->thread_SystemCallNumber = current_thread->SystemCallNumber;

		data->thread_StartAddress = current_thread->StartAddress;

		data->thread_StackLimit = current_thread->StackLimit;

		data->thread_StackBase = current_thread->StackBase;

		data->pcr_HalReserved_8 = KeGetPcr()->HalReserved[ 8 ];

		data->cr3_value = __readcr3();

		data->stack_copy_number_of_bytes = 1024;

		std::memcpy( &data->stack_copy, _AddressOfReturnAddress(), 1024 );

		_InterlockedIncrement( &callback_context->counter );

	}

	

	return TRUE;

}

// Not My Code

```

# Notes

You will need to add & use (x) as this is detected by default for Tracing & Trace Calls (If using standard NtLoad or standard Service Running).

- Udman Spoof Calls to avoid tracing

- XOR for strings & signatures

- SpoofCall & SpoofFunc Functions

# PatchGuard & HVCI

This will trigger PatchGuard Protections and if trying to bypass PatchGuard will trigger HyperGuard High-Level Protections and if you also use HVCI (say in valorant/VGK) This will trigger a BSOD or block the requests to modify the NMI List and nothing will change. I have figured these issues out on my own for my personal driver but if you have a bypass for PatchGuard / HyperGuard and dont use HVCI Protection (for BE/EAC) this will work.

# Contact

If you want to contact me in regards of my work or projects my discord is -> `_chisla`, Please do not message me for Issues or Learning/Studying I am not a teacher.