https://github.com/th3spl/noimportz
Simple single-file header for creating zero-import drivers. Can be useful, for example, for bypassing forensic memory analysis performed by anti-cheats.
- Host: GitHub
- URL: https://github.com/th3spl/noimportz
- Owner: Th3Spl
- License: mit
- Created: 2024-11-15T22:29:38.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-06-10T14:38:16.000Z (10 months ago)
- Last Synced: 2025-06-10T16:19:12.511Z (10 months ago)
- Topics: anticheat, cpp-features, kernel, pe-header, windows-kernel
- Language: C++
- Size: 37.1 KB
- Stars: 10
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# NoImportz ( By: Th3Spl )
So, I was reading a blog post about cheat detection by anti-cheats (ACs),
specifically [`Detecting manually mapped drivers`](https://tulach.cc/detecting-manually-mapped-drivers/)
written by [`SamuelTulach`](https://github.com/SamuelTulach),
and after reading it I came up with a very simple solution...
I highly suggest reading the article before checking this project out.
## How it works:
So, it's very easy and straightforward, but I would like to explain it so that people
who are just getting into the Windows kernel environment can gather some useful info.
- We get the `PsLoadedModuleList` (which contains all the legitimately loaded drivers)
- We iterate through the list and find the target module's base address
- We dynamically resolve the exports using some `PE Header` knowledge (similar to what `MmGetSystemRoutineAddress` does)
- We then use some modern C++ features to create a single `call` function which can handle everything
And well... that's all. It's actually nothing new or extraordinary, but it can still be useful for someone.
**Note: there will be only one import, `PsLoadedModuleList`, which will most likely be inlined by the compiler
and does not represent a problem since it does not generate a `jmp` (it's just a pointer).**
## Usage:
For a simple code example ready to compile you can check out the [`example project`](https://github.com/Th3Spl/NoImportz/tree/main/NoImportz).
**It requires: `ISO C++17 Standard (/std:c++17)`**
Initialization:
```cpp
/* This will target ONLY ntoskrnl.exe */
NoImportz winapi;

/* In case you want to target a specific module */
NoImportz fltmgr( L"fltmgr.sys" );

/* Initialization check */
if ( !winapi.is_initialized() )
    return STATUS_UNSUCCESSFUL;
```
Calling a function:
```cpp
/* standard call: export name as a string, followed by the function's arguments */
PVOID addr = winapi.call(
    "ExAllocatePool2", POOL_FLAG_NON_PAGED,
    4096, 'TeSt'
);

/* using wrapper MACROs */
addr = ni_call(
    winapi, ExAllocatePool2,
    POOL_FLAG_NON_PAGED, 4096, 'TeSt'
);
```
**Note: if you have to call a function multiple times, you can wrap the call in a dedicated function...**
## Features:
- [x] Supports all modules
- [x] Supports variadic functions
#### By: Th3Spl