
Recursive and arbitrary code execution at kernel-level without a system thread creation


zer0condition/ZeroThreadKernel


ZeroThreadKernel

ZeroThreadKernel allows you to execute arbitrary code recursively at kernel level without creating a system thread.

How It Works

It works by hooking a function exported by the DirectX graphics kernel subsystem (dxgkrnl) that is not protected by Kernel Patch Protection (KPP). The hooked function is invoked from our user-mode program through its export in win32u.dll, and that user-mode call serves as the thread for the recursive code execution.

Detection

One way to detect this is to integrity-check the .text section of the hooked module: writing shellcode into the function changes the module's original hash.
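As an added illustration of that check (example code, not part of the ZeroThreadKernel repository), the following Python parses a PE image, hashes only its .text section and compares the result with a trusted baseline. The sample image is constructed inline; in practice the baseline is the signed driver on disk and the current image is a dump of the loaded module, with bytes fixed up at load time (relocations) masked out so they do not produce benign mismatches.

```python
import hashlib
import struct


def text_section_hash(image: bytes) -> str:
    """SHA-256 of the .text section of a PE image laid out as on disk (file or dump)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4  # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]
    section_table = coff + 20 + opt_hdr_size  # 40-byte IMAGE_SECTION_HEADER entries follow
    for i in range(num_sections):
        hdr = section_table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        if name == b".text":
            return hashlib.sha256(image[raw_ptr:raw_ptr + raw_size]).hexdigest()
    raise ValueError(".text section not found")


def text_section_modified(baseline_image: bytes, current_image: bytes) -> bool:
    """True when the .text hash no longer matches the trusted baseline."""
    return text_section_hash(baseline_image) != text_section_hash(current_image)


def build_constructed_image(text_bytes: bytes, timestamp: int = 0) -> bytes:
    """Constructed minimal PE for this demo only (one .text section at 0x200); not a loadable driver."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)  # 1 section, no optional header
    text_offset = 0x200
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(text_bytes), 0x1000, len(text_bytes), text_offset)
               + b"\0" * 16)  # remaining section header fields are unused here
    headers = dos_header + b"PE\0\0" + coff_header + section
    return headers.ljust(text_offset, b"\0") + text_bytes


if __name__ == "__main__":
    text = bytes(range(64))
    clean = build_constructed_image(text)
    # Constructed stand-in for an inline patch: overwrite the first bytes of .text.
    patched = bytearray(clean)
    patched[0x200:0x205] = b"\xff" * 5
    print("patched .text detected:", text_section_modified(clean, bytes(patched)))
    # A header-only change (different timestamp) must not be flagged.
    print("header change flagged:", text_section_modified(clean, build_constructed_image(text, 1)))
```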

Possible circumvention: Hide the hooked driver from the LDR/LoadedModuleList?

Contributing

Contributions are always welcome!

Demo

