

blair1922 / PoC.cpp
Last active February 7, 2024 17:36
EAC thread bypass in one line 💀
// PoC: clear one ULONG field of the current thread's kernel thread object by raw write.
// NOTE(review): as written, `current_thread` is initialized from itself — the initializer
// reads an indeterminate value (undefined behavior). Presumably a PETHREAD/PKTHREAD
// parameter (or KeGetCurrentThread(), as in the one-line form below) was intended.
const std::uint64_t current_thread = reinterpret_cast<std::uint64_t>(current_thread);
// Raw write to an undocumented, build-specific thread-object offset. 0x560 is hard-coded
// for the author's Windows 11 23H2 and is not validated against the running kernel
// (no version check, no symbol lookup); on another build the same offset may land on an
// unrelated field. Which field 0x560 is cannot be told from this snippet.
*reinterpret_cast<ULONG*>(current_thread + 0x560) = FALSE; // this offset is for my OS version which is windows 11 23h2, you can get offsets at https://www.vergiliusproject.com/
// Debug print of PsIsThreadTerminating() after the write, used as a visible check.
// NOTE(review): PsIsThreadTerminating takes a PETHREAD; passing the std::uint64_t
// without a cast will not compile as shown — confirm the intended type of `current_thread`.
dbg("thread dbg status %i\n", PsIsThreadTerminating(current_thread));
//now the 1line version (meme):
// Same write, with the thread pointer taken from KeGetCurrentThread() inline.
*reinterpret_cast<ULONG*>(reinterpret_cast<std::uint64_t>(KeGetCurrentThread()) + 0x560) = FALSE;
blair1922 / PoC_Stripped.cpp
Last active February 4, 2024 15:32
PatchNotGuard
// Syscalls can be hooked without triggering KPP/PatchGuard; this is just a for-fun project.
PVOID DisgustingPatchGuard = Utils::FindPatternImage( KBase, "\x40\x53\x48\x83\xEC\x30\x8B\x41\x18" );
if ( !DisgustingPatchGuard )
{
Utils::ThrowException( _( "C4GE: FAILED TO FIND PATCHGUARD INITIALIZATION CONTEXT" ) );
return STATUS_INVALID_ADDRESS;
}
DisgustingPatchGuard = RVA( DisgustingPatchGuard, 7 );
if ( !DisgustingPatchGuard )
blair1922 / vgm_ctx_stripped.hpp
Last active January 26, 2024 22:05
my CPU's temperature is too high
//
// <function>
// VgmCtx::BlockSwapContextHooks()
// </function>
// <purpose>
// Prevents all Vanguard TLB-flushing and PML4 page remapping/copying routines in 9 lines
// by setting up a thermal-sensor interrupt that is not registered directly in the IDT
// </purpose>
//
VOID BlockSwapContextHooks()
// DoggoHook <CDumper.hpp>
namespace Dumper {
class Instruction {
ZydisDecodedInstruction instr;
uintptr_t address;
public:
// Stores a decoded Zydis instruction together with the address it was decoded at.
// Both arguments are copied into the members of the same name (the parameters
// intentionally shadow the members inside the mem-initializer list).
Instruction(const ZydisDecodedInstruction& instr, uintptr_t address) : instr(instr), address(address) {}
blair1922 / DriverMain.c
Created December 23, 2023 20:51
Usermode->Kernel communication using Events
#include <ntifs.h>
// Name of the event object shared between the driver and user mode.
// NOTE(review): the `Global\` prefix is a Win32 (kernel32) namespace alias, not an NT
// object-manager path; from kernel mode the equivalent is normally
// `\BaseNamedObjects\EventMeme`. Verify against how DriverEntry opens or creates the
// event — its body is outside this view.
const wchar_t* EVENT_NAME = L"Global\\EventMeme";
extern "C"
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
blair1922 / FilterCallback.c
Created December 21, 2023 18:11
WeBreakVM
// We Break VM (ring3)
NTSTATUS FilterMachineCallbacks( )
{
PTP_CALLBACK_INSTANCE CallInst;
PULONG_PTR PageNum, Pages;
DisassociateCurrentThreadFromCallback( CallInst );
if ( AllocateUserPhysicalPages( GetCurrentProcess( ), PageNum, Pages ) )
{
if ( Pages[ 8771 ] == NVMeDataTypeLogPage ) // Always NVMe data type on real NVMe drivers and not VM drives. All systems.
{
blair1922 / Thread.c
Last active December 17, 2023 17:08
Create legit kernel system thread
//
// InterDKOM - Making magic happen
// -> Thread.c
//
NTSTATUS
InterDkom::Core::PsCreateLegitSystemThread
(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
blair1922 / register_shot.cc
Created December 16, 2023 22:36
fortnite health/shield esp estimator (90% accurate)
//
// stripped off projectnino
// register_shot.cc: 14
//
const auto memes::etw_get_registered_shot_event[&] = ( {
this->registered_bullet.weapon_capacitor = reinterpret_cast< pawn* >( this->registered_bullet.sender )->current_weapon;
this->registered_damage = static_cast< float >( this->cached_estimated_health_and_shield - GET_DAMAGE_MULTIPLIER( ##this->registered_bullet.weapon_capacitor ) );
if ( this->cached_estimated_health_and_shield >= 205 )
this->event_register_count -= 5.0f;
return true;
blair1922 / inject.c
Created November 25, 2023 15:44
Threaded kernel-mode DLL manual mapper exploiting a vulnerable RWX section within signed memory.
//Replace Zw... functions with your own memory managing implementation
//And hide your thread (it is not needed here but makes code execution easier)
//Solution tested and working on Rust(EAC) and EFT(BE) on Windows 11 Pro 22h2
#include "util.h"
ULONG_PTR FindRwxSection(PCHAR moduleName)
{
ULONG_PTR moduleBase = GetModuleBaseAddress(moduleName);
if (moduleBase == 0)
return 0;
blair1922 / DriverImpersonator.c
Created August 27, 2023 21:31
Impersonate kernelmode drivers
#include <ntifs.h>
#include <ntddk.h>
// BYTE is a Win32 (minwindef.h) type; presumably the kernel headers included above do
// not define it, hence the local typedef — confirm before removing.
typedef unsigned char BYTE;
// C4152 is MSVC's "nonstandard extension used: function/data pointer conversion in
// expression". Disabling it silences that class of cast for the rest of the file rather
// than fixing the individual conversions — a deliberate trade-off worth revisiting.
#pragma warning(disable : 4152)
extern NTKERNELAPI NTSTATUS ObCreateObject(
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
IN POBJECT_TYPE ObjectType,