Repository: zer0condition/ZeroThreadKernel
Branch: master
Commit: 5e69418ff30d
Files: 16
Total size: 37.7 KB
Directory structure:
gitextract_1qo32x91/
├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── ZeroThreadCaller/
│ ├── ZeroThreadCaller.cpp
│ ├── ZeroThreadCaller.vcxproj
│ └── ZeroThreadCaller.vcxproj.filters
├── ZeroThreadKernel/
│ ├── Includes.h
│ ├── ZeroHook/
│ │ ├── ZeroHook.cpp
│ │ └── ZeroHook.h
│ ├── ZeroThreadKernel.cpp
│ ├── ZeroThreadKernel.vcxproj
│ ├── ZeroThreadKernel.vcxproj.filters
│ └── ZeroUtils/
│ ├── ZeroUtils.cpp
│ └── ZeroUtils.h
└── ZeroThreadKernel.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is needed for earlier builds of msysgit that do not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Oo]ut/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2023 zer0condition
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
<h1>ZeroThreadKernel</h1>
<p>ZeroThreadKernel allows you to execute arbitrary code recursively at kernel level without creating a system thread.</p>
<h2>How It Works</h2>
<p>It works by hooking a function exported by the DirectX graphics kernel subsystem (dxgkrnl) that is not protected by Kernel Patch Protection (KPP). Our user-mode program calls that function through its win32u.dll export, and the calling thread then serves as the thread for the recursive code execution.</p>
<h2>Detection</h2>
<p>One way to detect this is by integrity-checking the .text section of the hooked module: writing our shellcode into the function changes the module's original hash. <br>
Possible circumvention: Hide the hooked driver from the LDR/LoadedModuleList?</p>
<h2>Contributing</h2>
<p>Contributions are always welcome!</p>
<h2>Demo</h2>

---
## Disclaimer
For educational and authorized security research only. Don't use on systems you don't own or have explicit permission to test. I'm not responsible for misuse. Use at your own risk.
================================================
FILE: ZeroThreadCaller/ZeroThreadCaller.cpp
================================================
#include <Windows.h>
#include <iostream>
/* Keep this running, it serves as a "system thread" for the loop in the hook */
/* Trigger value passed as the first argument; the kernel-side hook compares (int)a1 against the same constant. */
#define STARTZEROTHREAD 0x1337
/* Call signature used for the win32u.dll export resolved in main(); argument meanings are not established here. */
typedef __int64(*NtCreateCompositionSurfaceHandle_t)(__int64 a1, unsigned int a2, unsigned __int64 a3);
/* Set by main() from GetProcAddress; NULL until then. */
NtCreateCompositionSurfaceHandle_t oNtCreateCompositionSurfaceHandle;
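/*
 * Entry point: resolves NtCreateCompositionSurfaceHandle from win32u.dll and
 * calls it once with STARTZEROTHREAD as the first argument. With the kernel
 * driver's hook installed that call does not return (the hook loops), so
 * this thread is what keeps the kernel-side loop alive; without the hook the
 * real export is reached with placeholder arguments and, presumably, returns
 * so that getchar() below is reached.
 *
 * Returns 0 in every case. Failing to load the module or to resolve the
 * export is reported on stdout instead of calling through a NULL pointer,
 * which is what the original did when GetProcAddress failed.
 */
int main()
{
    HMODULE hModule = LoadLibraryA("win32u.dll");
    if (!hModule) {
        printf("LoadLibraryA(win32u.dll) failed: %lu\n", GetLastError());
        return 0;
    }
    oNtCreateCompositionSurfaceHandle = (NtCreateCompositionSurfaceHandle_t)GetProcAddress(hModule, "NtCreateCompositionSurfaceHandle");
    printf("NtCreateCompositionSurfaceHandle: %p\n", oNtCreateCompositionSurfaceHandle);
    /* Export missing (or name changed): nothing to call. */
    if (!oNtCreateCompositionSurfaceHandle) {
        FreeLibrary(hModule);
        return 0;
    }
    oNtCreateCompositionSurfaceHandle((int)STARTZEROTHREAD, NULL, NULL);
    getchar();
    FreeLibrary(hModule);
    return 0;
}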
================================================
FILE: ZeroThreadCaller/ZeroThreadCaller.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{b1a4c64e-4ffd-485a-ad7a-90672c9aaa9a}</ProjectGuid>
<RootNamespace>ZeroThreadCaller</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)</OutDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<UACExecutionLevel>HighestAvailable</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="ZeroThreadCaller.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: ZeroThreadCaller/ZeroThreadCaller.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="ZeroThreadCaller.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>
================================================
FILE: ZeroThreadKernel/Includes.h
================================================
#pragma once
#include <ntifs.h>
#include <stdarg.h>
#include <windef.h>
/* Kernel exports used by ZeroUtils that the headers included above do not declare (presumably; confirm against the WDK version in use). */
extern "C" NTKERNELAPI PVOID NTAPI RtlFindExportedRoutineByName(PVOID ImageBase, PCCH RoutineName);
/* Used by ZeroUtils::GetKernelModuleExport with SystemModuleInformation; not part of the documented kernel-mode API surface. */
extern "C" NTKERNELAPI NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
#include "ZeroUtils/ZeroUtils.h"
#include "ZeroHook/ZeroHook.h"
================================================
FILE: ZeroThreadKernel/ZeroHook/ZeroHook.cpp
================================================
#include "ZeroHook.h"
/*
 * 14-byte absolute jump stub. ZeroHook::HookFunction writes it over the start
 * of the hooked function and appends it to the trampoline, patching the
 * 8-byte target at bytes [6..13] in place each time. Because this is one
 * mutable global and nothing serialises access to it, concurrent
 * HookFunction calls would race on the target field.
 */
BYTE JMPShell[] = {
    /*
     * FF 25 00 00 00 00   jmp qword ptr [rip+0]   ; target is the 8 bytes that follow
     * 00 x8               dq 0                    ; absolute target address, filled by HookFunction
     */
    0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
/*
 * Decides how many bytes of Function get relocated into the trampoline.
 *
 * Starts at sizeof(JMPShell) (14) and advances one byte at a time until the
 * byte at Function+Length is 0x45, 0x48 or 0xC3, then returns Length. The
 * result is therefore always >= sizeof(JMPShell).
 *
 * NOTE(review): this is a byte-value heuristic, not a length disassembler.
 * 0x48 and 0x45 are REX prefix bytes (REX.W / REX.RB), not "MOV" opcodes,
 * and all three values can appear inside an immediate, displacement or ModRM
 * byte of a longer instruction, so the returned length can split an
 * instruction. HookFunction copies the relocated bytes verbatim, so any
 * RIP-relative or branch instruction in that range is not fixed up either.
 * The scan has no upper bound: if none of the three bytes occurs it keeps
 * reading past the end of the function.
 */
SIZE_T ZeroHook::GetHookSize(PVOID Function)
{
    SIZE_T Length = sizeof(JMPShell);
    while (true) {
        if (*(BYTE*)((PBYTE)Function + Length) == 0x45) break; // 0x45: REX.RB prefix byte
        if (*(BYTE*)((PBYTE)Function + Length) == 0x48) break; // 0x48: REX.W prefix byte
        if (*(BYTE*)((PBYTE)Function + Length) == 0xC3) break; // 0xC3: RET
        Length++;
    };
    return Length;
}
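/*
 * Installs an inline hook on OriginalFunction that redirects to HookFunction.
 *
 * Steps: (1) GetHookSize picks how many prologue bytes to relocate; (2) a
 * trampoline is allocated from NonPagedPoolExecute holding those bytes
 * followed by a JMPShell back to OriginalFunction + *HookLength; (3) a
 * JMPShell to HookFunction is written over the start of OriginalFunction;
 * (4) relocated bytes beyond the 14-byte stub are overwritten with NOPs.
 *
 * Parameters:
 *   OriginalFunction - address of the function to patch; NULL is rejected.
 *   HookFunction     - address control is redirected to; NULL is rejected.
 *   HookLength       - out: number of bytes relocated into the trampoline.
 *
 * Returns the trampoline (call it to reach the original), or NULL on failure.
 * Every failure path in ZeroUtils::MdlRtlCopyMemory returns before it writes,
 * so on a NULL return the target has not been modified; only a failed NOP
 * fill (step 4) is logged and tolerated.
 *
 * Patches the global JMPShell in place, so this is not safe to call
 * concurrently. All writes to the target go through ZeroUtils' MDL helpers.
 */
PVOID ZeroHook::HookFunction(PVOID OriginalFunction, PVOID HookFunction, SIZE_T* HookLength)
{
    if (!OriginalFunction) {
        Print("[HookFunction] Failed to get function");
        return NULL;
    }
    /* A NULL hook target would be jumped to; a NULL out-pointer would fault below. */
    if (!HookFunction || !HookLength) {
        Print("[HookFunction] Invalid hook target or length pointer");
        return NULL;
    }
    *HookLength = GetHookSize(OriginalFunction);
    PVOID Trampoline = ExAllocatePool(NonPagedPoolExecute, *HookLength + sizeof(JMPShell));
    if (!Trampoline) {
        Print("[HookFunction] Failed to allocate trampoline");
        return NULL;
    }
    /* Relocated prologue first, then a jump back to the first non-relocated byte. */
    if (!NT_SUCCESS(ZeroUtils::MdlRtlCopyMemory(Trampoline, OriginalFunction, *HookLength))) {
        Print("[HookFunction] Failed to copy function to trampoline");
        ExFreePoolWithTag(Trampoline, 0);
        return NULL;
    }
    *(PBYTE*)&JMPShell[6] = (PBYTE)OriginalFunction + *HookLength;
    if (!NT_SUCCESS(ZeroUtils::MdlRtlCopyMemory((PBYTE)Trampoline + *HookLength, &JMPShell[0], sizeof(JMPShell)))) {
        Print("[HookFunction] Failed to write JMPShell on trampoline");
        ExFreePoolWithTag(Trampoline, 0);
        return NULL;
    }
    /* Now redirect the original entry to the hook. */
    *(PBYTE*)&JMPShell[6] = (PBYTE)HookFunction;
    if (!NT_SUCCESS(ZeroUtils::MdlRtlCopyMemory(OriginalFunction, &JMPShell[0], sizeof(JMPShell)))) {
        Print("[HookFunction] Failed to write JMPShell");
        ExFreePoolWithTag(Trampoline, 0);
        return NULL;
    }
    /*
     * NOP the relocated bytes that follow the stub. The original condition was
     * inverted (sizeof(JMPShell) > *HookLength): it could never hold because
     * GetHookSize returns at least sizeof(JMPShell), and had it held the fill
     * length would have underflowed.
     */
    if (*HookLength > sizeof(JMPShell)) {
        if (!NT_SUCCESS(ZeroUtils::MdlRtlFillMemory((PBYTE)OriginalFunction + sizeof(JMPShell), 0x90 /* (NOP) */, *HookLength - sizeof(JMPShell)))) {
            Print("[HookFunction] Failed to NOP the remaining bytes");
        }
    }
    Print("[HookFunction] Function Hooked");
    return Trampoline;
}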
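/*
 * Restores the first HookLength bytes of OriginalFunction from the trampoline
 * (which holds the relocated original bytes) and frees the trampoline.
 *
 * Returns STATUS_SUCCESS once the bytes are restored, STATUS_UNSUCCESSFUL if
 * the restore fails (the trampoline is then kept so the caller can retry),
 * or STATUS_INVALID_PARAMETER if either pointer is NULL.
 *
 * The original had no return statement on the success path, which is
 * undefined behaviour for a non-void function.
 *
 * A thread still executing in the hook or the trampoline when this returns
 * will run freed or unpatched code; the caller must make sure there is none.
 */
NTSTATUS ZeroHook::UnhookFunction(PVOID Trampoline, PVOID OriginalFunction, SIZE_T HookLength)
{
    if (!Trampoline || !OriginalFunction) {
        Print("[UnhookFunction] Invalid trampoline or function pointer");
        return STATUS_INVALID_PARAMETER;
    }
    if (!NT_SUCCESS(ZeroUtils::MdlRtlCopyMemory(OriginalFunction, Trampoline, HookLength))) {
        Print("[UnhookFunction] Failed to restore original bytes");
        return STATUS_UNSUCCESSFUL;
    }
    ExFreePoolWithTag(Trampoline, 0);
    Print("[UnhookFunction] Function Unhooked");
    return STATUS_SUCCESS;
}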
================================================
FILE: ZeroThreadKernel/ZeroHook/ZeroHook.h
================================================
#include "../ZeroUtils/ZeroUtils.h"
namespace ZeroHook
{
    /* Number of bytes HookFunction relocates from Function; a byte-scan heuristic, see ZeroHook.cpp. */
    SIZE_T GetHookSize(PVOID Function);
    /* Patches OriginalFunction to jump to HookFunction; returns the trampoline (NULL on failure) and stores the relocated length in *HookLength. */
    PVOID HookFunction(PVOID OriginalFunction, PVOID HookFunction, SIZE_T* HookLength);
    /* Copies HookLength bytes back from Trampoline onto OriginalFunction and frees the trampoline. */
    NTSTATUS UnhookFunction(PVOID Trampoline, PVOID OriginalFunction, SIZE_T HookLength);
}
================================================
FILE: ZeroThreadKernel/ZeroThreadKernel.cpp
================================================
#include "Includes.h"
/* Trigger value: the hook compares (int)a1 against this; must match the constant in ZeroThreadCaller. */
#define STARTZEROTHREAD 0x1337
/* Signature of dxgkrnl!NtCreateCompositionSurfaceHandle as used here; argument meanings are not established in this file. */
typedef __int64(*NtCreateCompositionSurfaceHandle_t)(__int64 a1, unsigned int a2, unsigned __int64 a3);
/* Address of the original export, resolved in DriverEntry. */
NtCreateCompositionSurfaceHandle_t oNtCreateCompositionSurfaceHandle;
/* Trampoline returned by ZeroHook::HookFunction (relocated prologue + jump back); NULL when hooking failed. */
NtCreateCompositionSurfaceHandle_t TrampolineNtCreateCompositionSurfaceHandle;
/* Number of bytes relocated into the trampoline; UnhookFunction needs it to restore them. */
SIZE_T oNtCreateCompositionSurfaceHandleBytes;
/* Loop counter bumped by the hook; plain global with no synchronisation. */
int Times = 0;
/*
 * Hook body installed over dxgkrnl!NtCreateCompositionSurfaceHandle.
 *
 * When the first argument (truncated to int) equals STARTZEROTHREAD the
 * calling thread enters an unbounded loop that prints and increments the
 * global Times and never returns; that caller thread (ZeroThreadCaller) is
 * the "thread" the README refers to. Every other call is forwarded to the
 * trampoline, i.e. to the original function.
 *
 * Risk notes for anyone running or analysing this:
 *  - The trigger is a plain value in a syscall argument; there is no check on
 *    who the caller is, so any user-mode caller reaching this export can
 *    enter the loop.
 *  - The loop never returns: the caller's syscall never completes and the CPU
 *    it runs on stays busy in this driver. Nothing stops it when DriverUnload
 *    later unhooks and frees the trampoline.
 *  - Times is incremented without any synchronisation.
 */
__int64 __fastcall hkNtCreateCompositionSurfaceHandle(__int64 a1, unsigned int a2, unsigned __int64 a3)
{
    Print("[ZeroThreadKernel] hkNtCreateCompositionSurfaceHandle!");
    if ((int)a1 == (int)STARTZEROTHREAD) /* Sanity check: only the magic first argument enters the loop. */
    {
        while (true) {
            Print("[ZeroThreadKernel] %i", Times);
            Times++;
        }
    }
    /* Not our trigger: run the relocated original prologue and the rest of the function. */
    return TrampolineNtCreateCompositionSurfaceHandle(a1, a2, a3);
}
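/*
 * Unload callback: removes the hook if one was installed.
 *
 * The original called UnhookFunction unconditionally; when HookFunction had
 * failed in DriverEntry the trampoline is NULL and that path copies from a
 * NULL source and frees a NULL pointer. Guarding on the trampoline avoids
 * that. Unhooking does not stop a thread that is already spinning inside
 * hkNtCreateCompositionSurfaceHandle.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (TrampolineNtCreateCompositionSurfaceHandle) {
        ZeroHook::UnhookFunction((PVOID)TrampolineNtCreateCompositionSurfaceHandle, (PVOID)oNtCreateCompositionSurfaceHandle, oNtCreateCompositionSurfaceHandleBytes);
        TrampolineNtCreateCompositionSurfaceHandle = NULL;
    }
}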
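/*
 * Driver entry: resolves dxgkrnl!NtCreateCompositionSurfaceHandle, hooks it
 * with hkNtCreateCompositionSurfaceHandle and records the trampoline and
 * relocated length for DriverUnload.
 *
 * Returns STATUS_SUCCESS when the hook is in place. The original returned
 * STATUS_SUCCESS unconditionally, so a driver whose lookup or hook had failed
 * stayed loaded with NULL globals; this version fails the load instead
 * (STATUS_NOT_FOUND if the export is missing, STATUS_UNSUCCESSFUL if hooking
 * fails). Nothing has been patched on either failure path.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING DriverName)
{
    UNREFERENCED_PARAMETER(DriverName);
    DriverObject->DriverUnload = DriverUnload;
    /* Store the original */
    oNtCreateCompositionSurfaceHandle = (NtCreateCompositionSurfaceHandle_t)ZeroUtils::GetKernelModuleExport("dxgkrnl.sys", "NtCreateCompositionSurfaceHandle");
    Print("NtCreateCompositionSurfaceHandle: %p", oNtCreateCompositionSurfaceHandle);
    if (!oNtCreateCompositionSurfaceHandle) {
        Print("[ZeroThreadKernel] Export not found, refusing to load");
        return STATUS_NOT_FOUND;
    }
    TrampolineNtCreateCompositionSurfaceHandle = (NtCreateCompositionSurfaceHandle_t)ZeroHook::HookFunction((PVOID)oNtCreateCompositionSurfaceHandle, (PVOID)hkNtCreateCompositionSurfaceHandle, &oNtCreateCompositionSurfaceHandleBytes);
    if (!TrampolineNtCreateCompositionSurfaceHandle) {
        Print("[ZeroThreadKernel] Hook failed, refusing to load");
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}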
================================================
FILE: ZeroThreadKernel/ZeroThreadKernel.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>KeHook64</RootNamespace>
<WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <TargetVersion>Windows10</TargetVersion>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
    <ConfigurationType>Driver</ConfigurationType>
    <DriverType>KMDF</DriverType>
    <DriverTargetPlatform>Universal</DriverTargetPlatform>
    <!-- Spectre mitigation (the /Qspectre compiler switch) is explicitly turned off for this
         configuration only; the other configurations do not set it. Anyone building this for
         a kernel should expect this on, or a recorded reason for leaving it off. -->
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<TargetName>$(ProjectName)</TargetName>
<OutDir>$(SolutionDir)$(Platform)</OutDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="ZeroHook\ZeroHook.cpp" />
<ClCompile Include="ZeroThreadKernel.cpp" />
<ClCompile Include="ZeroUtils\ZeroUtils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Includes.h" />
<ClInclude Include="ZeroHook\ZeroHook.h" />
<ClInclude Include="ZeroUtils\ZeroUtils.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: ZeroThreadKernel/ZeroThreadKernel.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="ZeroHook">
<UniqueIdentifier>{a073fe2c-66fe-433a-9201-5bd34f65ef0c}</UniqueIdentifier>
</Filter>
<Filter Include="ZeroUtils">
<UniqueIdentifier>{d23680e8-b4b4-445c-96e5-3fb79fa51945}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="ZeroUtils\ZeroUtils.cpp">
<Filter>ZeroUtils</Filter>
</ClCompile>
<ClCompile Include="ZeroThreadKernel.cpp" />
<ClCompile Include="ZeroHook\ZeroHook.cpp">
<Filter>ZeroHook</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="ZeroHook\ZeroHook.h">
<Filter>ZeroHook</Filter>
</ClInclude>
<ClInclude Include="ZeroUtils\ZeroUtils.h">
<Filter>ZeroUtils</Filter>
</ClInclude>
<ClInclude Include="Includes.h" />
</ItemGroup>
</Project>
================================================
FILE: ZeroThreadKernel/ZeroUtils/ZeroUtils.cpp
================================================
#include "ZeroUtils.h"
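NTSTATUS ZeroUtils::MdlRtlCopyMemory(PVOID Destination, const VOID * Source, SIZE_T Length) {
	// Copies Length bytes from Source into Destination through a temporary
	// kernel-mode MDL mapping rather than writing to Destination directly.
	//
	// The MDL is built with MmBuildMdlForNonPagedPool, so the caller must
	// guarantee that Destination is resident, non-paged memory; nothing here
	// probes or locks the pages. The copy itself runs at DISPATCH_LEVEL.
	//
	// Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER when Length does not
	// fit the ULONG that IoAllocateMdl accepts, or STATUS_UNSUCCESSFUL when
	// the MDL cannot be allocated or mapped. The MDL is released on every
	// failure path before returning.

	// IoAllocateMdl takes a ULONG length; reject sizes that would otherwise
	// be silently truncated into a mapping shorter than the copy below.
	if ((SIZE_T)(ULONG)Length != Length) return STATUS_INVALID_PARAMETER;

	PMDL Mdl = IoAllocateMdl(Destination, (ULONG)Length, FALSE, FALSE, NULL);
	if (!Mdl) return STATUS_UNSUCCESSFUL;
	MmBuildMdlForNonPagedPool(Mdl);

	// NOTE(review): the WDK documents MmMapLockedPages as obsolete in favour
	// of MmMapLockedPagesSpecifyCache; kept as-is because their failure
	// semantics differ — confirm on the targeted WDK before switching.
	PVOID Mapped = MmMapLockedPages(Mdl, KernelMode);
	if (!Mapped) {
		IoFreeMdl(Mdl);
		return STATUS_UNSUCCESSFUL;
	}

	// DISPATCH_LEVEL keeps this CPU from rescheduling mid-copy; it does not
	// serialize against other CPUs touching the same range.
	KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
	RtlCopyMemory(Mapped, Source, Length);
	KeLowerIrql(OldIrql);

	MmUnmapLockedPages(Mapped, Mdl);
	IoFreeMdl(Mdl);
	return STATUS_SUCCESS;
}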
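NTSTATUS ZeroUtils::MdlRtlFillMemory(PVOID Destination, BYTE Value, SIZE_T Length) {
	// Writes Length copies of Value into Destination through a temporary
	// kernel-mode MDL mapping rather than writing to Destination directly.
	//
	// As with MdlRtlCopyMemory, the MDL is built with
	// MmBuildMdlForNonPagedPool, so Destination must be resident, non-paged
	// memory; the pages are neither probed nor locked here. The fill runs at
	// DISPATCH_LEVEL.
	//
	// Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER when Length does not
	// fit the ULONG that IoAllocateMdl accepts, or STATUS_UNSUCCESSFUL when
	// the MDL cannot be allocated or mapped. The MDL is released on every
	// failure path before returning.

	// The original passed a SIZE_T straight into IoAllocateMdl's ULONG
	// parameter; make the narrowing explicit and refuse sizes that would
	// truncate into a mapping shorter than the fill below.
	if ((SIZE_T)(ULONG)Length != Length) return STATUS_INVALID_PARAMETER;

	PMDL Mdl = IoAllocateMdl(Destination, (ULONG)Length, FALSE, FALSE, NULL);
	if (!Mdl) return STATUS_UNSUCCESSFUL;
	MmBuildMdlForNonPagedPool(Mdl);

	// NOTE(review): MmMapLockedPages is documented as obsolete; see the same
	// remark in MdlRtlCopyMemory before replacing it.
	PVOID Mapped = MmMapLockedPages(Mdl, KernelMode);
	if (!Mapped) {
		IoFreeMdl(Mdl);
		return STATUS_UNSUCCESSFUL;
	}

	// DISPATCH_LEVEL keeps this CPU from rescheduling mid-fill; it does not
	// serialize against other CPUs touching the same range.
	KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
	RtlFillMemory(Mapped, Length, Value);
	KeLowerIrql(OldIrql);

	MmUnmapLockedPages(Mapped, Mdl);
	IoFreeMdl(Mdl);
	return STATUS_SUCCESS;
}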
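// Takes a SystemModuleInformation snapshot and returns the ImageBase of the
// loaded module whose file name equals ModuleName, or NULL when the list
// cannot be queried, the snapshot buffer cannot be allocated, or no entry
// matches. The snapshot buffer is freed on every path. File-local helper;
// not part of the ZeroUtils interface.
static PVOID FindKernelModuleBase(const char* ModuleName)
{
	ULONG Bytes = 0;

	// First call with no buffer only reports the required size in Bytes; its
	// status is a length mismatch by design and is intentionally not checked.
	ZwQuerySystemInformation(SystemModuleInformation, NULL, Bytes, &Bytes);
	if (Bytes == 0) {
		Print("[GetKernelModuleExport] ZwQuerySystemInformation[1] failed");
		return NULL;
	}

	// NOTE(review): newer WDKs mark ExAllocatePoolWithTag deprecated in favour
	// of ExAllocatePool2; left unchanged because the minimum OS target is not
	// visible here. The original never checked this allocation and would have
	// dereferenced NULL below.
	PRTL_PROCESS_MODULES Modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, Bytes, 'NeiH');
	if (!Modules) {
		Print("[GetKernelModuleExport] ExAllocatePoolWithTag failed");
		return NULL;
	}

	PVOID ModuleBase = NULL;
	NTSTATUS Status = ZwQuerySystemInformation(SystemModuleInformation, Modules, Bytes, &Bytes);
	if (NT_SUCCESS(Status)) {
		PRTL_PROCESS_MODULE_INFORMATION Module = Modules->Modules;
		for (ULONG i = 0; i < Modules->NumberOfModules; i++) {
			// OffsetToFileName is an index into FullPathName; skip entries
			// whose offset would point past the fixed-size buffer.
			if (Module[i].OffsetToFileName >= sizeof(Module[i].FullPathName)) continue;
			const char* FileName = (const char*)(Module[i].FullPathName + Module[i].OffsetToFileName);
			if (strcmp(FileName, ModuleName) == 0) {
				ModuleBase = Module[i].ImageBase;
				break;
			}
		}
	} else {
		// The original returned here without freeing the snapshot buffer.
		Print("[GetKernelModuleExport] ZwQuerySystemInformation[2] failed");
	}

	ExFreePoolWithTag(Modules, 'NeiH');
	return ModuleBase;
}

// Resolves the export FunctionName from the loaded kernel module whose file
// name equals ModuleName (e.g. the basename as it appears in the loader's
// module list). Returns the export's address, or NULL when either argument
// is NULL, the module is not loaded, or RtlFindExportedRoutineByName does
// not find the name.
PVOID ZeroUtils::GetKernelModuleExport(const char* ModuleName, const char* FunctionName)
{
	if (!ModuleName || !FunctionName) return NULL;

	PVOID ModuleBase = FindKernelModuleBase(ModuleName);
	if (ModuleBase == NULL) {
		Print("[GetKernelModuleExport] Failed to get module base");
		return NULL;
	}
	return RtlFindExportedRoutineByName(ModuleBase, FunctionName);
}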
================================================
FILE: ZeroThreadKernel/ZeroUtils/ZeroUtils.h
================================================
#pragma once
#include "../Includes.h"
// Debug trace helper: forwards to DbgPrintEx with component id 0 and level 0
// and prefixes every message with "[>] ". Because the prefix is joined to
// `content` by literal concatenation, `content` must be a string literal
// (a printf-style format); the remaining arguments are its values.
#define Print( content, ... ) DbgPrintEx( 0, 0, "[>] " content, __VA_ARGS__ )
namespace ZeroUtils
{
// Copies Length bytes from Source into Destination through a temporary
// kernel-mode MDL mapping (MmBuildMdlForNonPagedPool, so Destination must be
// non-paged memory). The copy runs at DISPATCH_LEVEL. Returns STATUS_SUCCESS,
// or STATUS_UNSUCCESSFUL when the MDL cannot be allocated or mapped.
NTSTATUS MdlRtlCopyMemory(PVOID Destination, const VOID* Source, SIZE_T Length);
// Writes Length copies of Value into Destination through the same MDL
// mapping scheme as MdlRtlCopyMemory; same preconditions and return values.
NTSTATUS MdlRtlFillMemory(PVOID Destination, BYTE Value, SIZE_T Length);
// Looks up the loaded kernel module whose file name equals ModuleName via
// ZwQuerySystemInformation(SystemModuleInformation) and resolves FunctionName
// from it with RtlFindExportedRoutineByName. Returns NULL if the module list
// cannot be queried, the module is not loaded, or the export is not found.
PVOID GetKernelModuleExport(const char* ModuleName, const char* FunctionName);
}
// Partial redeclaration of the SYSTEM_INFORMATION_CLASS enumeration passed to
// ZwQuerySystemInformation. Only the leading members are listed, in their
// original order, so that SystemModuleInformation evaluates to 11 — the only
// value this project uses. Append further members only in the kernel's order;
// inserting or reordering would shift that value.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
// One entry of the SystemModuleInformation snapshot. The layout must match
// what the kernel writes; do not reorder or resize fields.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
// Load address of the module; returned by GetKernelModuleExport as the
// base for RtlFindExportedRoutineByName.
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
// Index into FullPathName where the file name (basename) starts;
// GetKernelModuleExport compares ModuleName against that substring.
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation snapshot. Modules is declared with
// one element but is followed in the buffer by NumberOfModules entries;
// callers size the buffer from ZwQuerySystemInformation's length query and
// iterate up to NumberOfModules, never sizeof(RTL_PROCESS_MODULES).
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
================================================
FILE: ZeroThreadKernel.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30503.244
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ZeroThreadKernel", "ZeroThreadKernel\ZeroThreadKernel.vcxproj", "{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ZeroThreadCaller", "ZeroThreadCaller\ZeroThreadCaller.vcxproj", "{B1A4C64E-4FFD-485A-AD7A-90672C9AAA9A}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.ActiveCfg = Release|x64
{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.Build.0 = Release|x64
{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.Deploy.0 = Release|x64
{B1A4C64E-4FFD-485A-AD7A-90672C9AAA9A}.Release|x64.ActiveCfg = Release|x64
{B1A4C64E-4FFD-485A-AD7A-90672C9AAA9A}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {A6F2B95C-BF8F-4ADE-8739-872BE439CA61}
EndGlobalSection
EndGlobal