Skip to content
/ frame Public

POC Windows kernel driver that spoofs threads for NMI callbacks on x86-64.

15 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lxkast/frame

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
machineframe
machineframe
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
machineframe.sln
machineframe.sln
 
 

Repository files navigation

Frame

A proof-of-concept Windows kernel driver that spoofs the current thread, machine frame and consequently the call stack for NMI callbacks on x86-64.

How it works

By hooking HalPreprocessNmi from the HAL private dispatch table, we can swap the current thread in the KPRCB for the core's idle thread, as well as swap the RIP and RSP from the machine frame to appropriate values for the idle thread. To restore the original machine frame and current thread, we can manually traverse the NMI callback linked list and add our restoration function to the end.

A full writeup with detailed explanation can be found here: https://lxkast.github.io/posts/Thread-and-call-stack-spoofing-for-NMI-callbacks-on-Windows/

Screenshots

image image

About

POC Windows kernel driver that spoofs threads for NMI callbacks on x86-64.

Topics

windows kernel nmi

Resources

Readme
Activity

Stars

15 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages