├── driver.cpp └── README.md /driver.cpp: -------------------------------------------------------------------------------- /* driver.cpp: kernel-mode driver whose only action at load is disable_nmi_callbacks(): it locates a non-exported ntoskrnl global by byte-pattern scan and sets one bit per processor in it, apparently so that NMI callbacks observe an "NMI already in progress" state (inferred from the names only; the global's actual role is not verified anywhere here). Writing to an undocumented kernel global from a third-party driver is the kind of tampering that kernel-integrity checks and driver-load telemetry exist to surface, and the byte pattern is build-specific, so on a non-matching build the scan either fails or lands on an unrelated location. utils::get_kernel_module, utils::find_pattern, impl::resolve_mov and Crypt() (presumably compile-time string obfuscation) are defined elsewhere and not shown. */ 1 | extern "C" 2 | { 3 | 4 | /* Hand-written prototype for an ntoskrnl export; nothing here checks it against a header, so the signature is taken on trust. */ NTSYSAPI BOOLEAN NTAPI KeInterlockedSetProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); 5 | 6 | } 7 | 8 | /* Returns true once the per-processor bits have been written, false (via `return 0`) when ntoskrnl.exe or the byte pattern cannot be found. Side effect: mutates kernel memory at whatever address impl::resolve_mov yields. DbgPrintEx(0, 0, ...) logs with component id 0 and level 0 (DPFLTR_SYSTEM_ID / DPFLTR_ERROR_LEVEL), which is normally visible in the debugger output. */ bool disable_nmi_callbacks() { 9 | const auto ntoskrnl_base = (PVOID)utils::get_kernel_module(Crypt("ntoskrnl.exe")); 10 | 11 | if (!ntoskrnl_base) { 12 | DbgPrintEx(0, 0, Crypt("[-] ntoskrnl_base not found\n")); 13 | return 0; 14 | } 15 | else { 16 | DbgPrintEx(0, 0, Crypt("[+] ntoskrnl_base @ 0x%p\n"), ntoskrnl_base); 17 | 18 | } 19 | 20 | /* NOTE(review): the template argument of this reinterpret_cast was lost from the listing (probably stripped as markup); the byte compare against 0x48 below implies a byte pointer such as PUCHAR. */ auto nmi_in_progress = reinterpret_cast(utils::find_pattern((uintptr_t)ntoskrnl_base, Crypt("\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\xB9\x00\x00\x00\x00"), Crypt("xx????????x????"))); 21 | 22 | if (!nmi_in_progress) { 23 | DbgPrintEx(0, 0, Crypt("[-] nmi_in_progress not found\n")); 24 | return 0; 25 | } 26 | else { 27 | DbgPrintEx(0, 0, Crypt("[+] nmi_in_progress @ 0x%p\n"), nmi_in_progress); 28 | } 29 | 30 | /* Always true here: the null case already returned above. */ if (nmi_in_progress) { 31 | 32 | /* Unbounded forward byte scan for 0x48 (the x64 REX.W prefix, presumably the start of the mov that resolve_mov decodes); no upper bound is derived from the module size, so a match near the end of the image could walk beyond it. */ while (*nmi_in_progress != 0x48) { 33 | ++nmi_in_progress; 34 | } 35 | 36 | /* Presumably decodes the RIP-relative mov at this address into the global's effective address (impl::resolve_mov not shown). */ nmi_in_progress = impl::resolve_mov(nmi_in_progress); 37 | 38 | DbgPrintEx(0, 0, Crypt("[+] nmi_in_progress (resolved) @ 0x%p\n"), nmi_in_progress); 39 | 40 | /* Defect: a null result is only logged, not acted on; execution falls through to the casts and interlocked writes below with a null pointer. */ if (!nmi_in_progress) { 41 | DbgPrintEx(0, 0, Crypt("[-] !nmi_in_progress\n")); 42 | } 43 | 44 | /* KfRaiseIrql(0) raises to IRQL 0, which is PASSIVE_LEVEL, so this does not actually raise anything; the intent is unclear. */ auto irql = KfRaiseIrql(0); 45 | 46 | /* Processor count for the current group; on systems with more than one processor group this may not cover every processor (KeQueryActiveProcessorCountEx takes a group number). */ ULONG cores = KeQueryActiveProcessorCount(NULL); 47 | 48 | for (auto i = 0ul; i < cores; ++i) { 49 | 50 | /* Both calls set bit i in the same memory: the first treats the resolved address as a KAFFINITY_EX, the second sets bit i of the first 64-bit word directly — redundant for i < 64, and nothing verifies that the memory really has the layout either call assumes. */ KeInterlockedSetProcessorAffinityEx((PKAFFINITY_EX)nmi_in_progress, i); 51 | InterlockedBitTestAndSet64((LONG64*)(nmi_in_progress), i); 52 | 53 | /* "proccessor" is a typo inside a runtime string; left unchanged. */ DbgPrintEx(0, 0, Crypt("[+] disabled nmi for proccessor %d\n"), i); 54 | 55 | } 56 | 57 | KeLowerIrql(irql); 58 | } 59 | 60 | /* Also printed by DriverEntry's success branch, so it appears twice on success. */ DbgPrintEx(0, 0, Crypt("[+] Done disabled nmi callback\n")); 61 | return true; 62 | 63 | } 64 | 65 | 66 | /* DriverEntry: declared NTSTATUS but takes no DRIVER_OBJECT/RegistryPath parameters and (see its closing brace) contains no return statement, so the status the loader receives is indeterminate. Assigning the bool result to a BOOL is harmless. */ extern "C" NTSTATUS DriverEntry() { 67 | 68 | BOOL status = 
disable_nmi_callbacks(); 69 | 70 | if (status == FALSE) { 71 | DbgPrintEx(0, 0, Crypt("[-] Failed disabling nmi callbacks.\n")); 72 | } 73 | else { 74 | DbgPrintEx(0, 0, Crypt("[+] Done disabled nmi callback\n")); 75 | } 76 | 77 | 78 | DbgPrintEx(0, 0, Crypt("[+] Driver loaded!\n")); 79 | 80 | /* Missing `return` in a non-void function: the NTSTATUS handed back to the loader is undefined. */ } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Disable_nmi_callbacks 2 | # an old code 3 | # 4 | 5 | ```C 6 | 7 | extern "C" 8 | { 9 | 10 | NTSYSAPI BOOLEAN NTAPI KeInterlockedSetProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); 11 | 12 | } 13 | 14 | bool disable_nmi_callbacks() { 15 | const auto ntoskrnl_base = (PVOID)utils::get_kernel_module(Crypt("ntoskrnl.exe")); 16 | 17 | if (!ntoskrnl_base) { 18 | DbgPrintEx(0, 0, Crypt("[-] ntoskrnl_base not found\n")); 19 | return 0; 20 | } 21 | else { 22 | DbgPrintEx(0, 0, Crypt("[+] ntoskrnl_base @ 0x%p\n"), ntoskrnl_base); 23 | 24 | } 25 | 26 | auto nmi_in_progress = reinterpret_cast(utils::find_pattern((uintptr_t)ntoskrnl_base, Crypt("\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\xB9\x00\x00\x00\x00"), Crypt("xx????????x????"))); 27 | 28 | if (!nmi_in_progress) { 29 | DbgPrintEx(0, 0, Crypt("[-] nmi_in_progress not found\n")); 30 | return 0; 31 | } 32 | else { 33 | DbgPrintEx(0, 0, Crypt("[+] nmi_in_progress @ 0x%p\n"), nmi_in_progress); 34 | } 35 | 36 | if (nmi_in_progress) { 37 | 38 | while (*nmi_in_progress != 0x48) { 39 | ++nmi_in_progress; 40 | } 41 | 42 | nmi_in_progress = impl::resolve_mov(nmi_in_progress); 43 | 44 | DbgPrintEx(0, 0, Crypt("[+] nmi_in_progress (resolved) @ 0x%p\n"), nmi_in_progress); 45 | 46 | if (!nmi_in_progress) { 47 | DbgPrintEx(0, 0, Crypt("[-] !nmi_in_progress\n")); 48 | } 49 | 50 | auto irql = KfRaiseIrql(0); 51 | 52 | ULONG cores = KeQueryActiveProcessorCount(NULL); 53 | 54 | for (auto i = 0ul; i < cores; ++i) { 55 | 56 | 
KeInterlockedSetProcessorAffinityEx((PKAFFINITY_EX)nmi_in_progress, i); 57 | InterlockedBitTestAndSet64((LONG64*)(nmi_in_progress), i); 58 | 59 | DbgPrintEx(0, 0, Crypt("[+] disabled nmi for proccessor %d\n"), i); 60 | 61 | } 62 | 63 | KeLowerIrql(irql); 64 | } 65 | 66 | DbgPrintEx(0, 0, Crypt("[+] Done disabled nmi callback\n")); 67 | return true; 68 | 69 | } 70 | 71 | ``` 72 | 73 | # Example Usage 74 | 75 | ```C 76 | 77 | extern "C" NTSTATUS DriverEntry() { 78 | 79 | BOOL status = disable_nmi_callbacks(); 80 | 81 | if (status == FALSE) { 82 | DbgPrintEx(0, 0, Crypt("[-] Failed disabling nmi callbacks.\n")); 83 | } 84 | else { 85 | DbgPrintEx(0, 0, Crypt("[+] Done disabled nmi callback\n")); 86 | } 87 | 88 | 89 | DbgPrintEx(0, 0, Crypt("[+] Driver loaded!\n")); 90 | 91 | } 92 | 93 | ``` 94 | --------------------------------------------------------------------------------