Skip to content
/ UTKModule Public

Modifies the code of the RtlUserThreadStart callback and reads the arguments passed to it. Then it changes the initial execution argument for the thread to a different location, but with the same executable memory. Bypasses some generic memory integrity checks.

License

MIT license
13 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

johnsonjason/UTKModule

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
Driver.c
Driver.c
 
 
LICENSE
LICENSE
 
 
PeImg.h
PeImg.h
 
 
README.md
README.md
 
 

Repository files navigation

UTKModule

Ports the PE headers which are used from user API into the kernel code when reading memory from the process in a LOAD_IMAGE_NOTIFY_ROUTINE callback to resolve the PE headers with the given base address, points the copy module IAT to the correct one in the virtual process.

Modifies the code of the RtlUserThreadStart callback and reads the arguments passed to it. Then it changes the initial execution argument for the thread to a different location, but with the same executable memory. Bypasses some generic memory integrity checks.

About

Modifies the code of the RtlUserThreadStart callback and reads the arguments passed to it. Then it changes the initial execution argument for the thread to a different location, but with the same executable memory. Bypasses some generic memory integrity checks.

Resources

Readme

License

MIT license
Activity

Stars

13 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages