Nullify

Nullify is a state-of-the-art research tool designed to bypass Windows Driver Signature Enforcement (DSE) for legitimate security research and academic purposes. It leverages kernel memory manipulation via a known vulnerable driver (RTCore64.sys) to patch the SeCiCallbacks structure in ntoskrnl.exe, effectively disabling DSE at runtime.

---

How It Works

1. Vulnerable Driver — The tool installs and loads the RTCore64.sys driver, which exposes arbitrary kernel memory read/write IOCTLs.
2. Symbol Resolution — It downloads the exact PDB symbols for the running ntoskrnl.exe from Microsoft's public symbol server to resolve the SeCiCallbacks and ZwFlushInstructionCache offsets dynamically — no hardcoded offsets, no per-build breakage.
3. Offset Validation — Resolved offsets are validated against the PE .text section bounds and verified via live kernel memory reads.
4. Kernel Patching — The CI callback pointer inside SeCiCallbacks is overwritten with the address of ZwFlushInstructionCache (a harmless always-success function), disabling signature enforcement.
5. Driver Load — With DSE disabled, unsigned kernel drivers can be loaded. DSE is automatically restored after loading.
6. Restore — Original callback values are saved to the registry and used to restore DSE on demand.

Architecture

┌─────────────────────────────────────────────────────┐
│                  Nullify (User Mode)                │
│  ┌──────────┐  ┌──────────┐  ┌───────────────────┐ │
│  │ CLI/UI   │  │ Symbol   │  │ Offset Resolution │ │
│  │ Handler  │  │ Download │  │ & Validation      │ │
│  └──────────┘  └──────────┘  └───────────────────┘ │
│                        │                            │
│  ┌─────────────────────┴──────────────────────────┐ │
│  │           RTCore64 IOCTL Interface             │ │
│  └─────────────────────┬──────────────────────────┘ │
└────────────────────────┼────────────────────────────┘
                         │ DeviceIoControl
┌────────────────────────┼────────────────────────────┐
│          RTCore64.sys (Kernel ── ⚠ Vulnerable)     │ │
│  ┌─────────────────────┴──────────────────────────┐ │
│  │     Arbitrary Kernel Memory Read/Write         │ │
│  └─────────────────────┬──────────────────────────┘ │
└────────────────────────┼────────────────────────────┘
                         │ Direct memory access
              ┌──────────┴──────────┐
              │   ntoskrnl.exe      │
              │  ┌────────────────┐ │
              │  │ SeCiCallbacks  │◄─┼── Patch target
              │  │ (CI callback)  │ │
              │  └────────────────┘ │
              └─────────────────────┘

---

Prerequisites

• Windows 10/11 x64 (with Memory Integrity disabled — see below)
• Administrator privileges
• Go 1.21+ installed
• RTCore64.sys (the vulnerable MSI Afterburner driver) — not included

Memory Integrity / HVCI

Hypervisor-Protected Code Integrity (HVCI) / Memory Integrity must be disabled for this tool to work, because HVCI locks kernel memory pages against modification.

The tool will detect if it is enabled and offer to disable it (requires a reboot).

Navigate to:
Windows Security → Device Security → Core Isolation → Memory Integrity → Off

---

Project Name

The project is named Nullify — a reflection of its core mechanism: nullifying the Driver Signature Enforcement callback to permit unsigned driver loading.

---

Build

git clone <repo-url>
cd Nullify
go build -ldflags="-s -w" -o nullify.exe

For a smaller binary:

go build -ldflags="-s -w -H=windowsgui" -o nullify.exe

---

Usage

Quick Start

nullify.exe

Without arguments, Nullify will:

1. Elevate to Administrator (if not already)
2. Check Memory Integrity status
3. Enter interactive menu mode

Interactive Menu

[1] Patch DSE (disable driver signature enforcement)
[2] Load unsigned driver (auto DSE patch/unpatch)
[3] Show and save offset information for external tools
[4] Exit

CLI Commands

nullify bypass          # Disable DSE permanently (until reboot)
nullify restore         # Re-enable DSE
nullify status          # Check current DSE status
nullify load <driver>   # Load an unsigned driver (auto patch/restore)
nullify load <driver> -s 3   # Load with specific StartType
nullify reload <driver> # Stop, re-patch, start, restore
nullify stop <driver>   # Stop a running driver service
nullify remove <driver> # Stop and delete a driver service
nullify history         # Show driver load history
nullify offsets         # Dump kernel offsets for external tools
nullify help            # Show help
nullify autoload        # Auto-load iamroot.sys from the same folder

Quiet Mode

Suppress all non-essential output (useful for scripting):

nullify -q bypass
nullify -q status
nullify -q load mydriver.sys

Putting a Driver in driver/ Folder

Place a .sys file in the driver/ subfolder and run Nullify with no arguments — it will auto-detect, install, and load all drivers found:

mkdir driver
copy mydriver.sys driver/
nullify.exe

---

StartType Values

Value	Name	Description
0	BOOT	Loaded by boot loader
1	SYSTEM	Loaded during kernel initialization
2	AUTO	Loaded by service control manager
3	DEMAND	Started on demand (default)
4	DISABLED	Service is disabled

---

Obtaining RTCore64.sys

Important: RTCore64.sys is a legitimate driver signed by Microsoft. It is part of the MSI Afterburner software package. You must obtain it legally from:

1. Install MSI Afterburner
2. Locate RTCore64.sys in the installation directory (C:\Program Files (x86)\MSI Afterburner\)
3. Place it in the same folder as nullify.exe

---

Offset Persistence

Nullify provides multiple mechanisms for saving and reusing resolved offsets:

Mechanism	Location	Persistence
Registry	HKCU\Software\Nullify\History	Across sessions
drivers.ini	C:\Windows\drivers.ini	For external tools
Mini-PDB	%ProgramData%\dbg\sym\ntkrnlmp.pdb\<GUID>\ntkrnlmp.mpdb	For BootBypass
CLI dump	nullify offsets	Manual

---

Registry Artifacts

HKCU\Software\Nullify\LatestState\
    OriginalCallback0..N    QWORD   Original CI callbacks
    CallbackCount           DWORD   Number of saved callbacks
    PatchTimestamp          STRING  When the patch was applied
    IsPatched               DWORD   1 = patched, 0 = restored

HKCU\Software\Nullify\History\<timestamp>\
    SeCiCallbacks           DWORD   Resolved offset (low 32 bits)
    SafeFunction            DWORD   ZwFlushInstructionCache offset
    BuildInfo               STRING  Windows build number

HKCU\Software\Nullify\LoadedDrivers\History\<timestamp>\
    DriverPath              STRING  Path to loaded driver
    ServiceName             STRING  Service name
    StartType               DWORD   Start type
    LoadResult              DWORD   1 = success, 0 = failure

---

Disclaimer

This tool is provided for educational and research purposes only. Unauthorized use of this tool to disable security features on systems you do not own or have explicit permission to test is illegal. The authors are not responsible for any damage or legal consequences arising from misuse.

---

Troubleshooting

"Failed to initialize symbol handler"

Run as Administrator and ensure you have internet access to reach msdl.microsoft.com.

Patch fails / "Kernel memory is READ-ONLY"

HVCI/Memory Integrity is enabled. Disable it in Windows Security and reboot.

BSOD after loading a driver

The unsigned driver itself is unstable under DSE bypass. Ensure Memory Integrity is disabled and the driver is compatible with your Windows version.

Offsets fail after Windows Update

Windows updates change kernel layout. Simply run Nullify again — it will re-download PDBs and resolve new offsets automatically.