ZeroThreadKernel allows you to execute arbitrary code recursively at kernel level without creating a system thread.
It works by hooking a non-KPP-protected function exported by the DirectX graphics kernel subsystem (dxgkrnl). The function is called from our user-mode program through the export in win32u.dll, and this call serves as the thread for recursive code execution.
One way to detect this is by integrity-checking the .text section of the specified module. Writing our shellcode into the function changes the module's bytes, so its hash no longer matches the original.
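The integrity check described above, as an added example that is not part of the ZeroThreadKernel code: it locates .text in a module's on-disk PE file, compares it with a mapped copy (for instance one carved from a memory dump), and reports the RVA ranges that differ. The function names and the sample image are constructed for illustration, and the comparison assumes that differences the loader introduces legitimately, such as applied relocations, have already been excluded.

```python
import hashlib
import struct

def text_section(pe):
    """Return (rva, raw_offset, size) of the .text section of a PE file image."""
    nt, = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)   # SizeOfOptionalHeader
    for off in range(nt + 24 + opt_size, nt + 24 + opt_size + 40 * nsec, 40):
        vsize, rva, rawsize, rawptr = struct.unpack_from("<4I", pe, off + 8)
        if pe[off:off + 8].rstrip(b"\0") == b".text":
            return rva, rawptr, min(vsize, rawsize)
    raise ValueError("no .text section")

def modified_text_ranges(disk, mapped):
    """Compare the on-disk .text with the mapped copy; return changed RVA ranges."""
    rva, rawptr, size = text_section(disk)
    clean, live = disk[rawptr:rawptr + size], mapped[rva:rva + size]
    if len(live) != size:
        raise ValueError("mapped image is truncated")
    if hashlib.sha256(clean).digest() == hashlib.sha256(live).digest():
        return []                                       # hashes match: untouched
    ranges, start = [], None
    for i in range(size + 1):                           # one extra step closes a run
        differs = i < size and clean[i] != live[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((rva + start, rva + i - 1))
            start = None
    return ranges

def sample_images():
    """Constructed minimal PE: one .text section at RVA 0x1000, raw offset 0x200."""
    hdr, code = bytearray(0x200), bytes(range(64))
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xHH", hdr, 0x44, 0x8664, 1, 0xF0, 0x22)
    struct.pack_into("<8s4I", hdr, 0x40 + 24 + 0xF0, b".text", 64, 0x1000, 64, 0x200)
    return bytes(hdr) + code, bytearray(hdr) + bytearray(0xE00) + code

if __name__ == "__main__":
    disk, mapped = sample_images()
    mapped[0x1010:0x101C] = b"\xCC" * 12                # constructed 12-byte overwrite
    for lo, hi in modified_text_ranges(disk, mapped):
        print(f".text modified at RVA {lo:#x}-{hi:#x}")
```

Reporting the changed ranges rather than only a hash mismatch lets an analyst map each range back to the exported function it falls in.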
Possible circumvention: Hide the hooked driver from the LDR/LoadedModuleList?
Contributions are always welcome!