⚔️ JJ INFO — Technical Overview
🧩 CR3 Swap Read — Zero Handle
The target process's memory is accessed by writing the target's physical PML4 address directly into the CR3 register (PDBR). This operation is performed at IRQL DISPATCH_LEVEL through a dedicated DPC routine. No NtOpenProcess calls are made, no handles are created in the kernel handle table, and no entries are added to the process VAD tree. The result is a fully stealthy approach, invisible to any scanner relying on PsLookupProcessByProcessId or on handle table inspection via ObQueryNameString.
🛡️ NMI Callback Spoof — Stack Sanitization
Anti-cheat systems such as EAC and BE register NMI callbacks through KeRegisterNmiCallback to inspect thread stacks during non-maskable interrupts, aiming to detect return addresses outside legitimate modules. This mechanism is handled through stack spoofing and sanitization techniques, ensuring the call stack appears consistent and legitimate during such inspections.
📡 Shared Memory IPC — No IOCTL
Communication between the kernel-mode driver and the user-mode renderer is handled via an anonymous Section object created with ZwCreateSection and mapped into both address spaces using MmMapLockedPagesSpecifyCache. No IRPs, no DeviceIoControl calls, and no visible Device object are involved. This removes one of the primary detection surfaces used by anti-cheat systems to identify unauthorized kernel↔user communication.
💎 Security Integrity
- Invisible to PDBR/VAD Scanners
- Spoofed NMI Return Addresses
- Zero-Trace Communication (No IOCTL)