Skip to content

Achieve arbitrary kernel read/writes/function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments calling without admin permissions or kernel drivers.

Notifications You must be signed in to change notification settings

zer0condition/ZeroHVCI

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ZeroHVCI - Defeating HVCI without admin privileges or a kernel driver

ZeroHVCI accomplishes arbitrary kernel read/writes/function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments calling without admin permissions or kernel drivers. tab

Features

  • Full non-privileged kernel read/writes: Kernel read/writes are achieved by leveraging CVE-2024-26229 which requires no process elevation.
  • Arbitrary Function Calling: Calls any arbitrary kernel functions with desired params fully from user land.

Getting Started

To get started with ZeroHVCI, you can clone this repository and build the project.

Usage

//
// Read kernel memory example:
//
ReadKernelMemory(source_address, buffer_address, size);
//
// Write kernel memory example:
//
WriteKernelMemory(source_address, buffer_address, size);
//
// Kernel function calling example via name:
//
KF::CallKernelFunctionViaName<kernel_param_type1, kernel_param_type2, kernel_param_type3>(
  "kernel_function_name",
  param1,
  param2,
  param3);
//
// ExAllocatePool example:
//
KF::CallKernelFunctionViaName<PVOID, POOL_TYPE, SIZE_T>("ExAllocatePool", PoolType, Size);
//
// memcpy example:
//
KF::CallKernelFunctionViaName<PVOID, PVOID, PVOID, SIZE_T>("memcpy", Dst, Src, Size);
//
// PsLookupProcessByProcessId example:
//
PEPROCESS Process;
KF::CallKernelFunctionViaName<NTSTATUS, HANDLE, PEPROCESS*>("PsLookupProcessByProcessId", ProcessHandle, &Process);

How it works

Two main projects are responsible for making this possible

  • KernelForge- All credits to Dmytro Oleksiuk, his project allows us to gain HVCI-compliant kernel function calling by abusing the heirarchy of thread executions and construction rop chains without truly patching anything.
  • CVE-2024-26229- All credits to Eric Egsgard, this exploit allows us to gain kernel read/write by abusing a IOCTL with METHOD_NEITHER in csc.sys (a windows module, resources will be linked below if you want to read-up more.
  • CVE-2024-35250- All credits to Devcore team, this exploit allows us to gain kernel read/write by abusing RtlClearAllBits in ks.sys (a windows module, resources will be linked below if you want to read-up more.

What is this for?

This is a multi-purpose project which will help people in many sectors, this includes memory-hacking against anti-cheats like Riot Vanguard as we've seen with the HVCI enforcements, this can also be used as a toolkit against AVs/EDRs/XDRs due to the nature that it requires no escalation to achieve arbitrary read/writes and calling kernel functions.

Acknowledgements

Cr4sh for KernelForge
varwara for his POC POC2
Eric Egsgard for his talk

About

Achieve arbitrary kernel read/writes/function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments calling without admin permissions or kernel drivers.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published