ZeroHVCI - Defeating HVCI without admin privileges or a kernel driver

ZeroHVCI accomplishes arbitrary kernel read/write and kernel function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments without admin permissions or kernel drivers.

Features

Getting Started

To get started with ZeroHVCI, you can clone this repository and build the project.

Usage

```C++
//
// Read kernel memory example:
//
ReadKernelMemory(source_address, buffer_address, size);
```

```C++
//
// Write kernel memory example:
//
WriteKernelMemory(source_address, buffer_address, size);
```

```C++
//
// Kernel function calling example via name:
//
KF::CallKernelFunctionViaName("kernel_function_name", param1, param2, param3);
```

```C++
//
// ExAllocatePool example:
//
KF::CallKernelFunctionViaName("ExAllocatePool", PoolType, Size);
```

```C++
//
// memcpy example:
//
KF::CallKernelFunctionViaName("memcpy", Dst, Src, Size);
```

```C++
//
// PsLookupProcessByProcessId example:
//
PEPROCESS Process;
KF::CallKernelFunctionViaName("PsLookupProcessByProcessId", ProcessHandle, &Process);
```

How it works

Two main projects are responsible for making this possible:

  • CVE-2024-26229 - All credits to Eric Egsgard. This exploit allows us to gain kernel read/write by abusing an IOCTL with METHOD_NEITHER in csc.sys (a Windows module; resources are linked below if you want to read up more).
  • KernelForge - All credits to Dmytro Oleksiuk. His project allows us to gain HVCI-compliant kernel function calling by abusing the hierarchy of thread execution and constructing ROP chains without truly patching anything.

What is this for?

This is a multi-purpose project which will help people in many sectors. This includes memory hacking against anti-cheats like Riot Vanguard, as we've seen with the HVCI enforcements; it can also be used as a toolkit against AVs/EDRs/XDRs, since it requires no escalation to achieve arbitrary read/writes and kernel function calls.

Acknowledgements

Cr4sh for [KernelForge](https://github.com/Cr4sh/KernelForge)
varwara for his [POC](https://github.com/varwara/CVE-2024-26229)
Eric Egsgard for his [talk](https://www.youtube.com/watch?v=2eHsnZ4BeDI)