ZeroHVCI accomplishes arbitrary kernel reads, writes and function calls in Hypervisor-Protected Code Integrity (HVCI) protected environments without admin permissions or kernel drivers.
- Full non-privileged kernel read/writes: kernel reads and writes are achieved by leveraging CVE-2024-26229, which requires no process elevation.
- Arbitrary function calling: calls arbitrary kernel functions with the desired parameters entirely from user land.
To get started with ZeroHVCI, you can clone this repository and build the project.
```cpp
//
// Read kernel memory example: copies `size` bytes from the kernel
// address `source_address` into the user-mode buffer `buffer_address`.
//
ReadKernelMemory(source_address, buffer_address, size);

//
// Write kernel memory example: same argument order as the read call.
//
WriteKernelMemory(source_address, buffer_address, size);

//
// Kernel function calling example via name. The first template argument is
// the return type; the remaining ones are the parameter types, in order.
//
KF::CallKernelFunctionViaName<kernel_return_type, kernel_param_type1, kernel_param_type2, kernel_param_type3>(
    "kernel_function_name",
    param1,
    param2,
    param3);

//
// ExAllocatePool example: PVOID ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes)
//
KF::CallKernelFunctionViaName<PVOID, POOL_TYPE, SIZE_T>("ExAllocatePool", PoolType, Size);

//
// memcpy example: void* memcpy(void* Dst, const void* Src, size_t Size)
//
KF::CallKernelFunctionViaName<PVOID, PVOID, PVOID, SIZE_T>("memcpy", Dst, Src, Size);

//
// PsLookupProcessByProcessId example: NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process)
//
PEPROCESS Process;
KF::CallKernelFunctionViaName<NTSTATUS, HANDLE, PEPROCESS*>("PsLookupProcessByProcessId", ProcessHandle, &Process);
```
Two main projects are responsible for making this possible:
- CVE-2024-26229: all credit to Eric Egsgard. This exploit gains kernel read/write by abusing an IOCTL with METHOD_NEITHER in csc.sys (a Windows module); resources are linked below if you want to read up more.
- KernelForge: all credit to Dmytro Oleksiuk. His project gains HVCI-compliant kernel function calling by abusing the hierarchy of thread execution and constructing ROP chains without truly patching anything.
This is a multi-purpose project that will help people in many sectors. This includes memory hacking against anti-cheats like Riot Vanguard, as we've seen with the HVCI enforcement, and it can also be used as a toolkit against AVs/EDRs/XDRs, because it requires no escalation to achieve arbitrary read/writes and kernel function calls.
- Cr4sh for KernelForge
- varwara for his POC
- Eric Egsgard for his talk