TopicTracker
From HackerNews

No Code Exec? No Problem Living the Age of VBS, HVCI, and Kernel CFG (2022)

A technical deep-dive into kernel exploitation on modern Windows with VBS, HVCI, and Kernel CFG enabled, showing that an attacker who already holds a kernel read/write primitive can still reach the usual end goals of a kernel exploit without ever executing unsigned code.

Background

- VBS (Virtualization-Based Security) uses the Hyper-V hypervisor to carve out an isolated, more-trusted environment (VTL 1) that the normal Windows kernel cannot tamper with. HVCI (Hypervisor-Protected Code Integrity) is the VBS feature that uses second-level address translation (SLAT/EPT) to guarantee that no kernel page is ever both writable and executable and that only signed, verified code is ever mapped executable. The result is that unsigned code cannot run in the kernel even if the attacker has administrator rights or an arbitrary kernel read/write primitive.
- Kernel CFG (Control Flow Guard, kCFG) is a separate Microsoft mitigation that checks the target of each protected indirect call in the kernel against a bitmap of approved function entry points; a call to an address that is not an approved target fails the check. This blocks the classic technique of overwriting a function pointer to redirect execution to shellcode or a ROP chain, and under HVCI the bitmap itself is made read-only by the hypervisor, so an attacker with kernel write cannot simply flip bits in it.
- The article is by Connor McGarr, an offensive security researcher known for work against state-of-the-art Windows mitigations. It walks through practical kernel exploitation on an HVCI-enabled system, which is often assumed to be out of reach.
- This matters because HVCI/VBS are increasingly mandated in enterprises (e.g., Microsoft's Secured-core PCs) and are treated as the gold standard for Windows kernel protection. The article's point is not that these mitigations are broken but that they do not have to be defeated outright: an attacker who already has a kernel read/write primitive can reach the same end goals (privilege escalation, for instance) through data-only attacks that never execute injected code. Defenders should plan for that rather than treat HVCI as the end of kernel exploitation.
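A practical check to go with the background above, added here as an example (it is not code from the article, from Connor McGarr, or from TopicTracker): this PowerShell snippet reads the Win32_DeviceGuard WMI class to report whether VBS is actually running and whether HVCI is among the security services running, as opposed to merely configured. The class name, namespace, and the meaning of the numeric codes are Microsoft's documented values; the function name Get-VbsHvciStatus is my own and not a built-in cmdlet.

```powershell
# Added example: report the effective VBS/HVCI state of the local machine.
# Win32_DeviceGuard is Microsoft's documented class; Get-VbsHvciStatus is an
# assumed helper name, not a cmdlet that ships with Windows.
function Get-VbsHvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured and SecurityServicesRunning use the same codes:
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch,
    # 4 = SMM Firmware Measurement
    $hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)

    [pscustomobject]@{
        VbsState       = $vbsState
        HvciConfigured = $hvciConfigured
        HvciRunning    = $hvciRunning
        # Only "VBS running AND HVCI running" means the kernel is actually
        # protected. Configured-but-not-running usually means a reboot is
        # pending or an incompatible driver blocked HVCI at boot.
        Effective      = (($dg.VirtualizationBasedSecurityStatus -eq 2) -and $hvciRunning)
    }
}

Get-VbsHvciStatus | Format-List
```

Run it in an elevated PowerShell session on the machine you are assessing. The distinction between SecurityServicesConfigured and SecurityServicesRunning is the one that matters in practice: a Group Policy or registry setting that turns HVCI on only changes the former, and the kernel-mode threat model the article discusses applies only when the latter reports HVCI. The same information is shown by msinfo32 under "Virtualization-based security Services Running".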
