No Code Exec? No Problem Living the Age of VBS, HVCI, and Kernel CFG (2022)
A technical deep-dive into kernel exploitation techniques that bypass VBS, HVCI, and Kernel CFG on modern Windows, showing that attackers can read memory or disable defenses without needing full code execution.
Background
- VBS (Virtualization-Based Security) and HVCI (Hypervisor-Protected Code Integrity) are Windows 10/11 security features that use hardware virtualization to protect the kernel. VBS isolates a secure region of memory that the normal kernel cannot touch, and HVCI builds on VBS to ensure that only signed, verified code pages can ever be executable in the kernel, so untrusted code cannot run there even if an attacker already has admin rights.
- Kernel CFG (Control Flow Guard) is another Microsoft mitigation that restricts indirect function calls in the kernel to only approved targets, making traditional exploitation techniques harder.
- The article is written by a prominent offensive security researcher (Connor McGarr) known for bypassing state-of-the-art Windows defenses. It demonstrates practical kernel exploitation against HVCI-enabled systems, which many assume are "unhackable."
- This is significant because HVCI/VBS are increasingly mandated by enterprises (e.g., Microsoft's Secured-core PCs) and are considered the gold standard for Windows kernel security. Showing they can be bypassed — even without arbitrary code execution — has major implications for how seriously we take these defenses.