When VBS and HVCI are enabled, an unsigned code cannot be loaded into kernel. This project demonstrates another approach to call a kernel function and handle process creation callback when HVCI is enabled.
Note: This project is only tested on Windows 11 22H2 on Intel 10th gen.
- Drivers - see Required Drivers
- Windows HVCI is enabled
- Administrative privilege
I'm not comfortable redistributing the driver. The program requires following drivers (with sha1 hash) in an executable directory.
- procmon391.sys - 6b95d0e221ea17c59590d94eb9ffdd706f3e1ea6
- Process Monitor Driver version 3.91 (extracted from Process Monitor version 3.92)
- Older versions are usable too because they are not compiled with CFG enabled but gadget offsets must be changed
- Dell BIOS driver version 2.7 which contains following files (version 2.5 should work too)
- DBUtilDrv2.cat - 06f2b629e7303ac1254b52ec0560c34d72b46155
- dbutildrv2.inf - 19f8da3fe9ddbc067e3715d15aed7a6530732ab5
- DBUtilDrv2.sys - b03b1996a40bfea72e4584b82f6b845c503a9748
- WdfCoInstaller01009.dll - c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b
The program allows only 2 options.
-dse : the option for setting a callback to CI!CiValidateImageHeader. 0 (default value) means the value will be changed to nt!rand. The effect is same as disable Driver Signature Enforcement.
-cb : the demonstration of process creation callback. The callback does only block notepad.exe and msedge.exe. You have to modify the code to change the callback functionality.
- does not work when Intel Virtualization Technology Redirect Proection (VT-rp) is used. The CPU feature is in Intel 12th gen and later.
- cannot do chained calls.