A newly revealed open-source project exploits a legitimate but vulnerable driver, wsftprm.sys, which is not on Microsoft's blocklist, to terminate critical antivirus (AV) and endpoint detection and response (EDR) processes. This BYOVD attack works even on fully patched Windows 11 systems with HVCI and Secure Boot enabled, bypassing some of Microsoft's strongest kernel protections.
HVCI does not block signed kernel drivers. It blocks modification of driver code. However, a driver that is already signed and has a vulnerability can be used as a proxy to execute arbitrary code without violating HVCI.
Kernel Pack's latest version introduced DOG, a post-exploitation toolkit that achieves kernel-level access without loading custom drivers. This driverless approach bypasses modern kernel protections like PatchGuard, HVCI, and VBS by manipulating data rather than hijacking control flow.
The most direct (and rarest) bypass is a bug in hvix64.exe (the Windows Hypervisor) or the . If a researcher finds a way to "escape" the guest OS and execute code in VTL1, the entire HVCI system collapses. These vulnerabilities are worth hundreds of thousands of dollars on the exploit market.
Perhaps the most elegant HVCI bypass technique involves avoiding code execution altogether. Data-only attacks manipulate kernel memory without injecting executable code, bypassing HVCI's restrictions on unsigned code execution.
For a deep dive into the technical mechanics, researchers often reference Connor McGarr's blog for a breakdown of memory protections or Outflank's research on process hiding in HVCI environments.
The "Secure Kernel" (which manages HVCI) now runs in VTL1, completely separate from the normal kernel. This defeats any "disable HVCI from within the normal kernel" attack unless the attacker has a VTL0 → VTL1 exploit (a far rarer and more difficult bug class).
Windows 11 on certain hardware (Intel Control-flow Enforcement Technology, CET) introduces and indirect branch tracking, making call table hijacking (data-only attacks) much harder because the return addresses are validated by the hypervisor.
Whoever wrote this wasn't a thief. They were a cartographer, mapping the last unmapped territory: the hypervisor’s blind spot. And now they knew the way.