Lodestone had tricked the hypervisor into bypassing itself. It then wrote a single instruction into the kernel’s security callback: JMP 0xFFFF... — a jump to the malware’s own shellcode.
The exploitation was trivial—the RWX GPAs did not change across reboot or when test-signing was enabled. A driver was written to remap a linear address onto one of these RWX GPAs and place shellcode there, successfully executing the shellcode.
Houses the standard Windows user mode and kernel mode. Even the NT kernel ( ntoskrnl.exe ) runs within VTL 0.
To understand how an HVCI bypass operates, one must first comprehend the security model it protects: . Virtualization-Based Security (VBS) and Trust Levels
Developers building kernel mode components should review the official Microsoft documentation on HVCI compatibility to ensure code compliance with strict Hvci Bypass
This article explores what HVCI is, why it is a high-value target for attackers, and the common techniques used to circumvent these protections. What is HVCI?
1. Exploiting Signed Drivers (BYOVD - Bring Your Own Vulnerable Driver)
HVCI uses Second Level Address Translation (SLAT) to mark memory pages.
The field of HVCI bypass continues to evolve rapidly. Recent developments suggest several emerging trends: Lodestone had tricked the hypervisor into bypassing itself
She loaded a clean VM with HVCI enabled and executed Lodestone. Nothing happened. No crash, no process. But over three hours, she saw it: a single, deliberate page fault.
Modern iterations of Windows require drivers to be validated through the Windows Hardware Quality Labs (WHQL) ecosystem. Drivers must conform to strict security guidelines, including complete compatibility with HVCI requirements, virtually eliminating legacy programming shortcuts like ad-hoc RWXcap R cap W cap X allocations. 4. The Future of Kernel Security
But Lodestone had broken it.
Hyper-Virtualization-Based Code Integrity (HVCI), commonly known as Memory Integrity in Windows, represents one of Microsoft’s most robust modern security boundaries. By leveraging hardware virtualization, HVCI ensures that only digitally signed, trusted code can execute within the Windows kernel. However, as defensive boundaries harden, offensive researchers and malware developers aggressively seek methods to circumvent them. The exploitation was trivial—the RWX GPAs did not
If you want, I can:
Where the standard Windows kernel, user applications, and third-party drivers execute.
HVCI, also known as Memory Integrity, is a virtualization-based security feature that prevents attackers from executing unsigned code in the Windows kernel by preventing readable, writable, and executable memory (RWX) in kernel mode. Despite these robust protections, security researchers have demonstrated numerous methods to circumvent HVCI entirely.
Perhaps the most theoretically devastating bypass involves exploiting the hypervisor or the Secure Kernel itself. If a vulnerability exists within the Virtualization-Based Security stack, an attacker could escape the confines of the guest OS and compromise the hypervisor. This would grant the attacker the highest possible privilege level—ring -1—allowing them to disable HVCI protections entirely. While such exploits are rare and incredibly complex, they represent the theoretical ceiling of vulnerability in a virtualized environment.
As techniques for bypassing or working around HVCI evolve, Microsoft continuously updates the Windows security architecture to mitigate these vectors:
Similarly, the technique, while itself blocked by HVCI from writing to PspServiceDescriptorGroupTable , demonstrates how attackers continue developing novel approaches to kernel manipulation that force security researchers to evolve countermeasures.