Data Only attack using [Superfetch] + RDMSR Info Leak
Windows Kernel data-only manipulation attacks with VBS/HVCI using Superfetch and L_STAR (rdmsr) for https://exploitpack.com
User-mode and kernel code run in VTL0 (Virtual Trust Level 0), and VBS/HVCI hardens this with Kernel Mode Code Integrity and an enhanced PatchGuard/HyperGuard.
VBS/HVCI does not stop data-only attacks via trusted vulnerable drivers, nor does it block APIs like Superfetch PFN queries, so can I play within those rules?
Last week I showed how, using a signed but vulnerable driver, a Windows kernel data-only manipulation can be achieved within VTL0 boundaries via arbitrary physical R/W, using a CR3 walker (DTB) for PA to VA translation.
This time, instead, the translation from VA to PA is done via Superfetch (a VA to PA map built from PFN data), and the kernel base address is obtained from the L_STAR MSR (rdmsr, aligned down to a page, then scanned downward for the ntoskrnl MZ/PE header to recover the base).
This is an assumed-breach scenario for a post-exploitation operation: the malicious user already has a shell and, depending on the environment and access level (admin or not), will either use an already-loaded driver or BYO-S-VD (Bring Your Own "Signed" Vulnerable Driver) into the table.
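Since the post's premise is that VBS/HVCI is running but does not stop a trusted vulnerable driver from being loaded, the first thing a defender wants is a quick, scriptable view of whether VBS/HVCI is actually enforced on a host and whether Microsoft's vulnerable driver blocklist is switched on. The following PowerShell is an added example, not code from the post or from Exploit Pack; it uses only the documented `Win32_DeviceGuard` WMI class and the documented `VulnerableDriverBlocklistEnable` registry value (the blocklist itself is not mentioned in the post and is included here as a mitigation note).

```powershell
# Added example: report VBS/HVCI enforcement state and the vulnerable driver
# blocklist setting on the local host. Run in an elevated PowerShell session.
function Get-VbsHvciPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning is an array of service ids; 2 = HVCI (Hypervisor-enforced Code Integrity)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # Documented registry switch for the Microsoft vulnerable driver blocklist (1 = enabled)
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistEnabled = ($blocklistValue -eq 1)

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        VbsRunning              = $vbsRunning
        HvciRunning             = $hvciRunning
        VulnerableDriverBlocklist = $blocklistEnabled
        # HVCI without the blocklist is exactly the gap the post describes:
        # code integrity is enforced, but a signed vulnerable driver still loads.
        ExposedToSignedVulnDrv  = ($hvciRunning -and -not $blocklistEnabled)
    }
}

Get-VbsHvciPosture | Format-List
```

`ExposedToSignedVulnDrv` being true means HVCI is enforcing code integrity but nothing prevents a known-vulnerable signed driver from loading, which is the precondition for the data-only approach described above; enabling the blocklist (or Attack Surface Reduction rules for driver loads) closes that door for drivers already on Microsoft's list, while a non-listed driver still needs to be caught by driver-load monitoring.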
