Data Only attack via Physical R/W and [CR3 Walker PA to VA translation]
What is VBS/HVCI?
VBS (Virtualization-based Security) and HVCI (Hypervisor-Protected Code Integrity) are Windows security features that use the CPU's virtualization extensions to create a secure, isolated memory region that protects the kernel from malware: only trusted, signed code is allowed to run at the lowest levels, which defeats exploits and driver-based attacks that rely on executing unsigned kernel code. HVCI guards code integrity only; the approach below never executes new kernel code, it reads page tables and overwrites a token pointer, which is why it is called a data-only attack.
How this works using R/W primitives:
Scan the early PFN ranges for a CR3/DTB candidate; a candidate is accepted when it correctly translates a known ntoskrnl VA.
Once a DTB is found, use it to walk the page tables (VA to PA) and perform the actual reads and writes through the driver's physical read/write IOCTLs: PsInitialSystemProcess, tokens, etc.
PsInitialSystemProcess: its address is the export RVA plus the ntoskrnl base; the pointer is read through the CR3 walker once the DTB is known.
Current and System EPROCESS: traverse ActiveProcessLinks starting from PsInitialSystemProcess until the PID matches. Offsets for Windows 11, resolved via symbols: PID 0x1d0, ActiveProcessLinks 0x1d8, Token 0x248.
Tokens: read and written via the CR3 walker; the SYSTEM token is stolen (copied into the current process), then the original is restored after spawning cmd.exe.

Step by step:
1. Resolve the kernel base and exports (ntoskrnl base, PsGetCurrentProcess, PsLookupProcessByProcessId, PsReferencePrimaryToken, etc.).
2. Translate VA to PA via the CR3 walker.
3. Resolve PsInitialSystemProcess: read it via the CR3 walker (using the DTB).
4. Find the current and System EPROCESS: follow ActiveProcessLinks starting at PsInitialSystemProcess until the PID matches the current PID.
5. Read the System and current tokens via the CR3 walker (using the DTB obtained earlier).
6. Overwrite the current process's token with the SYSTEM token, spawn cmd.exe, then restore the original token.
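The DTB scan and CR3 walk described above (and used in steps 2, 3 and 5) are the same four-level page-table translation that a memory-forensics tool performs over a dump: accept a DTB only if it translates a known VA correctly, then resolve every later VA through it. The Python below is an added example, not the author's code; it runs against a constructed physical-memory image (the table layout, KERNEL_VA, LARGE_VA and UNMAPPED_VA are made up), handles large pages and not-present entries, and covers the read side only.

```python
import struct

ENTRY_MASK = 0x000FFFFFFFFFF000  # bits 51:12 of a paging entry: next-level (or page) PA
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7               # PS bit: 1 GiB page at PDPT level, 2 MiB at PD level

# Constructed sample addresses (not taken from any real system).
KERNEL_VA = 0xFFFFF80012345678    # backed by a 4 KiB page
LARGE_VA = 0xFFFFF80000012345     # backed by a 2 MiB large page
UNMAPPED_VA = 0xFFFFF80012400000  # hits an empty PDE

def translate_va(read_phys, dtb, va):
    """4-level x86-64 walk (PML4 -> PDPT -> PD -> PT) rooted at the DTB, i.e. the CR3 value.
    read_phys(pa, n) returns n bytes of physical memory; None if a level is absent."""
    table = dtb & ENTRY_MASK                    # strip PCID/flag bits from CR3
    for level, shift in enumerate((39, 30, 21, 12)):
        raw = read_phys(table + ((va >> shift) & 0x1FF) * 8, 8)
        if len(raw) != 8:                       # short read: candidate points outside memory
            return None
        entry = struct.unpack("<Q", raw)[0]
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE_PAGE:
            page_mask = (1 << shift) - 1        # remaining VA bits are the in-page offset
            return (entry & ENTRY_MASK & ~page_mask) | (va & page_mask)
        table = entry & ENTRY_MASK
    return table | (va & 0xFFF)

def find_dtb(read_phys, mem_size, known_va, known_pa):
    """Scan page-aligned candidates and accept the first one under which a known
    VA translates to its known PA (the validation step described above)."""
    for cand in range(0, mem_size, 0x1000):
        if translate_va(read_phys, cand, known_va) == known_pa:
            return cand
    return None

def build_sample_memory():
    """Constructed 'physical memory' image: PML4 at 0x1000, PDPT 0x2000, PD 0x3000,
    PT 0x4000; KERNEL_VA -> page at 0x5000, LARGE_VA -> 2 MiB page at 0x200000."""
    mem = bytearray(0x6000)
    idx = lambda va, shift: (va >> shift) & 0x1FF
    put = lambda pa, val: struct.pack_into("<Q", mem, pa, val)
    put(0x1000 + idx(KERNEL_VA, 39) * 8, 0x2000 | PRESENT)
    put(0x2000 + idx(KERNEL_VA, 30) * 8, 0x3000 | PRESENT)
    put(0x3000 + idx(KERNEL_VA, 21) * 8, 0x4000 | PRESENT)
    put(0x4000 + idx(KERNEL_VA, 12) * 8, 0x5000 | PRESENT)
    put(0x3000 + idx(LARGE_VA, 21) * 8, 0x200000 | LARGE_PAGE | PRESENT)
    return mem
```

With `read_phys = lambda pa, n: bytes(mem[pa:pa + n])` over `build_sample_memory()`, `find_dtb(read_phys, len(mem), KERNEL_VA, 0x5678)` recovers 0x1000, after which KERNEL_VA resolves to 0x5678, LARGE_VA to 0x212345 and UNMAPPED_VA to None.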