{"id":20755273,"url":"https://github.com/worawit/malk","last_synced_at":"2025-04-28T18:24:30.945Z","repository":{"id":147347535,"uuid":"580244575","full_name":"worawit/malk","owner":"worawit","description":"Demonstrate calling a kernel function and handle process creation callback against HVCI","archived":false,"fork":false,"pushed_at":"2022-12-21T07:02:47.000Z","size":32,"stargazers_count":51,"open_issues_count":0,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-30T11:51:11.179Z","etag":null,"topics":["hvci","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/worawit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-12-20T04:26:25.000Z","updated_at":"2025-03-14T12:52:06.000Z","dependencies_parsed_at":"2023-07-03T00:45:56.029Z","dependency_job_id":null,"html_url":"https://github.com/worawit/malk","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2Fmalk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2Fmalk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2Fmalk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2Fmalk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/worawit","download_url":"https://codeload.github.com/worawit/malk/tar.gz/refs/heads/main","host":{"
name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251363336,"owners_count":21577612,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hvci","windows"],"created_at":"2024-11-17T09:24:20.087Z","updated_at":"2025-04-28T18:24:30.940Z","avatar_url":"https://github.com/worawit.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# malk\r\n\r\nWhen VBS and HVCI are enabled, unsigned code cannot be loaded into the kernel. This project demonstrates another approach to calling a kernel function and handling a process creation callback when HVCI is enabled.\r\n\r\n**Note**: This project is only tested on Windows 11 22H2 on Intel 10th gen.\r\n\r\n\r\n## Requirements\r\n- Drivers - see [Required Drivers](#required-drivers)\r\n- Windows HVCI is enabled\r\n- Administrative privileges\r\n\r\n\r\n## Required Drivers\r\n\r\nI'm not comfortable redistributing the driver. 
The program requires the following drivers (with SHA-1 hashes) in the executable's directory.\r\n- procmon391.sys - 6b95d0e221ea17c59590d94eb9ffdd706f3e1ea6\r\n  - Process Monitor driver version 3.91 (extracted from Process Monitor version 3.92)\r\n  - Older versions are usable too because they are not compiled with CFG enabled, but the gadget offsets must be changed\r\n- Dell BIOS driver version 2.7, which contains the following files (version 2.5 should work too)\r\n  - DBUtilDrv2.cat - 06f2b629e7303ac1254b52ec0560c34d72b46155\r\n  - dbutildrv2.inf - 19f8da3fe9ddbc067e3715d15aed7a6530732ab5\r\n  - DBUtilDrv2.sys - b03b1996a40bfea72e4584b82f6b845c503a9748\r\n  - WdfCoInstaller01009.dll - c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b\r\n\r\n\r\n## Usage\r\n\r\nThe program accepts only two options.\r\n\r\n-dse : sets the callback for CI!CiValidateImageHeader. 0 (the default value) means the value is changed to nt!rand. The effect is the same as disabling Driver Signature Enforcement.\r\n\r\n-cb : demonstrates a process creation callback. The callback only blocks notepad.exe and msedge.exe. You have to modify the code to change the callback functionality.\r\n\r\n\r\n## Limitations\r\n\r\n- does not work when Intel Virtualization Technology Redirect Protection (VT-rp) is used. The CPU feature is in Intel 12th gen and later.\r\n- cannot do chained calls.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworawit%2Fmalk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworawit%2Fmalk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworawit%2Fmalk/lists"}