Security researchers have discovered vulnerabilities in Windows 11’s core security features that could allow attackers to bypass multiple protection mechanisms and achieve arbitrary code execution at the kernel level.
The affected security components include Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), which are enabled by default in Windows 11.
VBS creates an isolated memory environment that acts as a root of trust for the operating system, while HVCI prevents unauthorized drivers and system files from being loaded into system memory.
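A defender can confirm that both features are actually running, not merely configured, by querying the `Win32_DeviceGuard` WMI class. The following PowerShell is an added example, not code from the researchers or from Microsoft; the function name `Get-VbsHvciState` is a hypothetical helper chosen for illustration.

```powershell
# Added example: report whether VBS and HVCI are actually running on this host.
# Get-VbsHvciState is a hypothetical helper name, not part of Windows.
function Get-VbsHvciState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard is the WMI class through which Windows exposes VBS state.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { "Unknown ($_)" }
    }

    # In SecurityServicesConfigured / SecurityServicesRunning, the value 2 denotes HVCI.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VbsStatus      = $vbsText
        HvciConfigured = $dg.SecurityServicesConfigured -contains 2
        HvciRunning    = $dg.SecurityServicesRunning -contains 2
    }
}

$state = Get-VbsHvciState
$state | Format-List

# Flag hosts where the protections are configured but not in effect.
if ($state.VbsStatus -ne 'Running' -or -not $state.HvciRunning) {
    Write-Warning 'VBS or HVCI is not running; kernel code-integrity enforcement is not in effect on this host.'
}
```

A result showing both features running confirms only that unsigned kernel code is blocked; it says nothing about the data-only technique this article describes, which does not depend on loading code.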
Researchers demonstrated that an arbitrary pointer dereference vulnerability could be transformed into a powerful read/write primitive, enabling data-only attacks that don’t trigger traditional security controls. This technique allows attackers to:
The exploit begins by turning an arbitrary pointer dereference vulnerability into an arbitrary read/write primitive. This transformation allows attackers to manipulate kernel memory without injecting executable code, bypassing HVCI’s restrictions on unsigned code execution. By gaining control over kernel memory, attackers can perform data-only attacks such as:
These attacks exploit the inherent trust Windows places in its kernel processes, enabling adversaries to operate with elevated privileges or disable security mechanisms undetected.
Researchers documented a proof-of-concept environment using VMware that demonstrates the vulnerability. The setup requires specific configuration steps:
While Microsoft has patched several kernel address leak vulnerabilities in Windows 11 24H2, some remain exploitable for users with administrative privileges.
The vulnerability affects multiple versions of Windows, including:
Microsoft continues to strengthen its security features, with VBS and HVCI playing crucial roles in protecting against sophisticated malware attacks.
“This discovery highlights the ongoing challenge of securing modern operating systems against data-only attacks,” notes the research team. “Even with advanced security features enabled by default in Windows 11, determined attackers can still find ways to manipulate system behavior without triggering traditional protection mechanisms.”
The findings underscore the importance of maintaining comprehensive security measures beyond built-in operating system protections, as even sophisticated features like VBS can potentially be circumvented through creative exploit techniques.