
Really impressive work. What stood out to me is that this isn't just another IDT hook demonstration—it shows that even with VBS, HVCI and kCET enabled, data-only manipulation remains an interesting research direction.
Using an FWA-backed cloned IDT instead of modifying the live table directly significantly reduces the footprint and highlights how page-table translation itself can become part of the attack surface. The distinction between changing the physical backing while preserving the same virtual IDTR mapping is particularly elegant.
Another interesting takeaway is the separation between the interrupt dispatch path and the Windows x64 ABI. Many people conflate the legacy INT 0x2E mechanism with modern syscall execution, but using it purely as a controlled dispatch bridge while restoring both the service table entry and the original mapping demonstrates a much deeper understanding of Windows internals.
Research like this is also a reminder that modern mitigations increasingly protect control-flow, while attackers and researchers keep exploring data-flow assumptions instead. That's where many of the most interesting future kernel mitigations will likely have to evolve.
Great write-up. The kernel never seems to run out of ways to humble us.
English

























