Description
Currently, this project is not HVCI compatible.
The reason for this is our approach to calling kernel functions in order to bootstrap our kernel ROP implant thread.
In order to bootstrap into it, we currently invoke calls to PsCreateSystemThread, ExAllocatePool2, RtlZeroMemory and memcpy.
Those calls can be found in MemoryManager::AllocateMemory(), MemoryManager::InitializeMemory(...), RopThreadManager::SpawnThread().
The way those calls are currently performed is implemented inside Driver::ArbitraryCaller, where we patch the function NtReadFileScatter (this was arbitrarily chosen because the function is not called often and supports fastcall stack-argument passing).
The function is patched to jmp into whatever address of the target function we want to call. This is obviously not HVCI compliant, as HVCI enforces W^X protection.
My idea for solving this is to perform a "data pointer swap" into a function callable from user mode, to temporarily have it call into whatever syscall we want. After running some demos in my own test driver, it is possible to do this under Win11 25H2.
However, the current issue is that the vulnerable driver this project uses, athpexnt.sys, only allows writing into the kernel, not performing any reads, so finding the actual function data pointer in the heap is not trivial without any memory-reading primitive.