Hells Hollow introduces a novel technique for SSDT hooking, leveraging Alt Syscalls to bypass Microsoft’s PatchGuard protections on Windows 11. This method allows rootkits to intercept and manipulate system calls by modifying the KTRAP_FRAME, thus enabling a range of malicious activities while highlighting the vulnerabilities within the Windows kernel. Limitations of the technique are discussed, including its resistance to certain security measures like Hyper-V and HVCI.

NovaHypervisor is a defensive x64 Intel hypervisor designed to protect against kernel-based attacks by safeguarding memory structures and defense products on Windows 10 and later. Written in C++ and Assembly, it is in early development, not yet suitable for production, and includes instructions for setup, memory protection commands, and logging. Users must enable specific virtualization features to run the hypervisor effectively.

The article delves into the kernel-mode objects and structures that manage Windows registry hives, focusing on the complex relationship between the _CMHIVE and _HHIVE structures. It explores their roles in memory management, synchronization, and transaction states, while discussing the implications for security and performance. Detailed insights on their layouts and functionalities are provided, along with the challenges of reverse-engineering undocumented structures.