Microsoft maintains a hypervisor-enforced driver blocklist. Even if a vulnerable driver is signed, Windows will refuse to load it if it is known to be abused in BYOVD attacks.
Once attackers bypass HVCI and gain kernel-level access, they can:
Contains standard user-mode applications and the standard Windows kernel.
The core mechanism of HVCI is the manipulation of Extended Page Tables (EPT) or Nested Page Tables (NPT), collectively known as Second Level Address Translation (SLAT). While the VTL 0 kernel manages its own virtual-to-physical memory mappings, the hypervisor intercepts these mappings using SLAT to enforce memory permissions.
The W^X Principle
Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) bypass HVCI by utilizing code that is already marked as executable by the hypervisor.
Bypassing HVCI is difficult because the integrity checks occur at a higher privilege level (the hypervisor/Secure World) than the kernel itself. Bypass techniques usually fall into two categories: and Vulnerability Exploitation.