###
# - @T3SL4
# This script automates the HVCI scan and removal of unsafe drivers.
###
# Ensure the script runs with administrative privileges
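# Re-launch elevated when the current process is not running as Administrator.
# $PSCommandPath is empty when the code is pasted into a console or run through
# Invoke-Expression; there is then no file to hand to -File, so abort instead of
# spawning an elevated powershell.exe with an empty script path.
$currentPrincipal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-NOT $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    if ([string]::IsNullOrEmpty($PSCommandPath)) {
        Write-Host "Save this script to a file and run it as administrator." -ForegroundColor Red
        exit 1
    }
    Write-Host "Running script as administrator..." -ForegroundColor Cyan
    try {
        # -ExecutionPolicy Bypass applies only to the elevated child process started here.
        Start-Process -FilePath powershell.exe `
            -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" `
            -Verb RunAs -ErrorAction Stop
    } catch {
        # Start-Process throws when the UAC prompt is declined; report it instead of exiting silently.
        Write-Host "Elevation was cancelled or failed: $($_.Exception.Message)" -ForegroundColor Red
        exit 1
    }
    exit
}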
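# Take ownership of a file or directory tree and grant the Administrators group full control.
# Arguments: $path - file or directory to reown (passed to takeown/icacls unchanged)
# Outputs:   nothing on success; a Write-Warning when either tool exits non-zero
# Notes:     tool output is discarded, so the exit codes are the only failure signal.
function TakeOwnershipAndGrantPermission($path) {
    if ([string]::IsNullOrWhiteSpace($path)) {
        Write-Warning "TakeOwnershipAndGrantPermission: empty path, nothing to do."
        return
    }
    # /A gives ownership to the Administrators group, /R recurses into directories,
    # /D Y pre-answers takeown's confirmation prompt.
    takeown.exe /F "$path" /A /R /D Y > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "takeown failed for '$path' (exit code $LASTEXITCODE)."
    }
    # Address the group by its well-known SID (*S-1-5-32-544) rather than the name
    # "Administrators", which is localized on non-English Windows and would make
    # icacls fail there. /grant:r replaces the existing ACE, /T recurses,
    # /C continues past per-file errors, /Q suppresses success messages.
    icacls.exe "$path" /grant:r '*S-1-5-32-544:(F)' /T /C /Q > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed for '$path' (exit code $LASTEXITCODE)."
    }
}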
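# Private helper: true when $candidate is a directory that must never be removed
# wholesale (drive root, the Windows/System32/DriverStore roots, Program Files)
# or when it is empty. Comparison is case-insensitive and ignores a trailing backslash.
function Test-ProtectedDirectory($candidate) {
    $normalized = ([string]$candidate).TrimEnd('\')
    if ($normalized -eq '') { return $true }
    $protected = @(
        $env:SystemDrive,
        $env:SystemRoot,
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore'),
        (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'),
        (Join-Path $env:SystemRoot 'SysWOW64'),
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        $env:ProgramData
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    return ($protected -contains $normalized)
}

# Download (if needed), verify and run Microsoft's hvciscan tool, then remove the
# driver files it reports as HVCI-incompatible.
# Arguments: none
# Outputs:   progress on the host; Write-Warning for individual removal failures
# Side effects: downloads hvciscan_amd64.exe next to the script; deletes driver
#               files and driver package directories; changes ownership/ACLs.
function RemoveUnsafeDrivers {
    # Keep the scanner next to the script rather than in the current directory:
    # after the UAC re-launch the working directory is typically System32.
    $toolDirectory = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
    $hvciscan_exe = Join-Path $toolDirectory "hvciscan_amd64.exe"
    $hvciscan_url = "https://download.microsoft.com/download/3/7/5/3754cbaa-4dff-469a-a9f0-ca501f3c0421/hvciscan_amd64.exe"

    if (-not (Test-Path -LiteralPath $hvciscan_exe)) {
        Write-Host "File not found. Downloading $hvciscan_exe..." -ForegroundColor Yellow
        try {
            Invoke-WebRequest -Uri $hvciscan_url -OutFile $hvciscan_exe -UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124." -ErrorAction Stop
        } catch {
            Write-Host "Download failed: $($_.Exception.Message)" -ForegroundColor Red
            return
        }
    }

    # The tool runs with administrative rights and its output drives file deletion,
    # so refuse to execute it unless its Authenticode signature verifies.
    # NOTE(review): assumes the Microsoft download is Authenticode-signed; confirm on a known-good copy.
    $signature = Get-AuthenticodeSignature -FilePath $hvciscan_exe
    if ($signature.Status -ne 'Valid') {
        Write-Host "Signature check failed for $hvciscan_exe (status: $($signature.Status)); not running it." -ForegroundColor Red
        return
    }

    Write-Host "Running hvciscan tool..." -ForegroundColor Yellow
    $hvciOutput = & $hvciscan_exe
    # Each incompatible driver is reported on a line of the form: HVCI: "<path>" failed ...
    # @() keeps .Count meaningful when zero or one path is found.
    $driverFilePaths = @($hvciOutput | Select-String -Pattern 'HVCI: "(.*?)" failed' | ForEach-Object {
        $_.Matches[0].Groups[1].Value
    })
    if ($driverFilePaths.Count -eq 0) {
        Write-Host "No drivers to remove." -ForegroundColor Red
        return
    }

    foreach ($driverPath in $driverFilePaths) {
        if (-not (Test-Path -LiteralPath $driverPath)) { continue }
        $sysDirectory = Split-Path $driverPath

        # Match the FILE path: the directory string carries no trailing backslash,
        # so matching '*\drivers\*' against it never hits files directly under \drivers.
        if ($driverPath -like '*\Windows\System32\drivers\*') {
            TakeOwnershipAndGrantPermission $driverPath
            Write-Host "Found! " -ForegroundColor Green -NoNewline
            Write-Host "Removing driver file $driverPath..." -ForegroundColor Yellow
            try {
                Remove-Item -LiteralPath $driverPath -Force -ErrorAction Stop
            } catch {
                Write-Warning "Could not remove '$driverPath': $($_.Exception.Message)"
            }
        } else {
            # Walk up to the nearest ancestor that directly holds an .inf, i.e. the driver
            # package directory. The search is deliberately non-recursive: a recursive
            # search also matches .inf files deep under directories such as System32 and
            # would then hand that whole tree to Remove-Item -Recurse. The walk also stops
            # at any protected root and at the drive root (Split-Path of "X:\" is "").
            $searchDirectory = $sysDirectory
            while (-not (Test-ProtectedDirectory $searchDirectory) -and
                   $null -eq (Get-ChildItem -LiteralPath $searchDirectory -Filter "*.inf" -File -ErrorAction SilentlyContinue | Select-Object -First 1)) {
                $searchDirectory = Split-Path $searchDirectory
            }
            if (-not (Test-ProtectedDirectory $searchDirectory)) {
                TakeOwnershipAndGrantPermission $searchDirectory
                Write-Host "Found! " -ForegroundColor Green -NoNewline
                Write-Host "Removing driver directory $searchDirectory..." -ForegroundColor Yellow
                try {
                    Remove-Item -LiteralPath $searchDirectory -Recurse -Force -ErrorAction Stop
                } catch {
                    Write-Warning "Could not remove '$searchDirectory': $($_.Exception.Message)"
                }
            } else {
                # As in the original, nothing is deleted when no package directory is found;
                # say so instead of skipping silently.
                Write-Host "No driver package directory found for $driverPath; leaving it in place." -ForegroundColor Yellow
            }
        }
    }
}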
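# Private helper: write one REG_DWORD value, creating the key first when it is missing.
# Set-ItemProperty fails on a non-existent key, and the Policies\...\DeviceGuard and
# Scenarios\HypervisorEnforcedCodeIntegrity keys are not present on every machine.
# Arguments: $keyPath - registry key (HKLM:\...), $name - value name, $value - DWORD to write
function Set-DeviceGuardValue($keyPath, $name, [int]$value) {
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $keyPath -Name $name -Value $value -Type DWord
}

# Private helper: write the full set of Core Isolation / Memory Integrity values.
# Arguments: $enabled - $true writes the "on" values (1, WasEnabledBy=2), $false writes 0 everywhere
# Side effects: modifies HKLM policy, DeviceGuard scenario and Lsa keys; takes effect after a reboot.
function Set-CoreIsolationState([bool]$enabled) {
    $policyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
    $scenarioKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
    $lsaKey      = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $on = if ($enabled) { 1 } else { 0 }
    # WasEnabledBy is written as 2 when enabling and 0 when disabling; values kept from the original script.
    $wasEnabledBy = if ($enabled) { 2 } else { 0 }

    # Same value order as the original enable/disable functions.
    Set-DeviceGuardValue $policyKey   "EnableVirtualizationBasedSecurity" $on
    Set-DeviceGuardValue $policyKey   "RequirePlatformSecurityFeatures"   $on
    Set-DeviceGuardValue $policyKey   "HypervisorEnforcedCodeIntegrity"   $on
    Set-DeviceGuardValue $scenarioKey "Enabled"                           $on
    Set-DeviceGuardValue $scenarioKey "WasEnabledBy"                      $wasEnabledBy
    # LsaCfgFlags is the Credential Guard policy value. NOTE(review): a value of 1 is
    # documented as "enabled with UEFI lock"; writing 0 later does not clear a UEFI lock
    # on its own - confirm the disable path against the current Microsoft guidance.
    Set-DeviceGuardValue $policyKey   "LsaCfgFlags"                       $on
    Set-DeviceGuardValue $policyKey   "ConfigureSystemGuardLaunch"        $on
    Set-DeviceGuardValue $policyKey   "ConfigureKernelShadowStacksLaunch" $on
    # RunAsPPL enables LSA protection (LSASS runs as a protected process).
    Set-DeviceGuardValue $lsaKey      "RunAsPPL"                          $on
    Set-DeviceGuardValue $policyKey   "HVCIMATRequired"                   $on
}

# Enable Core Isolation / Memory Integrity (plus the related VBS, Credential Guard and
# LSA protection values) through the registry. Requires a reboot to take effect.
function EnableCoreIsolationAndMemoryIntegrity {
    Set-CoreIsolationState $true
}

# Write 0 to every value that EnableCoreIsolationAndMemoryIntegrity sets to a non-zero value.
# Requires a reboot to take effect.
function DisableCoreIsolationAndMemoryIntegrity {
    Set-CoreIsolationState $false
}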
# Main script execution: interactive prompts. Both -eq and switch compare strings
# case-insensitively, so "Y" and "y" are accepted alike.
$action_hvci = Read-Host "Scan and delete unsafe drivers? (y/n)"
if ($action_hvci -eq "y") {
    RemoveUnsafeDrivers
}

$action_isolation = Read-Host "Enable Windows Defender Core Isolation and Memory Integrity? (y/n)"
switch ($action_isolation) {
    "y" {
        EnableCoreIsolationAndMemoryIntegrity
    }
    "n" {
        # Declining to enable is not the same as disabling; ask explicitly before turning it off.
        $disable_isolation = Read-Host "Disable Windows Defender Core Isolation and Memory Integrity? (y/n)"
        if ($disable_isolation -eq "y") {
            DisableCoreIsolationAndMemoryIntegrity
        }
    }
}

Write-Host "Script finished, please restart your computer." -ForegroundColor Cyan
pause