feat: make Core Isolation options functional

Atlas-OS · Jul 9, 2023 · 60e3e87 · 60e3e87
1 parent 5be99ed
commit 60e3e87
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 0 deletions.
diff --git a/src/Configuration/tweaks.yml b/src/Configuration/tweaks.yml
@@ -332,6 +332,7 @@ features:
   # -----------------------------------------------------
   - tweaks\statuses\status-scripts.yml
   - tweaks\scripts\script-storage-sense.yml
+  - tweaks\scripts\script-core-isolation.yml
   - tweaks\scripts\script-devices.yml
   - tweaks\scripts\script-cleanup.yml
   - tweaks\scripts\script-startmenu.yml

diff --git a/src/Configuration/tweaks/scripts/script-core-isolation.yml b/src/Configuration/tweaks/scripts/script-core-isolation.yml
@@ -0,0 +1,11 @@
+---
+title: Disable Core Isolation
+description: Disables Core Isolation (VBS) based on the user's options
+privilege: TrustedInstaller
+actions:
+  - !run:
+    exe: 'powershell.exe'
+    args: '-NoP -File "C:\Users\Default\Desktop\Atlas\3. Configuration\5. Security\Core Isolation (VBS)\Current Configuration.ps1" -DisableAllVBS'
+    exeDir: true
+    wait: true
+    option: 'vbs-disable'
diff --git a/...utables/Atlas/3. Configuration/5. Security/Core Isolation (VBS)/Current Configuration.ps1 b/...utables/Atlas/3. Configuration/5. Security/Core Isolation (VBS)/Current Configuration.ps1
@@ -1,5 +1,46 @@
+[CmdletBinding()]
+param (
+    [Parameter()][Switch]$DisableAllVBS,
+    [Parameter()][Switch]$EnableMemoryIntegrity
+)
+
 # https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity#validate-enabled-vbs-and-memory-integrity-features
 
+$memIntegrity = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+$kernelShadowStacks = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks"
+$credentialGuard = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard"
+
+if ($DisableAllVBS) {
+	Write-Warning "Disabling VBS features..."
+
+	# Memory Integrity
+	if (Test-Path $memIntegrity) {
+		New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+		Remove-ItemProperty -Path $memIntegrity -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
+		Remove-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -ErrorAction SilentlyContinue
+	}
+
+	# Kernel-mode Hardware-enforced Stack Protection (Windows 11 only)
+	if (Test-Path $kernelShadowStacks) {
+		New-ItemProperty -Path $kernelShadowStacks -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+		Remove-ItemProperty -Path $kernelShadowStacks -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
+		Remove-ItemProperty -Path $kernelShadowStacks -Name "WasEnabledBy" -ErrorAction SilentlyContinue
+	}
+
+	# Credential Guard (Windows 11 only)
+	if (Test-Path $credentialGuard) {
+		New-ItemProperty -Path $credentialGuard -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+		Remove-ItemProperty -Path $credentialGuard -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
+		Remove-ItemProperty -Path $credentialGuard -Name "WasEnabledBy" -ErrorAction SilentlyContinue
+	}
+	exit
+} elseif ($EnableMemoryIntegrity) {
+	Write-Warning "Enabling memory integrity..."
+	Set-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 1 -Type DWord
+	Set-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -Value 2 -Type DWord
+	exit
+}
+
 $pages = @(
 	@{
 		Title = "VBS Features Running"