0x01 – Killing Windows Kernel Mitigations
This post was made possible through hard work and determination. Do not feel frustrated if this material does not click immediately, and remember that the source of truth will always be the source code. For us, the source code is raw assembly. That said, it is important that you understand these techniques in detail, because when Microsoft releases new mitigations, this foundation is what will allow you to develop bypasses. So, if something is not clear, take your time and step through it in the debugger.
In addition, this post includes the release of my PoC ROP chain, Violet Phosphorus, a universal VBS/SMEP bypass technique. So basically we have to place this value into CR4 to turn off SMEP… While researching this I came across a blog post by fluidattacks and noticed that its author used a ROP gadget in the nt module, specifically KeFlushCurrentTb. However, with a little research you will find there are multiple methods of obtaining the base address of nt (or any other loaded module, for that matter) from medium integrity (the default user configuration).