Update README.md

merge-requests/1/head
_xeroxz 4 years ago
parent 4847957ed5
commit 0dbc223aab

@ -35,7 +35,7 @@ ret
However, when the syscall instruction is executed, the address of the next instruction (the one after the syscall instruction) is placed into RCX. In order to preserve RIP, it should be placed onto the stack before any addresses of gadgets are placed onto the stack.
```asm
```nasm
lea rax, finish
push rax
```
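Review bot: the retagged `nasm` fence does not match the snippet's syntax. `lea rax, finish` is MASM-style; NASM requires a bracketed memory operand for `lea`, so either keep the fence tagged `asm` or write `lea rax, [rel finish]`. It would also help to state here that `finish` is the label immediately after the `syscall` instruction, so the address pushed is the same one the CPU will place in RCX.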
@ -44,6 +44,30 @@ changing IA32_LSTAR to a ROP chain as described above will work just fine on CPU
### SMAP - Supervisor Mode Access Prevention
SMAP or Supervisor Mode Access Prevention is a CPU protection which prevents accessing data controlled by a higher CPL. In other words, if SMAP is set in CR4, a logical
processor executing kernel code cannot access usermode controlled pages (user supervisor).
This is an issue with ROP as RSP after a syscall contains a usermode address. Interfacing with this usermode stack in any way will cause a fault. However, you can essentially disable SMAP from usermode. There is a bit in the RFLAGS register which can be set to nullify SMAP. The instruction to set this bit is called `STAC` (Set AC Flag in EFLAGS Register). However this instruction is privilaged and will throw a #UD. However as @drew pointed out, you can `POPFQ` an RFLAGS value with that bit set and the CPU will not throw any exceptions. I assumed that since `STAC` cannot be used in usermode, that `POPFQ` would also throw an exception, however this is not the case... Again thank you @drew, without this key information the project would have been a complete mess as there are no useable `mov cr4, [non rax registers] ; ret` gadgets which exist across windows versions.
```nasm
pushfq ; thank you drew :)
pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"...
or rax, 040000h ;
push rax ;
popfq ;
```
RFLAGS is restored after the syscall instruction. The original RFLAGS value is pushed onto the stack prior to all of the gadgets and other values.
```nasm
syscall ; LSTAR points at a pop rcx gadget...
; it will put m_smep_off into rcx...
finish:
popfq ; restore EFLAGS...
pop r10 ; restore r10...
ret
```
# Lisence
TL;DR: if you use this project, rehost it, put it on github, include `_xeroxz` in your release.
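Review bot: the comment on `pop rax` ("this will set the AC flag in RFLAGS") sits on the wrong line; nothing is set until the `or rax, 040000h` / `push rax` / `popfq` sequence runs, so move the comment to the `popfq` line and note that `040000h` is bit 18 of RFLAGS (AC), which is what makes the supervisor-mode access to the usermode stack permitted under SMAP. Typos in the same hunk: `privilaged` should be `privileged`, `useable` should be `usable`, and the `# Lisence` heading should read `# License`.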
