Update README.md

merge-requests/1/head
_xeroxz 4 years ago
parent 2b2d77366d
commit f9a6fc93ab

@ -50,21 +50,21 @@ processor executing kernel code cannot access usermode controlled pages (user su
This is an issue with ROP as RSP after a syscall contains a usermode address. Interfacing with this usermode stack in any way will cause a fault. However, you can essentially disable SMAP from usermode. There is a bit in the RFLAGS register which can be set to nullify SMAP. The instruction to set this bit is called `STAC` (Set AC Flag in EFLAGS Register). However this instruction is privilaged and will throw a #UD. However as @drew pointed out, you can `POPFQ` an RFLAGS value with that bit set and the CPU will not throw any exceptions. I assumed that since `STAC` cannot be used in usermode, that `POPFQ` would also throw an exception, however this is not the case... Again thank you @drew, without this key information the project would have been a complete mess as there are no useable `mov cr4, [non rax registers] ; ret` gadgets which exist across windows versions.
```nasm
pushfq ; thank you drew :)
pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"...
or rax, 040000h ;
push rax ;
popfq ;
pushfq ; thank you drew :)
pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"...
or rax, 040000h ;
push rax ;
popfq ;
```
RFLAGS is restored after the syscall instruction. The original RFLAGS value is pushed onto the stack prior to all of the gadgets and other values.
```nasm
syscall ; LSTAR points at a pop rcx gadget...
; it will put m_smep_off into rcx...
syscall ; LSTAR points at a pop rcx gadget...
; it will put m_smep_off into rcx...
finish:
popfq ; restore EFLAGS...
pop r10 ; restore r10...
popfq ; restore EFLAGS...
pop r10 ; restore r10...
ret
```
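Review bot: the README text in this hunk has spelling errors that should be fixed before merge: "privilaged" should be "privileged" and "useable" should be "usable"; the paragraph also chains three "However" sentences in a row and would read better with the second one dropped or reworded. In the two NASM blocks every line appears twice in this view (the `pushfq ; thank you drew :)` ... `popfq ;` sequence and the `finish:` block's `popfq ; restore EFLAGS...` / `pop r10 ; restore r10...` pair); if the committed README really contains those duplicated lines they should be deduplicated, and if this is only the old/new rendering of a whitespace-only change, no action is needed. Two smaller points: the comment `; restore EFLAGS...` should say RFLAGS to match the surrounding prose and the `popfq` instruction, and since the text only says "a bit in the RFLAGS register", it would help readers to state that `040000h` is bit 18, the AC flag that `STAC` sets.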
