From f9a6fc93abe75f49cc368b64d27409ded4289790 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 23 Feb 2021 21:45:53 +0000 Subject: [PATCH] Update README.md --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 48538cd..b8c6abb 100644 --- a/README.md +++ b/README.md 
@@ -50,21 +50,21 @@ processor executing kernel code cannot access usermode controlled pages (user su This is an issue with ROP as RSP after a syscall contains a usermode address. Interfacing with this usermode stack in any way will cause a fault. However, you can essentially disable SMAP from usermode. There is a bit in the RFLAGS register which can be set to nullify SMAP. The instruction to set this bit is called `STAC` (Set AC Flag in EFLAGS Register). However this instruction is privilaged and will throw a #UD. However as @drew pointed out, you can `POPFQ` an RFLAGS value with that bit set and the CPU will not throw any exceptions. I assumed that since `STAC` cannot be used in usermode, that `POPFQ` would also throw an exception, however this is not the case... Again thank you @drew, without this key information the project would have been a complete mess as there are no useable `mov cr4, [non rax registers] ; ret` gadgets which exist across windows versions. ```nasm -pushfq ; thank you drew :) -pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"... -or rax, 040000h ; -push rax ; -popfq ; +pushfq ; thank you drew :) +pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"... +or rax, 040000h ; +push rax ; +popfq ; ``` RFLAGS is restored after the syscall instruction. The original RFLAGS value is pushed onto the stack prior to all of the gadgets and other values. ```nasm -syscall ; LSTAR points at a pop rcx gadget... - ; it will put m_smep_off into rcx... +syscall ; LSTAR points at a pop rcx gadget... + ; it will put m_smep_off into rcx... finish: -popfq ; restore EFLAGS... -pop r10 ; restore r10... +popfq ; restore EFLAGS... +pop r10 ; restore r10... ret ```
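Review bot: every `-`/`+` pair in this hunk differs only in whitespace (the comment columns inside the two ```nasm blocks are realigned), so the subject "Update README.md" undersells the change; a subject such as "README: align comment columns in nasm snippets" would keep `git log` informative and make it obvious to reviewers that no instruction text changed. While this paragraph is being touched, the unchanged context lines still carry "privilaged" and "useable" (should read "privileged" and "usable"), and the comment `popfq ; restore EFLAGS...` is inconsistent with the surrounding prose and the previous block, which both name the register RFLAGS; fixing those in the same hunk would avoid a second whitespace-plus-typo commit against the same lines.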