diff --git a/README.md b/README.md index b8c6abb..3b52748 100644 --- a/README.md +++ b/README.md @@ -50,8 +50,8 @@ processor executing kernel code cannot access usermode controlled pages (user su This is an issue with ROP as RSP after a syscall contains a usermode address. Interfacing with this usermode stack in any way will cause a fault. However, you can essentially disable SMAP from usermode. There is a bit in the RFLAGS register which can be set to nullify SMAP. The instruction to set this bit is called `STAC` (Set AC Flag in EFLAGS Register). However this instruction is privilaged and will throw a #UD. However as @drew pointed out, you can `POPFQ` an RFLAGS value with that bit set and the CPU will not throw any exceptions. I assumed that since `STAC` cannot be used in usermode, that `POPFQ` would also throw an exception, however this is not the case... Again thank you @drew, without this key information the project would have been a complete mess as there are no useable `mov cr4, [non rax registers] ; ret` gadgets which exist across windows versions. ```nasm -pushfq ; thank you drew :) -pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"... +pushfq ; thank you drew :) +pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"... or rax, 040000h ; push rax ; popfq ; @@ -60,11 +60,11 @@ popfq ; RFLAGS is restored after the syscall instruction. The original RFLAGS value is pushed onto the stack prior to all of the gadgets and other values. ```nasm -syscall ; LSTAR points at a pop rcx gadget... +syscall ; LSTAR points at a pop rcx gadget... ; it will put m_smep_off into rcx... finish: -popfq ; restore EFLAGS... -pop r10 ; restore r10... +popfq ; restore EFLAGS... +pop r10 ; restore r10... ret ```
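Review bot: the `-`/`+` pairs in the first hunk (`@@ -50,8 +50,8 @@`) differ only in the whitespace that aligns the `;` comments, so the change is cosmetic; while touching these lines it would be worth fixing the spelling in the unchanged context of the same hunk, "privilaged" to "privileged" and "useable" to "usable", so the README does not need a second cleanup commit. On the content of the block, the comment on `pop rax` ("this will set the AC flag in RFLAGS") is attached to the wrong instruction: `pushfq` / `pop rax` only copies the current RFLAGS into `rax`, and it is the following `or rax, 040000h` (bit 18, the AC flag) that sets the bit before `push rax` / `popfq` writes it back. Moving the comment to the `or` line would make the sequence read correctly.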
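Review bot: the second hunk (`@@ -60,11 +60,11 @@`) is likewise a whitespace-only realignment of the comments on `syscall`, `popfq` and `pop r10`; since the comment text is being re-emitted anyway, the `popfq` comment "restore EFLAGS..." should say RFLAGS to match the prose immediately above ("RFLAGS is restored after the syscall instruction") and the first block, as this is 64-bit code and the mixed naming reads like two different registers.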