Modern memory corruption exploits gain arbitrary code execution by overwriting a function pointer with a controlled value and triggering a code path that dereferences it. Recent compilers attempt to prevent this by emitting additional checks before dereferencing code pointers, thus placing restrictions on the control flow graph. This makes exploitation more difficult. In VC++ 2015, Microsoft has implemented “Control Flow Guard” (CFG), which disallows certain indirect function calls. Windows 8.1 and 10 binaries are compiled with this option enabled, and contain the kernel extensions required to perform the extra checks. (LLVM/Clang offers control flow protection as well, but they are experimental and not currently used in real world apps for Mac or Linux at this point.) In this talk, we briefly describe known information on CFG implementation and weaknesses. The meat of our research is providing a generic CFG bypass. We have partnered with Microsoft to safely coordinate this release.