Gadgets Zoo: Bypassing Control Flow Guard in Windows 10

DerbyCon V - Unity

Presented by: Jared DeMott, Rafal Wojtczuk
Date: Friday September 25, 2015
Time: 14:00 - 14:50
Location: Track 1
Track: Break Me

Modern memory corruption exploits gain arbitrary code execution by overwriting a function pointer with a controlled value and triggering a code path that dereferences it. Recent compilers attempt to prevent this by emitting additional checks before dereferencing code pointers, thus placing restrictions on the control flow graph. This makes exploitation more difficult. In VC++ 2015, Microsoft has implemented “Control Flow Guard” (CFG), which disallows certain indirect function calls. Windows 8.1 and 10 binaries are compiled with this option enabled, and contain the kernel extensions required to perform the extra checks. (LLVM/Clang offers control flow protection as well, but they are experimental and not currently used in real world apps for Mac or Linux at this point.) In this talk, we briefly describe known information on CFG implementation and weaknesses. The meat of our research is providing a generic CFG bypass. We have partnered with Microsoft to safely coordinate this release.

Rafal Wojtczuk

Jared DeMott


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats