- Supervisor Mode Execution Protection: KERNEL_AREA_EXEC != USER_AREA_SHELLCODE
- Intel manual
- SMEP-Enable Bit (bit 20 of CR4) — Enables supervisor-mode execution prevention (SMEP) when set. See Section 4.6, “Access Rights”.
- For accesses in supervisor mode (CPL < 3):
  - Instruction fetches.
    - For 32-bit paging or if IA32_EFER.NXE = 0, access rights depend on the value of CR4.SMEP:
      - If CR4.SMEP = 0, instructions may be fetched from any linear address with a valid translation.
      - If CR4.SMEP = 1, instructions may be fetched from any linear address with a valid translation for which the U/S flag (bit 2) is 0 in at least one of the paging-structure entries controlling the translation.
    - For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, access rights depend on the value of CR4.SMEP:
      - If CR4.SMEP = 0, instructions may be fetched from any linear address with a valid translation for which the XD flag (bit 63) is 0 in every paging-structure entry controlling the translation.
      - If CR4.SMEP = 1, instructions may be fetched from any linear address with a valid translation for which (1) the U/S flag is 0 in at least one of the paging-structure entries controlling the translation; and (2) the XD flag is 0 in every paging-structure entry controlling the translation.
- For accesses in user mode (CPL = 3):
  - Instruction fetches.
    - For 32-bit paging or if IA32_EFER.NXE = 0, instructions may be fetched from any linear address with a valid translation for which the U/S flag is 1 in every paging-structure entry controlling the translation.
    - For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, instructions may be fetched from any linear address with a valid translation for which the U/S flag is 1 and the XD flag is 0 in every paging-structure entry controlling the translation.
- PTE flags:
- Bit 0 (P) is the Present flag.
- Bit 1 (R/W) is the Read/Write flag.
- Bit 2 (U/S) is the User/Supervisor flag.
- ################# first method (I'm not sure :P) ###################
- Nevertheless, the Intel instruction set documentation describes the STAC instruction:
- Set AC Flag in EFLAGS Register
- Description
- Sets the AC flag bit in EFLAGS register. This may enable alignment checking of user-mode data accesses. This allows explicit supervisor-mode data accesses to user-mode pages even if the SMAP bit is set in the CR4 register. WTF???? (STAC only lifts SMAP, which governs supervisor-mode data accesses; it has no effect on SMEP, which governs instruction fetches.)
- ## second method
- ROP (Return Oriented Programming)
nt!KiLoadMTRR+0x120:
8312ebae 0f09            wbinvd
8312ebb0 837c241400      cmp     dword ptr [esp+14h],0
8312ebb5 0f20d8          mov     eax,cr3
8312ebb8 0f22d8          mov     cr3,eax
8312ebbb 8b442418        mov     eax,dword ptr [esp+18h]
8312ebbf 0f22c0          mov     cr0,eax
8312ebc2 7407            je      nt!KiLoadMTRR+0x13d (8312ebcb)
nt!KiLoadMTRR+0x136:
8312ebc4 8b44241c        mov     eax,dword ptr [esp+1Ch]   <===========
8312ebc8 0f22e0          mov     cr4,eax                   <===========
nt!KiLoadMTRR+0x13d:
8312ebcb 853548e9f782    test    dword ptr [nt!KeFeatureBits (82f7e948)],esi
8312ebd1 7508            jne     nt!KiLoadMTRR+0x14d (8312ebdb)
nt!KiLoadMTRR+0x145:
8312ebd3 8d4738          lea     eax,[edi+38h]
8312ebd6 e815000000      call    nt!KiLockStepExecution (8312ebf0)
nt!KiLoadMTRR+0x14d:
8312ebdb 807c240b00      cmp     byte ptr [esp+0Bh],0
8312ebe0 7401            je      nt!KiLoadMTRR+0x155 (8312ebe3)
nt!KiLoadMTRR+0x154:

0: kd> !pte 0x8312ebc8
                    VA 8312ebc8
PDE at C06020C0             PTE at C0418970
contains 00000000030009E3   contains 0000000000000000
pfn 3000      -GLDA--KWEV   LARGE PAGE pfn 312e   <=== kernel space
- #emingh
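Added example (not part of the paste): the SDM fetch rules quoted above, applied to the PDE windbg printed for the gadget address and to a constructed user-mode page, to show why SMEP leaves a kernel-resident page fetchable while blocking user-space shellcode. `fetch_allowed`, `GADGET_PDE` and `user_page` are names chosen here; the PDE value is the one from the !pte output.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Paging-structure entry bits from the PTE flag list above, plus PS, G and XD. */
#define PG_P   (1ULL << 0)   /* Present */
#define PG_RW  (1ULL << 1)   /* Read/Write */
#define PG_US  (1ULL << 2)   /* User/Supervisor: 1 = user, 0 = supervisor only */
#define PG_PS  (1ULL << 7)   /* Page Size: set in a PDE means large page, no PTE */
#define PG_G   (1ULL << 8)   /* Global */
#define PG_XD  (1ULL << 63)  /* Execute Disable (PAE/IA-32e paging, NXE = 1) */
/* The PDE windbg printed for the gadget address in the !pte output above. */
#define GADGET_PDE 0x00000000030009E3ULL

/* Instruction-fetch access rights as the SDM text above states them. entries[]:
 * every entry controlling the translation (PDE alone for a large page, PDE then
 * PTE for a 4 KiB page). cpl: 0 supervisor, 3 user. smep: CR4.SMEP. nxe: true
 * only for PAE/IA-32e paging with IA32_EFER.NXE = 1 (not plain 32-bit paging). */
bool fetch_allowed(const uint64_t *entries, int n, int cpl, bool smep, bool nxe)
{
    bool any_supervisor = false;  /* U/S == 0 in at least one entry */
    bool all_user = true;         /* U/S == 1 in every entry */
    bool any_xd = false;          /* XD == 1 in any entry */
    for (int i = 0; i < n; i++) {
        if (!(entries[i] & PG_P))
            return false;         /* no valid translation: faults regardless */
        if (!(entries[i] & PG_US)) {
            any_supervisor = true;
            all_user = false;
        }
        if (nxe && (entries[i] & PG_XD))
            any_xd = true;
    }
    if (cpl == 3)
        return all_user && !any_xd;
    if (any_xd)
        return false;             /* XD blocks supervisor fetches too */
    return smep ? any_supervisor : true;
}

/* Constructed 4 KiB user page: U/S set in both the PDE and the PTE. */
static const uint64_t user_page[2] = { PG_P | PG_RW | PG_US, PG_P | PG_RW | PG_US };

int main(void)
{
    uint64_t gadget[1] = { GADGET_PDE };   /* PS set, so the PDE is the whole walk */
    printf("kernel gadget, CPL0, SMEP=1: %d\n", fetch_allowed(gadget, 1, 0, true, false));
    printf("user page,     CPL0, SMEP=1: %d\n", fetch_allowed(user_page, 2, 0, true, false));
    printf("user page,     CPL0, SMEP=0: %d\n", fetch_allowed(user_page, 2, 0, false, false));
    return 0;
}
```

The first two results are the whole point of the notes: with CR4.SMEP set, a supervisor-mode fetch from the kernel large page (U/S = 0) is allowed, while the same fetch from a user page (U/S = 1 at every level) is denied until the bit is cleared.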