Bypass Control Flow Guard Comprehensively

by Yunhai Zhang
Sept. 18, 2017 1 comment Black Hat belen_caty Pen Testing & Audits

Control Flow Guard (CFG) is an exploit mitigation technique that Microsoft enabled in Windows 8.1 Update 3 and Windows 10 technical preview. CFG checks the target of indirect call and raises an exception if the target is invalid, thus preventing a vital step of many exploit techniques. This talk analyses the weak-point of CFG and presents a new technique that can be used to bypass CFG comprehensively and make the prevented exploit techniques exploitable again. Furthermore, this technique is based on a generic capability, thus more exploit techniques can be developed from that capability.

Steven Ulm 8 months, 1 week ago

Short but comprehensive. The Control Flow Guard has a lot of vulnerabilities in my opinion - faced with problems several times already....