пятница, 9 октября 2015 г.

using CFG on more old windows

As you may know support for CodeFlow Guard exists only since windows 10. But it seems that you still can gain some profit from CFG on more old versions of windows (for example in fuzzers/honeypots)

1) you need inject your code in target process
2) you must check if CFG presents in your target module. It seems that MS linker has a bug - DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size eq 0x40. but IMAGE_LOAD_CONFIG_DIRECTORY.Size contains right value
3) you must just patch pointer in *(IMAGE_LOAD_CONFIG_DIRECTORY.GuardCFCheckFunctionPointer) to your handler. Prototype of handler:
void __fastcall my_check_icall(PBYTE addr)
4) now you can check addr parameter. One possible check - just see if this addr located in some loaded module, so you can traverse on PEB_LDR_DATA

Have fun !