can1357
commented
4 years ago "We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"
Refer to https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L289. We need a write what where but it needs to be aligned by 16 bytes due to "movaps" instruction. So we pad the actual ROP gadgets with RETN.
You have disabled cpu smep
We wrote a "working" CR4 in https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L343, which doesnt necessarily need to be equal to actual CR4 system uses so we restore the original.
Waterman178
"We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"
I didn’t understand this paragraph.
Another question: `NON_PAGED_CODE void KernelShellcode() { __writedr( 7, 0 );
}` You have disabled cpu smep, why disable smep again in KernelShellcode? In addition, the operating system automatically restores smep every time a thread switch occurs(KiSwapContext). At this point, when your thread starts executing the remaining instructions, an exception will be thrown.