Closed gabriellandau closed 8 months ago
It's possible to reset the MEMORY_WORKING_SET_EX_INFORMATION.Shared bit, hiding the fact that a memory region is CoW. Microsoft accounted for this when implementing module tampering protection. Moneta can easily do the same.
MEMORY_WORKING_SET_EX_INFORMATION.Shared
Example bypass: https://x.com/KlezVirus/status/1758428205285785698?s=20 That bypass doesn't defeat SharedOriginal: https://x.com/ilove2pwn_/status/1724176577506722150?s=20
SharedOriginal
Here is this branch (left) detecting a bypass that v1.0 (right) doesn't:
v1.0
It's possible to reset the
MEMORY_WORKING_SET_EX_INFORMATION.Sharedbit, hiding the fact that a memory region is CoW. Microsoft accounted for this when implementing module tampering protection. Moneta can easily do the same.Example bypass: https://x.com/KlezVirus/status/1758428205285785698?s=20 That bypass doesn't defeat
SharedOriginal: https://x.com/ilove2pwn_/status/1724176577506722150?s=20Here is this branch (left) detecting a bypass that
v1.0(right) doesn't: