6/24/2016

Documenting the Undocumented: Adding CFG Exceptions - Breaking Malware

For those who would like to get better acquainted with CFG internals I recommend looking into the following
reading material:
Exploring Control Flow Guard in Windows 10 – http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
Windows 10 Control Flow Guard Internals – http://www.powerofcommunity.net/poc2014/mj0011.pdf

It Always Starts with a Crash
I was working on a completely different project (a new Windows code injection technique which I will be posting
about in the coming weeks so stay tuned!) when I encountered CFG, which meant I had one more hurdle to
jump over.
I was able to successfully inject code into various 3rd party applications, such as VLC and Chrome; but when I
tried to inject code into mspaint.exe (on Windows 10 mspaint.exe is compiled with CFG support, while VLC and
Chrome are not), the application crashed.

[Figure 2: Hijacking Remote Thread (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-2-Hijacking-Remote-Thread.png)]
And this was the result:

http://breakingmalware.com/documentation/documenting-undocumented-adding-control-flow-guard-exceptions/
