JIT Spraying Never Dies
The Weakness of WARP Shader JIT Engine (cont'd)

• No Randomization of JIT Page Allocation and Code Generation
  – The WARP JIT code page is allocated by kernel32!VirtualAlloc with the MEM_TOP_DOWN flag. As a result, repeated JIT calls eventually produce contiguous RX pages at the high end of the address space. After spraying a large enough region (about 19M), certain addresses become stable and predictable.
  – The same Shader always generates the same JITed code on the same OS (i.e. the same version of WARP).
• No CFG for JITed Code
  – All bits in the CFG bitmap are set by default, meaning any address in a JIT code page is treated as a valid call target.
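The footprint this slide describes (many adjacent RX pages accumulating at the top of the address space until a large contiguous run exists) is something a defender can look for in a process's memory map. The script below is an added example, not code from the talk: it merges adjacent executable regions into runs and flags any run at or above the 19 MB figure the slide gives. The region records are constructed inline to mimic what a VirtualQueryEx walk returns (base, size, protection), so the script runs offline on any platform; feeding it a real memory map is left as an assumption.

```python
"""Heuristic for large contiguous executable runs, the shape left behind by
top-down JIT page spraying as described on the slide.

Constructed example: the region records below are built inline and stand in
for the output of a VirtualQueryEx walk, which is not performed here.
"""
from dataclasses import dataclass

# Windows memory protection / state constants (real values from winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000

EXECUTABLE_PROTECTS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                       PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Threshold taken from the slide: about 19M of sprayed pages makes addresses stable.
SPRAY_THRESHOLD_BYTES = 19 * 1024 * 1024


@dataclass
class Region:
    """One committed memory region, as a VirtualQueryEx walk would report it."""
    base: int
    size: int
    protect: int
    state: int = MEM_COMMIT


@dataclass
class Run:
    """A maximal run of address-adjacent executable regions."""
    base: int
    size: int
    region_count: int

    @property
    def end(self) -> int:
        return self.base + self.size


def is_executable(r: Region) -> bool:
    return r.state == MEM_COMMIT and r.protect in EXECUTABLE_PROTECTS


def merge_executable_runs(regions) -> list:
    """Sort regions by base and merge executable ones that touch end-to-start.

    A non-executable region between two executable ones leaves an address gap,
    so the two sides stay separate runs without any special handling.
    """
    runs = []
    for r in sorted(regions, key=lambda r: r.base):
        if not is_executable(r):
            continue
        if runs and runs[-1].end == r.base:
            runs[-1].size += r.size
            runs[-1].region_count += 1
        else:
            runs.append(Run(r.base, r.size, 1))
    return runs


def find_spray_candidates(regions, min_run_bytes=SPRAY_THRESHOLD_BYTES) -> list:
    """Return executable runs large enough to match the slide's spray footprint."""
    return [run for run in merge_executable_runs(regions) if run.size >= min_run_bytes]


def build_sample_regions() -> list:
    """Constructed 32-bit process map: a module, a heap, a modest JIT area,
    and 320 adjacent 64 KB RX allocations (20 MB) handed out top-down."""
    regions = [
        Region(0x00400000, 0x00100000, PAGE_EXECUTE_READ),   # main module .text
        Region(0x00500000, 0x00200000, PAGE_READWRITE),       # ordinary heap
    ]
    for i in range(32):                                       # 2 MB of JIT code: benign size
        regions.append(Region(0x10000000 + i * 0x10000, 0x10000, PAGE_EXECUTE_READWRITE))
    top = 0x7FF00000                                          # MEM_TOP_DOWN fills downward
    for i in range(320):
        regions.append(Region(top - (i + 1) * 0x10000, 0x10000, PAGE_EXECUTE_READ))
    return regions


SAMPLE_REGIONS = build_sample_regions()

if __name__ == "__main__":
    for run in merge_executable_runs(SAMPLE_REGIONS):
        flag = "SPRAY?" if run.size >= SPRAY_THRESHOLD_BYTES else "ok"
        print(f"{run.base:#010x}-{run.end:#010x} {run.size >> 20:3d} MB "
              f"({run.region_count} regions) {flag}")
```

The merge step is what makes the check useful: each sprayed allocation is only 64 KB and looks unremarkable on its own, and only the accumulated adjacent run reveals the pattern. On a real system the same logic applies to the regions returned by a VirtualQueryEx walk; the threshold should be tuned against the JIT footprint normal workloads produce, since browsers and runtimes legitimately carry several megabytes of executable JIT code.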