22.09.2016

JIT Spraying Never Dies - Bypass CFG By Leveraging WARP Shader JIT Spraying


The Weakness of WARP Shader JIT Engine (cont'd)

• No Randomization of JIT Page Allocation and Code Generation
– The WARP JIT code page is allocated by kernel32!VirtualAlloc with the MEM_TOP_DOWN flag. As a result, repeated JIT calls eventually produce contiguous RX pages at the high end of the address space. After spraying a large enough region (about 19M), certain addresses become stable and predictable.
– The same shader always generates the same JITed code on the same OS (i.e. the same version of WARP).
• No CFG for JITed Code
– All bits in the CFG bitmap are set by default, meaning any address in a JIT code page is treated as a valid call target.
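Added example, not from the original slides: a defender-side heuristic built on the observation above. It walks a constructed VirtualQuery-style memory map, merges adjacent committed private executable regions, and flags any contiguous run that is large enough (the slides' figure of about 19M) and starts in the top part of user space, where MEM_TOP_DOWN allocations accumulate. The region encoding, the cutoff fraction and the sample map are assumptions made for the example.

```python
# Added example, not from the original slides: a JIT-spray footprint heuristic
# over a process memory map. Region fields mirror what VirtualQuery returns.
from collections import namedtuple

MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
USER_SPACE_END = 0x7FFE0000          # last usable address of a 32-bit user process
SPRAY_MIN_BYTES = 19 * 1024 * 1024   # size the slides say makes addresses predictable
ONE_MB = 0x100000

Region = namedtuple("Region", "base size state protect mem_type")


def is_private_exec(r):
    """Committed, non-image (i.e. dynamically generated) executable memory."""
    return (r.state == MEM_COMMIT and r.mem_type == MEM_PRIVATE
            and r.protect in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE))


def contiguous_exec_runs(regions):
    """Merge adjacent private executable regions into [start, end) runs."""
    runs = []
    for r in sorted(regions, key=lambda x: x.base):
        if not is_private_exec(r):
            continue
        if runs and runs[-1][1] == r.base:   # touches the previous run: extend it
            runs[-1] = (runs[-1][0], r.base + r.size)
        else:
            runs.append((r.base, r.base + r.size))
    return runs


def find_spray_candidates(regions, min_bytes=SPRAY_MIN_BYTES, top_fraction=0.25):
    """Runs of at least min_bytes that start in the top `top_fraction` of user
    space, the zone that MEM_TOP_DOWN allocations fill first."""
    cutoff = int(USER_SPACE_END * (1 - top_fraction))
    return [(s, e) for s, e in contiguous_exec_runs(regions)
            if e - s >= min_bytes and s >= cutoff]


# Constructed map: main image, a heap, one small legitimate JIT block, and
# twenty adjacent 1 MB private RX regions ending at the top of user space.
SAMPLE_MAP = [
    Region(0x00400000, 0x80000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
    Region(0x00600000, 0x200000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x10000000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE),
] + [Region(USER_SPACE_END - (20 - i) * ONE_MB, ONE_MB, MEM_COMMIT,
            PAGE_EXECUTE_READ, MEM_PRIVATE) for i in range(20)]

if __name__ == "__main__":
    for s, e in find_spray_candidates(SAMPLE_MAP):
        print(f"suspicious private RX run {s:#010x}-{e:#010x} ({(e - s) // ONE_MB} MB)")
```

On a live process the same logic applies to the output of VirtualQueryEx, and any run it flags is exactly the memory whose CFG bitmap bits are set wholesale, so it deserves a closer look.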
