This blog post is part two of Bypassing Control Flow Guard in Windows 10. It is also the result of some research I did back in July of 2016, but had not had the opportunity to publish until now. The same Internet Explorer vulnerability is used, with the same original proof of concept by Theori. This blog post presents another method of bypassing CFG, which still works on Internet Explorer but not in Microsoft Edge, because Edge suppresses the APIs it relies on. It is assumed that the reader has read the previous blog post, so the details of CFG are not explained again, and I jump right to the point of having an arbitrary read/write primitive.

Looking for Another CFG Bypass

In the last blog post I leaked the registers, including a stack pointer, thus allowing me to overwrite the return address of the write primitive. Another generic approach to bypassing CFG would be to start a ROP chain where the first gadget comes from a DLL that is compiled without CFG. This method works because the entries of the CFG validation bitmap that cover a module compiled without CFG mark every address in that module as a valid call target. The problem, however, is that Microsoft has compiled all the modules loaded by Internet Explorer and Microsoft Edge with CFG. If some plugin or third-party application is installed that has a module loaded in the process, and that module is compiled without CFG, then that would be an attack vector. I wanted to find a native way to do it without relying on any third-party modules. This then raises the question: are all native modules in C:\Windows\System32 compiled with CFG? The answer is actually no, not by a long shot. To find the non-CFG-compiled native modules I wrote the following Python script:
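The author's script did not survive on this page. As an added example (my own code, not the author's), the following audit script reads the `DllCharacteristics` field of each PE optional header and reports which DLLs and EXEs under a directory were linked without `/guard:cf`; the same check is useful on the defensive side for inventorying CFG coverage. The `build_stub_pe` helper produces constructed, non-loadable header bytes so the check can be exercised offline.

```python
import os
import struct
import sys

# Linker sets this bit in IMAGE_OPTIONAL_HEADER.DllCharacteristics for /guard:cf
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def has_cfg(data: bytes) -> bool:
    """Return True if the PE header in `data` carries the GUARD_CF flag.

    Only the fields needed are parsed: e_lfanew from the DOS header, the
    PE signature, then DllCharacteristics at offset 70 of the optional
    header (the offset is the same for PE32 and PE32+ layouts).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 72:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not loadable) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def scan_directory(root: str):
    """Yield (path, has_cfg) for each .dll/.exe under root; unparsable files are skipped."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    yield path, has_cfg(f.read(0x2000))  # headers fit in the first 8 KiB
            except (OSError, ValueError):
                continue


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for path, cfg in scan_directory(root):
        if not cfg:
            print(path)
```

Run it as `python cfg_audit.py C:\Windows\System32` on a Windows host to list the modules that lack the flag; the path argument is optional and defaults to System32.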