Known address of modprobe\_path (unaffected by FG-KASLR)
Known address of kpti\_trampoline (unaffected by FG-KASLR)
Arbitrary Write
We can write to modprobe_path the path of our own shellscript and then execute a file with unknown signature to trigger it. This technique bypasses SMEP/SMAP.