Exploit Mitigations

SMEP

Will cause 0x000000fc ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY, depends on hardware to avoid executing userland pages from kernel land. Watch: https://www.abatchy.com/2018/01/kernel-exploitation-4.

KeCheckStackAndTargetAddress

Win10 build 15063+ calls KeCheckStackAndTargetAddress() to check current rsp and context rsp to be in the range of PsGetCurrentThread's stack limits

Last updated