@epakskape Apparently CreateRemoteThread is now covered by CFG?
When I do CreateRemoteThread(..., 0x41414141, ....) in cmd.exe [10.0.16299.19], I no longer get STATUS_ACCESS_VIOLATION, but STATUS_STACK_BUFFER_OVERRUN instead.
Unfortunately, I didn't save it. I started using it in BugId to break into the debugger because I was unable to reliably distinguish a breakpoint caused by the application from one caused by DebugBreakProcess.
CreateRemoteThread gives you the thread id and I knew what exception to expect (AV), so I could easily distinguish it from other exceptions caused by the application itself. Crude but effective. Recently this broke when CFG started interfering; I do not know when exactly.
I was just curious what real-life attack this would mitigate, as I could not think of anything that does not involve a catch-22 of having to execute code to execute code... except perhaps sandbox escapes? Anyway, thanks for confirming!
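The probe the thread describes, reduced to a script you can run yourself. This is an added example, not code from the thread participants or from BugId: it starts a fresh cmd.exe, calls CreateRemoteThread with the same bogus start address (0x41414141) and, instead of catching the exception in a debugger, lets the unhandled exception kill the child and reads the NTSTATUS back from the process exit code. The function name, the CfgProbe P/Invoke namespace and the 5-second timeout are my own; the script assumes Windows PowerShell 5.1 or later on Windows 10, run as the same user that owns the child, so no elevation is needed. Which status you see depends on the build, exactly as the thread reports: 0xC0000005 where the start address is simply dereferenced, 0xC0000409 where CFG's fast-fail fires first.

```powershell
# Added example, not from the thread: report which NTSTATUS a CFG-enabled target
# dies with when a remote thread is started at an address CFG does not allow.
$k32 = Add-Type -Namespace 'CfgProbe' -Name 'Kernel32' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr CreateRemoteThread(
    IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize,
    IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags,
    out uint lpThreadId);
'@

function Test-RemoteThreadStatus {
    param(
        [string]$TargetExe = "$env:SystemRoot\System32\cmd.exe",
        [int64]$BogusStart = 0x41414141   # same invalid start address as in the thread
    )

    # Start the target ourselves: the handle .NET hands back for a process it
    # created carries full access, so CreateRemoteThread needs no OpenProcess.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $TargetExe
    $psi.UseShellExecute = $false
    $psi.CreateNoWindow = $true
    $psi.RedirectStandardInput = $true   # a hidden cmd.exe blocks on stdin instead of exiting
    $proc = [System.Diagnostics.Process]::Start($psi)
    Start-Sleep -Milliseconds 500        # give the loader a moment before injecting

    [uint32]$tid = 0
    $hThread = $k32::CreateRemoteThread($proc.Handle, [IntPtr]::Zero, 0,
        [IntPtr]$BogusStart, [IntPtr]::Zero, 0, [ref]$tid)
    if ($hThread -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $proc.Kill()
        throw "CreateRemoteThread failed, Win32 error $err"
    }

    # With no debugger attached, the faulting thread takes the whole process down
    # and the exit code is the NTSTATUS of the unhandled exception.
    if (-not $proc.WaitForExit(5000)) {
        $proc.Kill()
        throw "Target survived the bogus thread (thread id $tid); expected a crash"
    }
    $status = [uint32]($proc.ExitCode -band 0xFFFFFFFF)
    $meaning = switch ($status) {
        0xC0000005 { 'STATUS_ACCESS_VIOLATION: start address was dereferenced as code' }
        0xC0000409 { 'STATUS_STACK_BUFFER_OVERRUN: CFG fast-fail before the call' }
        default    { 'unexpected status' }
    }
    [pscustomobject]@{
        ThreadId = $tid
        Status   = ('0x{0:X8}' -f $status)
        Meaning  = $meaning
    }
}

Test-RemoteThreadStatus
```

The thread id returned through the out parameter is the same value the thread relies on to match the expected exception against the right thread under a debugger; here it only serves the error message, because without a debugger the exception is never delivered anywhere a script can inspect it, and the exit code is the only observable. If you attach a debugger first (as BugId does), expect the exception event rather than a process exit, and expect its code to be whichever of the two statuses this script prints for that build.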