
Let's talk about protections in the kernel first. The scariest one, the one that you can still bypass, is VBS, virtualization-based security. It comes from the hypervisor: hypervisor-protected code integrity, known as memory integrity. What it basically does: if you are talking about vanilla stack overflows, you always want to push shellcode onto the stack, mark the stack as executable, and then run it from there. Right? So you want to have write and execute permissions. Right? In the simplest terms, what the hypervisor does is that you can have a memory section either writable or executable. Right? So you
cannot have both. So it isolates and enforces the code integrity policy for the kernel, enabled by default on many Windows 11 systems. Then you have enforced stack protection, that is control flow, and all of these protections get mixed together. So you have control flow, which is basically checking that the flow is similar, the same as what you have in user mode, and then you have the shadow stack in kernel mode. I think there is something similar in user mode as well, but basically the shadow stack is keeping a shadow copy of the stack you are using and then comparing the returns of the flow, and if they don't match, then blue screen of
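As an added illustration of the shadow-stack check the speaker describes (this is not code from the talk, and the addresses and function names are constructed), a toy C model: return addresses are pushed to both a data stack and a shadow stack on call and compared on return, so an overwritten return address is detected instead of followed.

```c
#include <stdint.h>
#include <stdbool.h>
/* Toy model of a kernel shadow stack (constructed illustration; real CPUs do
 * this in hardware and the kernel bugchecks on a mismatch). */
#define STACK_DEPTH 16
typedef struct {
    uintptr_t frames[STACK_DEPTH];  /* return addresses on the normal stack */
    uintptr_t shadow[STACK_DEPTH];  /* protected copies on the shadow stack */
    int depth;
} toy_stacks;
typedef enum { RET_OK, RET_EMPTY, RET_MISMATCH } ret_status;

/* CALL: push the return address to both stacks. */
bool toy_call(toy_stacks *s, uintptr_t return_addr) {
    if (s->depth >= STACK_DEPTH) return false;
    s->frames[s->depth] = s->shadow[s->depth] = return_addr;
    s->depth++;
    return true;
}

/* A stack-smashing write reaches only the data stack; ordinary stores
 * cannot modify shadow-stack pages. */
void toy_corrupt_top_frame(toy_stacks *s, uintptr_t value) {
    if (s->depth > 0) s->frames[s->depth - 1] = value;
}

/* RET: pop both copies and compare. A mismatch is the case the talk
 * describes: the hardware faults and the kernel bugchecks (blue screen). */
ret_status toy_ret(toy_stacks *s, uintptr_t *target) {
    if (s->depth == 0) return RET_EMPTY;
    s->depth--;
    if (s->frames[s->depth] != s->shadow[s->depth]) return RET_MISMATCH;
    *target = s->frames[s->depth];
    return RET_OK;
}

/* Scenarios with constructed addresses: a clean call/return, and one where
 * the saved return address was overwritten before the return. */
ret_status scenario_clean(void) {
    toy_stacks s = {0}; uintptr_t t = 0;
    toy_call(&s, 0x401000);
    return toy_ret(&s, &t);
}
ret_status scenario_smashed(void) {
    toy_stacks s = {0}; uintptr_t t = 0;
    toy_call(&s, 0x401000);
    toy_corrupt_top_frame(&s, 0x41414141);
    return toy_ret(&s, &t);
}
```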