Control Flow Guard (CFG) is an exploit mitigation technique that Microsoft enabled in Windows 8.1 Update 3 and Windows 10 technical preview. CFG checks the target of indirect call and raises an exception if the target is invalid, thus preventing a vital step of many exploit techniques.
This talk analyses the weak-point of CFG and presents a new technique that can be used to bypass CFG comprehensively and make the prevented exploit techniques exploitable again. Furthermore, this technique is based on a generic capability, thus more exploit techniques can be developed from that capability.
Yunhai Zhang is a security researcher of NSFOCUS security team. He has worked on computer security for 10 years. He won the Microsoft Mitigation Bypass Bounty in 2014.