Search found 6 matches

by jakeads
Fri Mar 19, 2021 6:47 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Re: Intel's CET Shadow Stack issue

I have verified this issue has been fixed.

Thanks.
by jakeads
Thu Mar 18, 2021 3:19 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Re: Intel's CET Shadow Stack issue

Good news, but my subscription has expired.

Would you send a test program to verify?

You can make the test program like this.
Create an "sc.exe" process and inject the DLL which hooks the NtTerminateProcess API.
by jakeads
Wed Mar 10, 2021 11:43 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Re: Intel's CET Shadow Stack issue

Yes, I think only RET. Windows seems to support Shadow Stack, not Indirect Branch Tracking of CET. Control-flow Enforcement Technology (CET) provides the following capabilities to defend against ROP/JOP style control-flow subversion attacks: Shadow Stack – return address protection to defend again...
by jakeads
Wed Mar 10, 2021 1:40 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Re: Intel's CET Shadow Stack issue

I don't see anything about CALL and JMP instructions being watched in the first link. Yes, CALL instructions get special handling, but only for the purpose of "filling" the shadow stack, so that the RET return address can be verified successfully. Other than that, I don't see any special ...
by jakeads
Tue Mar 09, 2021 2:37 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Re: Intel's CET Shadow Stack issue

Currently, only critical processes seem to be activated. But some svchost are activated and others are disabled. https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257465iC3F558E0B3ADE6FD/image-size/large?v=1.0&px=999 To enable shadow stack enforcement statically, you need to compi...
by jakeads
Mon Mar 08, 2021 5:15 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200065

Intel's CET Shadow Stack issue

In Windows 10 2004 (19041.622) on an 11th Gen Intel CPU, when I call the next hook inside my callback function in a 64-bit native Windows process (sc.exe, svchost.exe, ..), the process crashed with C0000409 (Security check failure or Stack buffer overrun). I verified it is Hardware-enforced Stack Protection. ht...