From 190fc90e65adc9a8e73c62dd11559be0db6b2587 Mon Sep 17 00:00:00 2001 From: katlogic Date: Mon, 1 Aug 2016 16:56:44 +0200 Subject: [PATCH 1/2] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e95b4b1..0376147 100644 --- a/README.md +++ b/README.md @@ -117,9 +117,8 @@ policy with whatever we want. There are some differences too: * Custom signed driver 0day is used. * 32bit support (Win8+ secureboot). -* It can actually coexist with vbox, does not depend on VT support in CPU - and it even triggers if the driver is already present as we try to load it - under different name. +* Can coexist with vmware/vbox as the exploit is not based on those (and hence + does not need CPU with VT support either). * The vulnerable driver is WHQL signed, so it works even on systems restricted to WHQL via secureboot env. * We automate `reset ci_Options` -> `load unsigned` -> `ci_Options restore` From 8096e3e09abc30c595a105794fd53f692e57fd47 Mon Sep 17 00:00:00 2001 From: katlogic Date: Mon, 1 Aug 2016 16:58:28 +0200 Subject: [PATCH 2/2] Update README.md explain prot flags --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0376147..dc32a6c 100644 --- a/README.md +++ b/README.md 
@@ -100,10 +100,12 @@ buffer in bytes, including terminating zeros. `WIND_IOCTL_PROT` - set/unset process protection. buffer points to `wind_prot_t` typed buffer. -`buf->pid` - set to pid you want to change protection flags for. -`buf->prot` - contents of this struct are copied to process protection flags, -but original protection flags of process will be returned back in the same -buffer - ie contents will be swapped. +* `buf->pid` - set to pid you want to change protection flags for. +* `buf->prot` - contents of this struct are copied to process protection flags, + but original protection flags of process will be returned back in the same + buffer - ie contents will be swapped. + +To unprotect a process, just clear all its flags - bzero(&buf->prot). You can re-protect a process after you're done with it, simply by calling the ioctl again with same buffer (it holds the original flags) and the `buf->prot`
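Review bot: `bzero(&buf->prot)` in the added "To unprotect a process" line of the `@@ -100,10 +100,12 @@` hunk is not a valid call, since `bzero` takes a second length argument; write it as `memset(&buf->prot, 0, sizeof(buf->prot));` (or `bzero(&buf->prot, sizeof(buf->prot));`) and wrap it in backticks like the other identifiers in this section. Because the preceding bullet says the contents are swapped, it is also worth adding one clause to that line saying the zeroed buffer now holds the original flags, so the caller must keep it untouched for the re-protect call described in the next paragraph.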
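Review bot: the rewritten bullet in the `@@ -117,9 +117,8 @@` hunk of the first commit drops the removed lines' statement that the exploit "even triggers if the driver is already present as we try to load it under different name"; that is an operationally useful detail for systems that already have the vulnerable driver installed and is not covered by the new vmware/vbox wording. If it still holds, keep it as its own bullet, e.g. `* Triggers even if the driver is already loaded, since we load it under a different name.`; also, "does not need CPU with VT support" should read "does not need a CPU with VT support".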