
[ Research on RFG (Return Flow Guard) in Windows 10 x64 ] 5

franket
Published 2022-06-29 16:46:12
Article collected in the column: Tech Notes (技术杂记)
A guess like this, however, only guarantees that we find the boundary of one "shadow stack"; it does not tell us which thread's shadow stack corresponds to the vulnerability you want to exploit. Ideally, of course, you would modify all of the "shadow stacks", so that the shellcode runs when the vulnerability triggers and the process then crashes very "ideally".

Let us continue with the builds after 14986. Starting with 15002, Microsoft changed the "shadow stack" memory region, and Edge also began to support RFG protection. Overall, the 512 GB "shadow stack" memory region became a single reserved region, rather than the independent, bounded "shadow stack" regions seen above. As a result, NtQueryVirtualMemory/VirtualQueryEx and other tools only show one whole region, and we cannot tell the memory layout inside it. See the layout below, taken from Edge in build 15002:
 

"Process:"	"MicrosoftEdgeCP.exe"
"PID:"	"6100"

"Type"	"Size"	"Committed"	"Private"	"Total WS"	"Private WS"	"Shareable WS"	"Shared WS"	"Locked WS"	"Blocks" 	
"Total"	"2,718,077,236"	"119,620"	"5,632"	"24,340"	"4,996"	"19,344"	"19,308"	""	"617"	""
"Image"	"95,100"	"95,100"	"1,896"	"19,388"	"1,544"	"17,844"	"17,808"	""	"393"	"24,504"
"Mapped File"	"4,080"	"4,080"	""	"352"	""	"352"	"352"	""	"2"	"3,292"
"Shareable"	"2,147,513,376"	"16,640"	""	"1,364"	"224"	"1,140"	"1,140"	""	"106"	"2,147,483,648"
"Heap"	"4,304"	"1,276"	"1,212"	"1,208"	"1,204"	"4"	"4"	""	"37"	"1,024"
"Managed Heap"	""	""	""	""	""	""	""	""	""	""
"Stack"	"17,408"	"424"	"424"	"216"	"216"	""	""	""	"51"	"1,024"
-------------------------------
"Private Data"	"570,438,044"	"512"	"512"	"224"	"220"	"4"	"4"	""	"28"	"536,870,912"
-------------------------------
"Page Table"	"1,588"	"1,588"	"1,588"	"1,588"	"1,588"	""	""	""	""	""
"Unusable"	"3,336"	""	""	""	""	""	""	""	""	"60"
"Free"	"134,720,877,760"	""	""	""	""	""	""	""	"51"	"131,739,939,968"

"Address"	"Type"	"Size"	"Committed"	"Private"	"Total WS"	"Private WS"	"Shareable WS"	"Shared WS"	"Locked WS"	"Blocks"	"Protection"	"Details"	
"000000007FFE0000"	"Private Data"	"4"	"4"	"4"	"4"	""	"4"	"4"	""	"1"	"Read"	""
"  000000007FFE0000"	"Private Data"	"4"	"4"	"4"	"4"	""	"4"	"4"	""	""	"Read"	""
"000000007FFE1000"	"Private Data"	"60"	""	""	""	""	""	""	""	"1"	"Reserved"	""
"  000000007FFE1000"	"Private Data"	"60"	""	""	""	""	""	""	""	""	"Reserved"	""
"0000006435A00000"	"Private Data"	"2,048"	"140"	"140"	"140"	"140"	""	""	""	"3"	"Read/Write"	"Thread Environment Block ID: 6104"
"  0000006435A00000"	"Private Data"	"956"	""	""	""	""	""	""	""	""	"Reserved"	"Thread Environment Block ID: 6104"
"  0000006435AEF000"	"Private Data"	"140"	"140"	"140"	"140"	"140"	""	""	""	""	"Read/Write"	"Thread Environment Block ID: 6104"
"  0000006435B12000"	"Private Data"	"952"	""	""	""	""	""	""	""	""	"Reserved"	"Thread Environment Block ID: 6104"
...
"  000001C6BD4C0000"	"Private Data"	"4"	"4"	"4"	"4"	"4"	""	""	""	""	"Read/Write"	""
"000001C6BD4D0000"	"Private Data"	"4"	"4"	"4"	"4"	"4"	""	""	""	"1"	"Read/Write"	""
"  000001C6BD4D0000"	"Private Data"	"4"	"4"	"4"	"4"	"4"	""	""	""	""	"Read/Write"	""
"000001C6BD620000"	"Private Data"	"128"	"128"	"128"	"4"	"4"	""	""	""	"1"	"Read/Write"	""
"  000001C6BD620000"	"Private Data"	"128"	"128"	"128"	"4"	"4"	""	""	""	""	"Read/Write"	""
"000001C6BF400000"	"Private Data"	"33,554,432"	"12"	"12"	""	""	""	""	""	"7"	"Read/Write"	""
"  000001C6BF400000"	"Private Data"	"465,652"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001CEBF601000"	"Private Data"	"8,188"	""	""	""	""	""	""	""	""	"Reserved"	""
"000001CEBFE00000"	"Private Data"	"1,024"	"4"	"4"	"4"	"4"	""	""	""	"2"	"Read/Write"	""
"  000001CEBFE00000"	"Private Data"	"4"	"4"	"4"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001CEBFE01000"	"Private Data"	"1,020"	""	""	""	""	""	""	""	""	"Reserved"	""
----------------------------------------------------
"00007A0000000000"	"Private Data"	"536,870,912"	""	""	""	""	""	""	""	"1"	"Reserved"	""
"  00007A0000000000"	"Private Data"	"536,870,912"	""	""	""	""	""	""	""	""	"Reserved"	""
----------------------------------------------------
"00007FFFFFFE0000"	"Private Data"	"64"	""	""	""	""	""	""	""	"1"	"Reserved"	""
"  00007FFFFFFE0000"	"Private Data"	"64"	""	""	""	""	""	""	""	""	"Reserved"	""
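To pick that single reservation out of such an export, the following parser (an added example, not code from the original article) reads VMMap's tab-separated output, flags top-level reserved Private Data regions of exactly 512 GB, and confirms that no committed sub-blocks are visible inside them. The sample rows are constructed from the layout above, and the 512 GB size is the only assumption made about the reservation.

```python
import csv
import io
from dataclasses import dataclass

# VMMap reports sizes in KB; 512 GB is the reservation size the article describes.
SHADOW_STACK_RESERVE_KB = 512 * 1024 * 1024  # 536,870,912

# Constructed sample in VMMap's tab-separated, quoted "Address" export format.
# An indented address marks a sub-block of the top-level region listed before it.
SAMPLE_EXPORT = (
    '"Address"\t"Type"\t"Size"\t"Committed"\t"Private"\t"Total WS"\t"Private WS"\t'
    '"Shareable WS"\t"Shared WS"\t"Locked WS"\t"Blocks"\t"Protection"\t"Details"\n'
    '"0000006435A00000"\t"Private Data"\t"2,048"\t"140"\t"140"\t"140"\t"140"\t""\t""\t""\t"3"\t"Read/Write"\t"Thread Environment Block ID: 6104"\n'
    '"  0000006435A00000"\t"Private Data"\t"956"\t""\t""\t""\t""\t""\t""\t""\t""\t"Reserved"\t"Thread Environment Block ID: 6104"\n'
    '"  0000006435AEF000"\t"Private Data"\t"140"\t"140"\t"140"\t"140"\t"140"\t""\t""\t""\t""\t"Read/Write"\t"Thread Environment Block ID: 6104"\n'
    '"00007A0000000000"\t"Private Data"\t"536,870,912"\t""\t""\t""\t""\t""\t""\t""\t"1"\t"Reserved"\t""\n'
    '"  00007A0000000000"\t"Private Data"\t"536,870,912"\t""\t""\t""\t""\t""\t""\t""\t""\t"Reserved"\t""\n'
    '"00007FFFFFFE0000"\t"Private Data"\t"64"\t""\t""\t""\t""\t""\t""\t""\t"1"\t"Reserved"\t""\n'
)

@dataclass
class Region:
    address: int
    is_sub_block: bool
    kind: str
    size_kb: int
    committed_kb: int
    protection: str
    details: str

def _kb(field: str) -> int:
    """VMMap prints sizes as "536,870,912" (KB) or "" when not applicable."""
    return int(field.replace(",", "")) if field else 0

def parse_vmmap_export(text: str) -> list[Region]:
    regions = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        addr = row["Address"]  # leading spaces survive quoting and mark a sub-block
        regions.append(Region(int(addr, 16), addr.startswith(" "), row["Type"],
                              _kb(row["Size"]), _kb(row["Committed"]),
                              row["Protection"], row["Details"]))
    return regions

def shadow_stack_candidates(regions: list[Region]) -> list[int]:
    """Top-level reserved Private Data regions of exactly 512 GB: from build 15002 on,
    this single reservation is all an address-space dump shows of the shadow stacks."""
    return [r.address for r in regions
            if not r.is_sub_block and r.kind == "Private Data"
            and r.protection == "Reserved" and r.size_kb == SHADOW_STACK_RESERVE_KB]

def committed_inside(regions: list[Region], base: int) -> list[Region]:
    """Committed sub-blocks inside the top-level region at `base`; empty for the
    512 GB reservation, whose inner layout the tools cannot see."""
    size_kb = next(r.size_kb for r in regions if r.address == base and not r.is_sub_block)
    end = base + size_kb * 1024
    return [r for r in regions if r.is_sub_block and base <= r.address < end and r.committed_kb > 0]
```

Running it against the sample flags only 0x7A0000000000, while the ordinary thread stack at 0x6435A00000 shows its committed sub-block as expected.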

This article is a repost.

