PreviousMode Manipulation
Overwriting KTHREAD.PreviousMode to bypass user/kernel boundary checks.
Description
ExGetPreviousMode() returns the PreviousMode field of the current KTHREAD structure, which records whether the current system call originated from user mode or kernel mode. If an attacker can overwrite this field with KernelMode (0), subsequent ProbeForRead/ProbeForWrite calls on that thread become no-ops, and the kernel handles the thread's system calls as though they were issued from kernel mode, so user-supplied pointers into kernel address space are no longer rejected.
Related CVEs
| CVE | Driver | Description |
|---|---|---|
| CVE-2024-26229 | csc.sys | Missing access check allows EoP |
AutoPiff Detection
- previous_mode_gating_added
- access_mode_enforcement_added