eXtended Flow Guard Under The Microscope

Microsoft seems to be continuously expanding and evolving its set of mitigations designed and implemented for 10. In this blog post, we’ll examine an upcoming security called eXtended Flow Guard (XFG).

XFG has not yet been released, and will not be part of the upcoming 21H1 version of Windows 10. It is, however, present in the Dev Channel of the insider preview1. At this time, the only public mention of XFG by Microsoft was in 2019 at Bluehat Shanghai2.

Although XFG has not been released yet, it is nevertheless possible to compile applications with XFG using Visual Studio 2019 Preview while targeting the insider preview version of Windows 10. A few blog posts on how XFG works have been released3, but these mainly consider how XFG can be compiled into a custom application rather than examining common exploitation scenarios in depth.

The aim of this blog post is to cast more light on whether XFG is truly a more secure and hardened version of Control Flow Guard (CFG). We’ll get started with a short recap on how both CFG and XFG work.

Setting The Baseline

CFG was introduced with Windows 10 in 2015 and has undergone

Read More: https://www.offensive-security.com/offsec/extended-flow-guard/