This is a generic mitigation bypass technique for Windows kernel exploitation. It requires a kernel mode vulnerability that gives some control over values at arbitrary virtual addresses; when triggered, it enables a full, generic bypass of SMEP, KASLR and DEP at once. In my PoC I relied on a vulnerable driver I wrote (http://bit.ly/2TDvOzp) which exposes a write-what-where vulnerability.
It relies on a deterministic procedure for deducing the PTE address of any virtual address; the technique describes such a procedure, and the procedure itself requires no vulnerability.
It was found by MWR intern Jérémy Fetiveau, detailed in an article named Windows 8 Kernel Memory Protections Bypass.
I implemented this technique in my Privilege Escalation Framework project.
Microsoft only fixed this issue in Windows 10 Redstone 1. This fix, along with really interesting background on page table management in general under Windows, can also be found in my notebook, here: http://bit.ly/2T6M2vC, or as a PDF: http://bit.ly/2F5xPdx
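To make the "deterministic procedure" concrete, and to show why the Redstone 1 change removes the determinism, here is an added illustration (my own example, not code from the PoC, the vulnerable driver, or the original article). It assumes the textbook x64 4-level paging layout in which the PTE region is mapped through a self-referencing PML4 entry: the PTE for a virtual address is found by shifting the address right by 9, masking to an 8-byte-aligned index, and adding the base of the PTE region, which is simply the self-reference slot placed in the PML4 index bits and sign-extended. The slot number 0x1ED is used here as the pre-Redstone 1 fixed value, which is an assumption taken from public descriptions rather than from the post; the second slot value is constructed only to show that a different slot moves the whole PTE region.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed pre-Redstone 1 self-referencing PML4 slot (public descriptions,
 * not a value from the post). Because it was fixed, the PTE base was fixed. */
#define SELF_REF_INDEX_FIXED 0x1EDULL

/* Base virtual address of the PTE region for a given self-reference slot:
 * the slot becomes the PML4 index (bits 39..47) and the result is
 * sign-extended to a canonical 64-bit address. */
static uint64_t pte_base_for_selfref(uint64_t selfref_index)
{
    uint64_t base = (selfref_index & 0x1FFULL) << 39;
    if (selfref_index & 0x100ULL)           /* bit 47 set -> kernel half */
        base |= 0xFFFF000000000000ULL;
    return base;
}

/* Virtual address of the PTE that maps `va`, under the self-ref layout:
 * drop the 12 page-offset bits, keep 8-byte PTE granularity, add base. */
static uint64_t pte_address(uint64_t va, uint64_t selfref_index)
{
    uint64_t base = pte_base_for_selfref(selfref_index);
    return ((va >> 9) & 0x7FFFFFFFF8ULL) + base;
}

/* Returns 1 when two different slots place the same VA's PTE at different
 * addresses, i.e. when the slot choice alone changes the answer. */
static int slot_changes_pte_location(uint64_t va, uint64_t slot_a, uint64_t slot_b)
{
    return pte_address(va, slot_a) != pte_address(va, slot_b);
}

int main(void)
{
    /* Constructed sample: a kernel-half VA and a user-half VA. */
    uint64_t kernel_va = 0xFFFFF80000000000ULL;
    uint64_t user_va   = 0x00007FF700001000ULL;
    uint64_t other_slot = 0x1ABULL;   /* constructed alternative slot */

    printf("fixed slot 0x%llx -> PTE base 0x%016llx\n",
           (unsigned long long)SELF_REF_INDEX_FIXED,
           (unsigned long long)pte_base_for_selfref(SELF_REF_INDEX_FIXED));
    printf("PTE of 0x%016llx = 0x%016llx\n",
           (unsigned long long)kernel_va,
           (unsigned long long)pte_address(kernel_va, SELF_REF_INDEX_FIXED));
    printf("PTE of 0x%016llx = 0x%016llx\n",
           (unsigned long long)user_va,
           (unsigned long long)pte_address(user_va, SELF_REF_INDEX_FIXED));
    printf("different slot moves the PTE: %s\n",
           slot_changes_pte_location(kernel_va, SELF_REF_INDEX_FIXED, other_slot)
               ? "yes" : "no");
    return 0;
}
```

With the slot fixed, every PTE address is a pure function of the virtual address, which is what makes the procedure deterministic; once the slot is chosen at boot, the same arithmetic yields a different region each time, so knowing the layout no longer gives the PTE location without first learning the slot.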
For the complete OneNote notebook exported as PDFs: http://bit.ly/2HjkySp
Feel free to ask questions!