From 625463f2b5085b9210196b2b6858c8c31008e50b Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 17 Aug 2020 18:00:38 -0500 Subject: [PATCH] Updated StackPivot Added APIs intercepted --- .../exploit-protection-reference.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index aa43a35300..5cb4b38dd1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -672,6 +672,43 @@ The *validate stack integrity (StackPivot) mitigation helps protect against the This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + ### Compatibility considerations Compatibility issues are uncommon. Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
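Review bot: the added list is a flat run of 34 bare API names with no grouping and no code formatting, which makes it hard to check whether a given family is covered; suggest wrapping each name in backticks (e.g. `- \`LoadLibraryA\``) and grouping the items under short sub-lists such as library loading (`LoadLibrary*`, `LdrLoadDll`), memory allocation and protection (`VirtualAlloc*`, `NtAllocateVirtualMemory`, `VirtualProtect*`, `NtProtectVirtualMemory`, `HeapCreate`, `RtlCreateHeap`), process and thread creation (`CreateProcess*`, `NtCreateUserProcess`, `NtCreateProcess*`, `CreateRemoteThread*`, `NtCreateThreadEx`, `WinExec`), cross-process writes (`WriteProcessMemory`, `NtWriteVirtualMemory`), section mapping (`CreateFileMapping*`, `NtCreateSection`, `MapViewOfFile*`) and export resolution (`LdrGetProcedureAddressForCaller`). Since the list mixes Win32 wrappers with native `Nt*`, `Ldr*` and `Rtl*` entry points, the introductory sentence "The APIs intercepted by this mitigation are:" could say so explicitly, so readers do not assume that only the kernel32 wrappers are checked. While editing this section, also close the unbalanced italic marker in the unchanged context line above the list: `The *validate stack integrity (StackPivot) mitigation` should read `The *validate stack integrity* (StackPivot) mitigation`.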