How a Browser Silently Blocks RWX Execution

2025-01-08

A security researcher discovered an EDR-like mechanism in a browser that blocks execution of shellcode from RWX memory. By hooking the BaseThreadInitThunk() API, the browser intercepts thread creation and checks whether the memory holding the shellcode has the PAGE_EXECUTE_READ attribute. If it does not, the browser redirects the thread's execution to a 'sinkhole', so the malicious code never runs. Though simple, this unexpected feature shows the browser taking a proactive security measure, and it makes RWX memory regions significantly harder to exploit.
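The check described above, modelled as an added example (not the browser's or the researcher's code): the region table stands in for what VirtualQuery() would report on Windows, and the addresses, the SINKHOLE value and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows page-protection constants (values as in winnt.h). */
#define PAGE_READWRITE          0x04u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u

/* Constructed stand-in for what VirtualQuery() reports about a region. */
typedef struct { uintptr_t base; size_t size; uint32_t protect; } region_t;

static const region_t regions[] = {                   /* constructed sample layout */
    { 0x10000000u, 0x2000u, PAGE_EXECUTE_READ },      /* module code section */
    { 0x20000000u, 0x1000u, PAGE_EXECUTE_READWRITE }, /* RWX allocation      */
    { 0x30000000u, 0x1000u, PAGE_READWRITE },         /* plain data          */
};

/* Hypothetical benign routine inside the code section that diverted threads run. */
#define SINKHOLE ((uintptr_t)0x10001000u)

/* Protection of the page holding addr; 0 means the address is not mapped. */
static uint32_t query_protect(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return regions[i].protect;
    return 0;
}

/* Decision made in the hooked thread-start path: the address the thread really runs. */
uintptr_t gate_thread_start(uintptr_t start)
{
    if (query_protect(start) == PAGE_EXECUTE_READ)
        return start;    /* read+execute only: let the thread run as requested */
    return SINKHOLE;     /* RWX, non-executable or unmapped: divert the thread */
}

int main(void)
{
    const uintptr_t starts[] = { 0x10000040u, 0x20000000u, 0x30000010u, 0x40000000u };
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++)
        printf("start %#lx -> runs at %#lx\n", (unsigned long)starts[i],
               (unsigned long)gate_thread_start(starts[i]));
    return 0;
}
```

Only the start address inside the PAGE_EXECUTE_READ region keeps its requested entry point; the RWX, read-write and unmapped addresses all end up at the sinkhole.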
