Title: An EAF guard driver to prevent shellcode from removing guard pages
Abstract: Preventing shellcode execution is the last line of defense against cyberattacks that exploit vulnerabilities. Export address filtering (EAF), a security feature of Windows Defender Exploit Guard in Windows 10, prevents shellcode execution by guarding access to export address tables with guard pages. To prevent, and raise awareness of, a new bypass technique, we present a proof of concept that removes the guard pages created by EAF by calling the NT!NtProtectVirtualMemory function. Windows shellcode carrying the proof-of-concept code works on various versions of Windows 7 and later. To defeat this bypass, we propose an EAF guard driver that prevents shellcode from removing the guard pages. In tests, the driver prevented removal of the guard pages without false alarms.
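The abstract only states that the driver stops protection changes that would strip the guard pages; it gives no detail of the decision logic. The following Python model is an added example written for this page, not the paper's driver code: it simulates the policy such a driver would apply to each protection request (the process, the address range and the requested new protection), denying any request that would clear PAGE_GUARD on a page EAF has registered as guarded. The memory-protection constants are the real winnt.h values; the page addresses, the process ids and the `caller_is_eaf` flag (assumed to distinguish the exploit-protection component re-arming a guard page after a legitimate access, which is how the model avoids false alarms) are constructed assumptions.

```python
# Simulation of an EAF guard policy: decide whether a memory-protection change
# may proceed. Assumed model for illustration, not the paper's driver code.

PAGE_SIZE = 0x1000

# Real Win32 memory-protection constants (winnt.h)
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_GUARD = 0x100


def page_range(base, size):
    """Page bases covered by [base, base + size), rounded outward to page
    boundaries the way the memory manager treats a protect request."""
    start = base & ~(PAGE_SIZE - 1)
    end = (base + size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
    return range(start, end, PAGE_SIZE)


class EafGuardPolicy:
    """Tracks which pages EAF has guarded in each process and vets
    protection-change requests against that set."""

    def __init__(self):
        self.guarded = {}  # pid -> set of page bases that EAF marked PAGE_GUARD

    def register_guard(self, pid, base, size):
        # Called when EAF places PAGE_GUARD on an export address table range.
        self.guarded.setdefault(pid, set()).update(page_range(base, size))

    def check_protect(self, pid, base, size, new_protect, caller_is_eaf=False):
        """Return (allowed, reason) for a request to change protection on
        [base, base + size) to new_protect in process pid."""
        if caller_is_eaf:
            # Assumption: the exploit-protection component itself is trusted
            # when it re-arms or temporarily lifts a guard after a hit.
            return True, "eaf-rearm"
        guarded = self.guarded.get(pid, set())
        touched = [p for p in page_range(base, size) if p in guarded]
        if touched and not (new_protect & PAGE_GUARD):
            # The request would strip PAGE_GUARD from an EAF-guarded page:
            # this is the bypass the driver exists to block.
            return False, "guard-removal-blocked:%d-pages" % len(touched)
        return True, "no-guarded-page-affected" if not touched else "guard-retained"


# Constructed sample: one guarded export-table page in pid 1234.
EAT_BASE = 0x7FFA00001000  # constructed address, not a real module layout
PID_GUARDED = 1234
PID_OTHER = 5678

# Constructed protection requests in the order a monitor might see them.
SAMPLE_REQUESTS = [
    # (pid, base, size, new_protect, caller_is_eaf)
    (PID_GUARDED, EAT_BASE + 0x10, 0x20, PAGE_READONLY, False),           # strips guard
    (PID_GUARDED, EAT_BASE, 0x1000, PAGE_READONLY | PAGE_GUARD, False),   # keeps guard
    (PID_GUARDED, 0x10000, 0x1000, PAGE_READWRITE, False),                # unrelated range
    (PID_GUARDED, EAT_BASE - 0x1000, 0x2000, PAGE_READONLY, False),       # spans into guard
    (PID_GUARDED, EAT_BASE, 0x1000, PAGE_READONLY, True),                 # EAF re-arm
    (PID_OTHER, EAT_BASE, 0x1000, PAGE_READONLY, False),                  # other process
]


def build_policy():
    policy = EafGuardPolicy()
    policy.register_guard(PID_GUARDED, EAT_BASE, 0x1000)
    return policy


def evaluate_requests(policy=None, requests=SAMPLE_REQUESTS):
    """Run each request through the policy; returns a list of (allowed, reason)."""
    policy = policy or build_policy()
    return [policy.check_protect(*req) for req in requests]


if __name__ == "__main__":
    for req, (allowed, reason) in zip(SAMPLE_REQUESTS, evaluate_requests()):
        print("pid=%d base=0x%x size=0x%x -> %s (%s)"
              % (req[0], req[1], req[2], "ALLOW" if allowed else "DENY", reason))
```

The denied cases are the ones a driver would also want to log, since a user-mode caller asking to clear PAGE_GUARD on an export address table page has no legitimate reason to do so; the allowed cases show why the check must compare against the registered set rather than block every protection change in the process.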