Kernel memory write via ROP gadget
Evasi0n cannot set the destination pointer in a memmove() operation to an arbitrary value, because the vtable pointer is needed to call the wanted function. It solves this problem by searching memory for a STR R1, [R2]; BX LR gadget, which stores the 32-bit value in R1 at the address held in R2 and then returns, and uses that gadget to write four bytes at a time. With this, all patches can be made.
- Kernel Patches (like