It seems that est since build 18922 Microsoft turned on retpoline
This is implemented as RFG relocations with 3 new type:
Type 3
Looks like IAT function calling patch:
Type 4
Looks like call reg patch:
Type 5
Looks like call reg in switch patch:
I patched today my RFG plugin to IDA Pro to support this new types
This is implemented as RFG relocations with 3 new type:
Type 3
typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
DWORD PageRelativeOffset : 12;
DWORD IndirectCall : 1;
DWORD IATIndex : 19;
} IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;
Looks like IAT function calling patch:
call cs:__imp_PshedFreeMemory
nop dword ptr [rax+rax+00h]
Type 4
typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
WORD PageRelativeOffset : 12;
WORD IndirectCall : 1;
WORD RexWPrefix : 1;
WORD CfgCheck : 1;
WORD Reserved : 1;
} IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;
Looks like call reg patch:
call rax
nop dword ptr [rax]
Type 5
typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION {
WORD PageRelativeOffset : 12;
WORD RegisterNumber : 4;
} IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION;
Looks like call reg in switch patch:
mov ecx, ds:rva off_14000DEBC[rdx+rdi*4]
add rcx, rdx
jmp rcx ; switch jump
db 4 dup(0CCh)
I patched today my RFG plugin to IDA Pro to support this new types