In my previous blog, I mention that MADV_DONTFORK is set to the virtual memory region, which is used as the physical memory of guest machine. In another word, the memory set to MADV_DONTFORK will not be passed to the forked process. In this post, I will prove this hypothesis by undoing the MADV_DONTFORK flag of the memory region and display the flag.
In the exploit given in  and , the author first changes the protection flag of the PHY_MEM to RWX and prepares the shellcode in PHY_MEM to undo the MADV_DONTFORK flag of PHY_MEM. From my perspective, such a method is tedious for the purpose of this post. Alternatively, I choose to prove the hypothesis via code reuse attack directly.