If you can’t modify kernel memory then how do you overwrite function pointers? (I understand how rop works.) At some level you have to get privileged execution and doing so would be incredibly difficult if you can’t trick the kernel at some point after whatever amount of ropping you’ve done.