ρHammer: Reviving RowHammer Attacks on New Architectures via Prefetching

📅 2025-10-18
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper addresses the failure of conventional load-based Rowhammer attacks on recent Intel microarchitectures such as Alder Lake and Raptor Lake, where hammering with ordinary loads no longer induces bit flips reliably. The authors propose ρHammer, a Rowhammer framework built for these architectures, with three contributions: (1) an efficient DRAM address mapping reverse-engineering method based on selective pairwise measurements and structured deduction, which recovers complex mappings within seconds on the latest memory controllers; (2) a prefetch-based hammering paradigm that exploits the asynchronous semantics of x86 prefetch instructions and adds multi-bank parallelism to raise activation throughput past the bottleneck of load-based hammering; and (3) a counter-speculation hammering technique that combines control-flow obfuscation with NOP-based pseudo-barriers to keep prefetches in order despite speculative execution, which ordinary memory barriers cannot do. Evaluation on four recent Intel microarchitectures shows end-to-end exploitability: ρHammer revives Rowhammer on Raptor Lake, where load-based baselines fail entirely, at a stable 2,291 flips/minute; raises the flip rate 112× over load-based baselines on Comet Lake and Rocket Lake; and finds more than 200,000 additional bit flips within two-hour attack-pattern fuzzing runs.

📝 Abstract
Rowhammer is a critical vulnerability in dynamic random access memory (DRAM) that continues to pose a significant threat to various systems. However, we find that conventional load-based attacks are becoming highly ineffective on the most recent architectures such as Intel Alder and Raptor Lake. In this paper, we present ρHammer, a new Rowhammer framework that systematically overcomes three core challenges impeding attacks on these new architectures. First, we design an efficient and generic DRAM address mapping reverse-engineering method that uses selective pairwise measurements and structured deduction, enabling recovery of complex mappings within seconds on the latest memory controllers. Second, to break through the activation rate bottleneck of load-based hammering, we introduce a novel prefetch-based hammering paradigm that leverages the asynchronous nature of x86 prefetch instructions and is further enhanced by multi-bank parallelism to maximize throughput. Third, recognizing that speculative execution causes more severe disorder issues for prefetching, which cannot be simply mitigated by memory barriers, we develop a counter-speculation hammering technique using control-flow obfuscation and optimized NOP-based pseudo-barriers to maintain prefetch order with minimal overhead. Evaluations across four latest Intel architectures demonstrate ρHammer's breakthrough effectiveness: it induces up to 200K+ additional bit flips within 2-hour attack pattern fuzzing processes and has a 112x higher flip rate than the load-based hammering baselines on Comet and Rocket Lake. Also, we are the first to revive Rowhammer attacks on the latest Raptor Lake architecture, where baselines completely fail, achieving stable flip rates of 2,291/min and fast end-to-end exploitation.
Problem

Research questions and friction points this paper is trying to address.

Reviving RowHammer attacks on modern Intel architectures
Overcoming activation rate bottlenecks via prefetch-based hammering
Mitigating speculative execution interference in Rowhammer exploits
Innovation

Methods, ideas, or system contributions that make the work stand out.

Reverse-engineering DRAM address mapping via pairwise measurements
Using prefetch instructions for high-throughput asynchronous hammering
Employing control-flow obfuscation to maintain prefetch order
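The mapping-recovery step (the abstract's "selective pairwise measurements and structured deduction", restated in the first Innovation bullet) is the part of the pipeline a practitioner can prototype offline. The block below is an added example, not code from the ρHammer paper or its authors, of one way such a deduction can be organised: with a single reference address r, measuring whether r and r ^ m land in the same bank for every one-bit and two-bit mask m tells you which address bits select a bank and which pairs of bits cancel each other, which under the assumption that every bank function is the XOR of two address bits not shared with any other function identifies the functions directly in a few hundred measurements. The ground-truth masks in TRUE_FUNCS, the probed bit range LO_BIT..HI_BIT, the reference address, and all function names are constructed for this example and are not the paper's mapping or algorithm; on real hardware the same_bank() stand-in is replaced by the row-buffer-conflict timing test sketched in time_pair(), thresholded against a calibrated conflict latency.

```c
/*
 * Added example (not code from the rhoHammer paper): recovering XOR-based DRAM
 * bank-selection functions with a selective set of pairwise same-bank queries.
 * A hypothetical mapping stands in for the memory controller so the example
 * runs anywhere; time_pair() shows the timing primitive used on real hardware.
 * Assumption: every function XORs two physical-address bits and no bit is
 * shared between functions.
 */
#include <stdint.h>
#include <stdio.h>

#define LO_BIT 6      /* bits 0..5 address bytes inside one 64-byte cache line */
#define HI_BIT 22     /* highest bit probed; an assumption for the example */
#define MAX_FUNCS 16

/* Hypothetical ground-truth mapping, used only to answer oracle queries. */
static const uint64_t TRUE_FUNCS[] = {
    (1ULL << 7)  ^ (1ULL << 13),
    (1ULL << 14) ^ (1ULL << 18),
    (1ULL << 15) ^ (1ULL << 19),
    (1ULL << 16) ^ (1ULL << 20),
};
#define NUM_TRUE (sizeof TRUE_FUNCS / sizeof TRUE_FUNCS[0])

/* Value of one XOR function on an address: parity of the selected bits. */
static int xor_func(uint64_t addr, uint64_t mask) {
    return __builtin_parityll(addr & mask);
}

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <x86intrin.h>
/* Hardware oracle primitive: average cycles per alternating access to a and b
 * with both lines flushed. Same-bank, different-row pairs pay a row-buffer
 * conflict on every access and time measurably higher than other pairs; the
 * caller compares the median of many runs against a calibrated threshold.
 * Not exercised by the simulated run below. */
__attribute__((unused))
static uint64_t time_pair(volatile char *a, volatile char *b, int reps) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    for (int i = 0; i < reps; i++) {
        (void)*a;
        (void)*b;
        _mm_clflush((const void *)a);
        _mm_clflush((const void *)b);
        _mm_mfence();
    }
    uint64_t t1 = __rdtscp(&aux);
    return (t1 - t0) / (uint64_t)reps;
}
#endif

/* Stand-in oracle: 1 iff a and b fall in the same bank under TRUE_FUNCS.
 * On hardware this is time_pair(a, b, reps) above the conflict threshold. */
static int same_bank(uint64_t a, uint64_t b) {
    for (size_t i = 0; i < NUM_TRUE; i++)
        if (xor_func(a, TRUE_FUNCS[i]) != xor_func(b, TRUE_FUNCS[i]))
            return 0;
    return 1;
}

/* Structured deduction from selective pairwise queries. (ref, ref ^ m) are in
 * the same bank exactly when mask m overlaps every bank function in an even
 * number of bits. A single bit that moves the bank belongs to some function;
 * two such bits that together leave the bank unchanged belong to the same
 * function, so (under the two-bit, disjoint assumption) the pair is that
 * function. At most (HI_BIT-LO_BIT)^2 / 2 queries are needed. */
static int recover_functions(uint64_t ref, int (*oracle)(uint64_t, uint64_t),
                             uint64_t out[MAX_FUNCS]) {
    int n = 0;
    for (int i = LO_BIT; i < HI_BIT; i++) {
        uint64_t bi = 1ULL << i;
        if (oracle(ref, ref ^ bi)) continue;        /* bit i selects no bank */
        for (int j = i + 1; j < HI_BIT; j++) {
            uint64_t bj = 1ULL << j;
            if (oracle(ref, ref ^ bj)) continue;    /* bit j selects no bank */
            if (oracle(ref, ref ^ bi ^ bj) && n < MAX_FUNCS)
                out[n++] = bi | bj;                 /* i and j cancel: one function */
        }
    }
    return n;
}

/* Order-insensitive comparison of a recovered set against the ground truth. */
static int matches_truth(const uint64_t *got, int n) {
    if ((size_t)n != NUM_TRUE) return 0;
    for (size_t i = 0; i < NUM_TRUE; i++) {
        int found = 0;
        for (int k = 0; k < n; k++) found |= (got[k] == TRUE_FUNCS[i]);
        if (!found) return 0;
    }
    return 1;
}

int main(void) {
    uint64_t funcs[MAX_FUNCS];
    int n = recover_functions(0x12345000ULL, same_bank, funcs);
    for (int k = 0; k < n; k++)
        printf("bank function %d: mask 0x%llx\n", k, (unsigned long long)funcs[k]);
    printf("%s\n", matches_truth(funcs, n) ? "recovered all functions" : "mismatch");
    return !matches_truth(funcs, n);
}
```

The deduction is linear in the oracle answers, so the choice of reference address does not matter as long as every probed bit can be flipped without leaving the mapped buffer; on real hardware the reference and its XOR partners must be physical addresses (from a hugepage or a pagemap walk), and each oracle call should be a median over repeated timings. Functions with three or more bits, or bits shared between functions, make the two-bit pass miss them; extending the search to larger masks, or solving the collected annihilating masks as a linear system over GF(2), handles those cases.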
Weijie Chen
Huazhong Univ. of Sci. and Tech., Wuhan, China; The Hong Kong Polytechnic Univ., Hong Kong, China
Shan Tang
Huazhong Univ. of Sci. and Tech., Wuhan, China
Yulin Tang
Huazhong Univ. of Sci. and Tech., Wuhan, China
Xiapu Luo
The Hong Kong Polytechnic University
Mobile Security, Smart Contracts, Network Security, Blockchain, Software Engineering
Yinqian Zhang
Professor, Southern University of Science and Technology
Computer Security
Weizhong Qiang
Huazhong Univ. of Sci. and Tech., Wuhan, China