
handle: 1959.4/70670
Rowhammer is a hardware vulnerability in DRAM in which repeated accesses to memory rows (the hammer rows) can induce bit flips in physically adjacent rows (the victim rows). Because it is a hardware fault, rowhammer bypasses all system memory protections and lets an adversary compromise both the integrity and the confidentiality of data. To defend against rowhammer attacks, a class of recent software-only countermeasures exploits the spatial proximity between the accessed memory location and the location of the bit flip: these countermeasures deny the attacker permission to access exploitable hammer rows that are adjacent to rows of sensitive data. CATT, for example, is the first practical software-only defense; it enforces static physical kernel isolation so that attackers cannot access hammer rows next to rows of kernel data. In this thesis, we propose two new rowhammer attacks that defeat these software-only defenses. We first present CATTmew, which breaks CATT and achieves privilege escalation. CATTmew is motivated by the observation that modern OSes contain kernel buffers that are accessible to unprivileged users; the existence of such buffers invalidates the physical kernel isolation that CATT enforces. CATTmew still requires access permission to exploitable hammer rows (i.e., the kernel buffers), so it can be mitigated by other defenses. We therefore propose a new class of deputy-confused rowhammer attacks, termed Implicit Hammer, that has no such requirement. To demonstrate the practicality of Implicit Hammer, we provide a concrete instance, called PThammer, that overcomes multiple software-only defenses and results in a system compromise. To mitigate these rowhammer attacks as well as the rowhammer effect itself, we present two countermeasures.
The first countermeasure, SoftTRR, defends against page-table-based privilege escalation attacks, motivated by our observation that rowhammer kernel privilege escalation attacks, including CATTmew and PThammer, focus on corrupting Level-1 page tables. The second countermeasure is a rowhammer test tool, DRAMDig, that detects rowhammer vulnerability. Knowledge of the DRAM address mapping is necessary for efficient and effective rowhammer testing, yet the mapping is not publicly available for Intel-based microarchitectures. DRAMDig efficiently and deterministically uncovers the DRAM address mapping on any Intel-based machine and thereby induces a significant number of rowhammer bit flips.
Privilege Escalation, 000, Physical Kernel Isolation, DRAM Address Mapping, Address Translation, Double-owned Buffer, Rowhammer, 004
