Channel: Didier Stevens » Windows 7
Browsing all 11 articles


Quickpost: Checking ASLR

Some people asked me for a simple way to check shell extensions for their ASLR support. You can do this with Process Explorer. Start Process Explorer, and set the lower pane to display DLLs. Select...

Windows Security Center: Under the Hood

I’m sure you’ve seen the following warning before: But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7). It gets...

So How Good is Pseudo-ASLR?

Let me first define what I mean by pseudo-ASLR. Address Space Layout Randomization (introduced in Windows Vista) loads executable files at different memory addresses. Studies have shown that ASLR...

Bottom Up Randomization Saves Mandatory ASLR

I recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has an 8-bit entropy for base addresses, mandatory ASLR turned out only to have...

Add Bottom Up Randomization To (Your Own) Source Code

EMET’s new Bottom Up Randomization spectacularly increased the entropy of the base addresses of DLLs loaded into my test program. Instead of 15 different addresses, I had more than 200. Matt Miller told me...

Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag

I discovered the flag FORCE_INTEGRITY last year when I released my tool setdllcharacteristics. This flag will force a check of the executable’s digital signature (on Windows Vista and Windows 7) and...

Ariad 64-bit

You can now download a 64-bit version of my Ariad driver. I’ve been using this driver on my x64 Windows 7 test machine only for a couple of days, so this is still beta software. As for the installation...

Hotfix For SRP/AppLocker Bypass

Remember Microsoft has features to bypass its own Software Restriction Policies and AppLocker: Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By...

LoadDLLViaAppInit with FORCE_INTEGRITY

In Windows 7 and Windows Server 2008 R2, Microsoft added a feature to the AppInit_DLLs mechanism. When the REG_DWORD RequireSignedAppInit_DLLs is set to 1, the DLLs to be loaded via AppInit_DLLs have...

FORCE_INTEGRITY With DLLs

I’ve talked about using the FORCE_INTEGRITY flag with EXEs, but how about DLLs? Its effect is similar. If flag FORCE_INTEGRITY is set for a DLL, and the DLL is not signed or the signature is invalid,...

MSI: The Case Of The Invalid Signature

I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like...