Quickpost: Checking ASLR
Some people asked me for a simple way to check shell extensions for their ASLR support. You can do this with Process Explorer. Start Process Explorer, and set the lower pane to display DLLs. Select...
Windows Security Center: Under the Hood
I’m sure you’ve seen the following warning before: But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7). It gets...
So How Good is Pseudo-ASLR?
Let me first define what I mean by pseudo-ASLR. Address Space Layout Randomization (introduced in Windows Vista) loads executable files at different memory addresses. Studies have shown that ASLR...
Bottom Up Randomization Saves Mandatory ASLR
I recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has 8-bit entropy for base addresses, mandatory ASLR turned out only to have...
Add Bottom Up Randomization To (Your Own) Source Code
EMET’s new Bottom Up Randomization spectacularly increased the entropy of the base addresses of DLLs loaded into my test program. Instead of 15 different addresses, I had more than 200. Matt Miller told me...
Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag
I discovered the flag FORCE_INTEGRITY last year when I released my tool setdllcharacteristics. This flag will force a check of the executable’s digital signature (on Windows Vista and Windows 7) and...
Ariad 64-bit
You can now download a 64-bit version of my Ariad driver. I’ve been using this driver on my x64 Windows 7 test machine only for a couple of days, so this is still beta software. As for the installation...
Hotfix For SRP/AppLocker Bypass
Remember that Microsoft has features to bypass its own Software Restriction Policies and AppLocker: Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By...
LoadDLLViaAppInit with FORCE_INTEGRITY
In Windows 7 and Windows Server 2008 R2, Microsoft added a feature to the AppInit_DLLs mechanism. When the REG_DWORD RequireSignedAppInit_DLLs is set to 1, the DLLs to be loaded via AppInit_DLLs have...
FORCE_INTEGRITY With DLLs
I’ve talked about using the FORCE_INTEGRITY flag with EXEs, but how about DLLs? Its effect is similar. If flag FORCE_INTEGRITY is set for a DLL, and the DLL is not signed or the signature is invalid,...
MSI: The Case Of The Invalid Signature
I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like...