Defeating ASLR and DEP with JIT Spraying and how to mitigate

Discussion in 'other software & services' started by Hungry Man, Nov 24, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, for starters, a program can turn DEP off on its own with a simple call. Creating addressable space (VirtualAlloc() et al.) shouldn't be caught by a HIPS; programs do this all the time. I doubt a HIPS would catch any of this until maybe somewhere later in the exploit, i.e. the payload.

    Virtualization of the registry isn't important until you have your payload. Sandboxie with full virtualization would protect you from most exploits barring kernel level/ sandboxie exploits.

    And since this is XP and it can gain Admin I don't see why it couldn't just turn everything off (unless it's in Sandboxie.)

    I do hope it's purely the OS that's not being updated and that plugins like Flash are.

    I also don't see how default-deny can stop a payload if you launch it from, say, Flash, which will have already disabled defenses like DEP and can read/write to (now) executable memory. But that's because I'm not sure how default-deny actually ensures denial.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Default Deny - Antiexe/dll demo

    I tried to run a newer version of GMER that I haven't included in ProcessGuard's database yet.

    [screenshot: g1.gif]

    PG refuses to even allow it to TRY to run, due to these settings, & in particular this one.

    [screenshot: pg1.gif]

    I then need to uncheck that for the duration ONLY & try again, then choose Permit. I can also choose to permanently allow it.

    [screenshot: pg2.gif]

    If i went further with GMER's install, PG would need me to Allow Driver/Service too.

    So any malware that tried to run on its own, or that someone double-clicked on accidentally, would be automatically blocked = :)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, but if I have control of your browser and use it to disable DEP and allocate as much executable address space as I like, I'm wondering whether it would be able to stop me from then loading it into address space, since the browser is whitelisted and I now have as much RWX space as I want.
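A defender-side illustration of the point raised in posts 1 and 3 (an added example, not code from this thread or from any of the products named in it): a launch-time whitelist sees nothing when an already-whitelisted browser opts itself out of DEP, allocates spray-sized RWX memory and then runs a payload, so a HIPS that wanted to catch it would have to watch those in-process API calls. The trace format, the 32 MiB threshold and the allow list are assumptions; `PROCESS_DEP_ENABLE` is the real `SetProcessDEPPolicy` flag bit.

```python
import re
from collections import defaultdict

# Constructed sample API trace (made-up format: "pid process api key=value ...");
# not the output of any real HIPS. One whitelisted browser is driven through the
# sequence the thread describes, plus one benign process for contrast.
SAMPLE_TRACE = """\
4120 iexplore.exe SetProcessDEPPolicy flags=0x0
4120 iexplore.exe VirtualAlloc size=0x4000000 protect=PAGE_EXECUTE_READWRITE
4120 iexplore.exe VirtualAlloc size=0x4000000 protect=PAGE_EXECUTE_READWRITE
4120 iexplore.exe CreateProcess image=C:\\Temp\\update.exe
2210 notepad.exe VirtualAlloc size=0x1000 protect=PAGE_READWRITE
"""

WHITELIST = {"iexplore.exe", "notepad.exe"}   # assumed default-deny allow list
RWX_THRESHOLD = 32 * 1024 * 1024               # assumed: >= 32 MiB of RWX is abnormal
PROCESS_DEP_ENABLE = 0x1                       # real SetProcessDEPPolicy flag bit

def parse_trace(trace):
    """Yield (pid, process, api, {key: value}) for each non-empty trace line."""
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, proc, api, args = line.split(maxsplit=3)
        yield pid, proc, api, dict(re.findall(r"(\w+)=(\S+)", args))

def analyze(trace, whitelist=WHITELIST, rwx_threshold=RWX_THRESHOLD):
    """Return [(pid, process, finding)] for in-process behaviour that a
    launch-time whitelist alone never sees."""
    state = defaultdict(lambda: {"dep_off": False, "rwx_bytes": 0, "seen": set()})
    findings = []

    def report(pid, proc, kind):
        if kind not in state[pid]["seen"]:        # report each kind once per pid
            state[pid]["seen"].add(kind)
            findings.append((pid, proc, kind))

    for pid, proc, api, args in parse_trace(trace):
        s = state[pid]
        if api == "SetProcessDEPPolicy":
            if (int(args.get("flags", "0"), 16) & PROCESS_DEP_ENABLE) == 0:
                s["dep_off"] = True               # process opted itself out of DEP
                report(pid, proc, "dep-opt-out")
        elif api == "VirtualAlloc" and args.get("protect") == "PAGE_EXECUTE_READWRITE":
            s["rwx_bytes"] += int(args["size"], 16)
            if s["rwx_bytes"] >= rwx_threshold:   # spray-sized RWX region
                report(pid, proc, "rwx-spray")
        elif api == "CreateProcess":
            child = args.get("image", "").rsplit("\\", 1)[-1].lower()
            # whitelisted parent spawning an unlisted child after the steps above
            if child not in whitelist and (s["dep_off"] or s["rwx_bytes"]):
                report(pid, proc, "payload-launch")
    return findings

if __name__ == "__main__":
    for pid, proc, kind in analyze(SAMPLE_TRACE):
        print(f"{pid} {proc}: {kind}")
```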
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Write the code for the exploit, or PM me a working www one, or a link to such an exploit nasty, & I'll run it & we'll see.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'll get on that. Expect a PM in a few years.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Standing by ;)
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Hi, sorry I missed your post until now :(

    Yeah you're correct :thumb: NS maxed out = :)
     