Defeating ASLR and DEP with JIT Spraying and how to mitigate

Discussion in 'other software & services' started by Hungry Man, Nov 24, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well for starters a program can turn DEP off on its own with a simple call. Creating addressable space (VirtualAlloc() et al) shouldn't be caught by a HIPS, programs do this all the time. I doubt a HIPS would catch any of this until maybe somewhere later in the exploit ie: the payload.

    Virtualization of the registry isn't important until you have your payload. Sandboxie with full virtualization would protect you from most exploits barring kernel level/ sandboxie exploits.

    And since this is XP and it can gain Admin I don't see why it couldn't just turn everything off (unless it's in Sandboxie.)

    I do hope it's purely the OS that's not being updated and that plugins like Flash are.

    I also don't see how default-deny can stop a payload if you launch it from, say, Flash, which will have already disabled defenses like DEP and can read/write to (now) executable memory. But that's becuase I'm not sure how default-deny actually ensures denial.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Default Deny - Antiexe/dll demo

    I tried to run a newer version of GMER that i havn't included in ProcessGuards database yet.

    g1.gif

    PG refuses to even allow it to even TRY to run, due to these settings, & in particular this one.

    pg1.gif

    I then need to uncheck that for the duration ONLY & try again, then choose Permit. I can also choose to permanently allow it.

    pg2.gif

    If i went further with GMER's install, PG would need me to Allow Driver/Service too.

    So any Malware that tried to run on it's own, or that someone double clicked on accidently, would be automatically blocked = :)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, but if I have control of your browser and I use your browser to disable DEP and allocate as much executable address space as I like I'm wondering if it would be able to stop me from then loading it into address space since the browser is whitelisted and I now have as much rwx space as I want.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Write the code for the exploit, or PM me a Working www one, or a link to such an exploit nasty, & i'll run it & we'll see.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'll get on that. Expect a PM in a few years.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Standing by ;)
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Hi, sorry i missed your post until now :(

    Yeah you're correct :thumb: NS maxed out = :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.