I don't have my win10 VM booted right now, but if I remember right there's a second ASLR setting that you need to set to force execbase randomization. My recollection could be wrong, though.
Bottom-up ASLR?
No, the Bottom-up ASLR + Mandatory ASLR combination (either app-specific or system-wide) doesn't appear to randomize vlc.exe on my system. pic.twitter.com/3tyh2RtDyA
Very interesting. By the way, how did you get per-app settings? I can't seem to find that in my Windows Defender Security Center application.
Try these steps Win10 WDEG. The problem with VLC (and probably other apps too) is that with the relocation table stripped, Windows doesn't appear to be able to randomize where the EXE is loaded, no matter how hard it tries. pic.twitter.com/vNUsTbjxIz
Ah, that did the trick! I didn't realize that "App Settings" was a separate tab. The difference between the gray and black font colors is too small.
I'll play around with vlc in my Win10 VM, see if I can reproduce your results and possibly figure out why.
I think it's simply that Windows cannot load an EXE at an arbitrary location if its relocation information has been stripped. See also: https://www1.cs.columbia.edu/~angelos/Papers/2014/dynamic.pdf
That paper and this discussion have me a little amazed. I've read or listened to who knows how many experts talk about ASLR, sometimes in excruciating detail, and honestly can't recall the point ever being discussed. But it makes immediate sense once you think about it.
But why would VLC be compiled with /DYNAMICBASE set, enabling ASLR, but stripped of the .reloc info needed to make it work? That's bizarre.
Indeed. They claim that it was built with MinGW / gcc and then stripped of debug symbols. I doubt any Visual Studio compiler would output such a combination. I'll have to whip up a script to help see how prevalent this situation is.
So, FWIW/FYI, I can confirm that this is what happens on my setup as well. Last two versions of VLC.exe (at least), trying to require ASLR does nothing. Base address 0x400000, every time. Except if you tick the "Do not allow stripped images" checkbox in WDEG. Then EG just blocks: pic.twitter.com/zLHhHSS09X
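The thread's point is that /DYNAMICBASE alone does not buy randomization: the loader also needs base relocations. The script below is an added example (not code from anyone in the thread) of the kind of triage tool mentioned above: it parses the PE headers of an image and reports the DllCharacteristics DYNAMIC_BASE bit, the COFF IMAGE_FILE_RELOCS_STRIPPED flag, and whether the base-relocation data directory is populated, then calls the image "randomizable" only when all three line up. It runs offline on constructed header bytes (the `build_header` helper fabricates a headers-only PE, not a loadable program); run it on a real EXE by passing `open(path, "rb").read()` to `aslr_posture`. Which of the two reloc indicators Windows actually consults is not something the thread establishes, so both are reported.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: relocations removed
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5             # index of the .reloc data directory


def aslr_posture(data: bytes) -> dict:
    """Read the PE headers in `data` and report whether ASLR can actually relocate the image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off = opt + 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]   # same offset in both formats
    reloc_rva, reloc_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)

    dynamicbase = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_dir = reloc_rva != 0 and reloc_size != 0
    return {
        "image_base": image_base,
        "dynamicbase": dynamicbase,
        "relocs_stripped": relocs_stripped,
        "has_reloc_dir": has_reloc_dir,
        # Opting in is not enough: without relocations the loader can only use ImageBase.
        "randomizable": dynamicbase and has_reloc_dir and not relocs_stripped,
    }


def build_header(*, pe32plus: bool, dynamicbase: bool, relocs_stripped: bool,
                 image_base: int = 0x400000) -> bytes:
    """Constructed, headers-only PE image for demonstration; it is not a runnable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE signature
    characteristics = 0x0002                                  # IMAGE_FILE_EXECUTABLE_IMAGE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
        dd_off = 112
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
        dd_off = 96
    struct.pack_into("<I", opt, dd_off - 4, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<H", opt, 0x46,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamicbase else 0)
    if not relocs_stripped:
        # Point the base-relocation directory at a constructed .reloc table (RVA/size made up).
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x5000, 0x100)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Shape described in the thread: DYNAMICBASE set, relocations stripped, fixed 0x400000 base.
    vlc_like = build_header(pe32plus=False, dynamicbase=True, relocs_stripped=True)
    print("stripped image:", aslr_posture(vlc_like))
    healthy = build_header(pe32plus=True, dynamicbase=True, relocs_stripped=False,
                           image_base=0x140000000)
    print("relocatable image:", aslr_posture(healthy))
```

The "Do not allow stripped images" WDEG option mentioned above is the policy complement of this check: rather than loading such an image at its fixed base, the OS refuses it, so a triage script like this lets you find the affected binaries before turning that option on.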