When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults. https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html …pic.twitter.com/kKS5MWW7ra
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Which sample?
https://www.virustotal.com/intelligence/search/?query=8f0751c3917dba885f4bffc7dadefe698214e3553a08412be61d8cff1f5f2ad8 … for example. It's Dynamic base and has its relocation table. Yet it's always loaded at 0x20000000, unless mandatory ASLR is enabled for it, or system-wide. 8664a5ebace292d347002a8434440feb93e69acd46e364a67c9975fc6e701aad OTOH is also WIBU, but ASLR-compat
All of this, and especially the WIBU case (and others), makes me think that there's not a trivial static way to check that code will be randomized with ASLR. Process Explorer checks *only* for "Dynamic base", which is clearly not sufficient due to the relocations table aspect.
Sounds like it. Again, /cc @markrussinovich
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.