You make no mention of exploit mitigations like EMET or Windows Defender Exploit Guard. If your exploit requires that a "controlled address were jumped to", then even just mandatory ASLR (provided by both EMET and WDAG) would stop the exploit, no?
The entropy for force relocated images comes from bottom-up ASLR which is only enabled by default if the EXE was built with /dynamicbase. Try turning on bottom-up ASLR as well.
Thanks. I'm pretty sure that Bottom-up ASLR is enabled along with Mandatory ASLR. But eqnedt32.exe is always loaded at the same location. pic.twitter.com/zFgmbByCEP
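A defender-side check for the point raised above, namely whether an EXE was linked with /dynamicbase and therefore opts in to ASLR: this is an added Python example, not code from the thread. It reads the PE optional header for the DYNAMIC_BASE and HIGH_ENTROPY_VA flags and the preferred ImageBase; the two header images it inspects are constructed inline (a 0x400000-based PE32 with and without the flag), and no real file is parsed.

```python
import struct

# DllCharacteristics bits from the PE specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def aslr_status(data: bytes) -> dict:
    """Report an image's preferred base and whether it opts in to ASLR."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:               # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:             # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for both
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def make_pe32_header(image_base: int, dll_chars: int) -> bytes:
    """Build a minimal constructed PE32 header (headers only, no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    # Machine=i386, 0 sections, SizeOfOptionalHeader=96, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)                                      # no data directories
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    legacy = make_pe32_header(0x400000, 0)   # built without /dynamicbase
    modern = make_pe32_header(0x400000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    for name, img in (("legacy", legacy), ("modern", modern)):
        print(name, aslr_status(img))
```

An image whose report shows dynamic_base False is exactly the case the thread discusses: mandatory ASLR can force-relocate it, but the entropy of the new base then depends on bottom-up ASLR being applied.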
My Windows knowledge is stale, but historically it would only be randomized across reboots. Without rebooting, it will always load at the same address. So technically that 0x10000 is randomized. Just it was only randomized once. The exe would load at 0x40000 without ASLR.
Except it's loaded at 0x10000 for every reboot. And on every machine. So not really randomized. Just different than the default.