Ah, it does have a .reloc section (from dumpbin). I didn't expect a .exe from 2000 to have that. My apologies. ASLR will work.
Replying to @0xdabbad00 @markwo
What's confusing to me is why despite having a relocation section, system-wide ASLR does *NOT* randomize the loaded address. It's loaded at 0x10000 every time for me, even if mandatory ASLR is enabled system-wide using either EMET or WDEG.
@epakskape
2 replies 1 retweet 2 likes -
The entropy for force relocated images comes from bottom-up ASLR which is only enabled by default if the EXE was built with /dynamicbase. Try turning on bottom-up ASLR as well.
1 reply 0 retweets 2 likes -
Thanks. I'm pretty sure that Bottom-up ASLR is enabled along with Mandatory ASLR. But eqnedt32.exe is always loaded at the same location. pic.twitter.com/zFgmbByCEP
1 reply 0 retweets 0 likes -
I believe "on by default" means "use the default system policy" which means bottom-up ASLR will only be enabled if the EXE was linked with /dynamicbase (which this one does not, I believe). Sound right, @markwo?
3 replies 0 retweets 1 like -
Yeah, that's right. I was seeing what Will describes last night until I enabled bottom-up ASLR for this process in Exploit Guard
1 reply 0 retweets 0 likes -
Is there any way to enable Bottom-up ASLR on a system-wide basis? If not, then it would seem that Mandatory ASLR only really adds protection for apps that opt in. Which seems sort of non-Mandatory to me...
1 reply 0 retweets 3 likes -
It is possible to enable bottom-up ASLR system-wide, but I'm not sure if it can be done via the WDEG UI, @markwo might know. Agree with your feedback here. I passed it on to the team.
1 reply 0 retweets 2 likes -
Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ
4 replies 60 retweets 100 likes -
Replying to @wdormann @epakskape and
Patch by @BleepinComputer breaks #PhpStorm (maybe other products of #JetBrains and any #Java application too) on #Windows (Windows 8.1, x64)
1 reply 0 retweets 0 likes
I don't see any problems with Java applications in general when mandatory ASLR is enabled. PhpStorm in particular appears to be written in a way that is not compatible with the ASLR exploit mitigation, though.
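
Added example, not part of the thread: a PE header check that separates the three cases the discussion turns on, namely an EXE linked with /dynamicbase, one that only carries relocations (the eqnedt32.exe case, which mandatory ASLR can rebase but whose entropy, per the thread, depends on bottom-up ASLR), and one with relocations stripped. The function names, status labels and sample headers are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /dynamicbase linker option
RELOC_DIR_INDEX = 5                             # base relocation data directory

def aslr_status(image: bytes) -> str:
    """Classify a PE image's ASLR posture from its headers alone."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", image, pe + 22)[0]
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # data directory table
    count = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if count > RELOC_DIR_INDEX:
        reloc_size = struct.unpack_from("<II", image, dirs + 8 * RELOC_DIR_INDEX)[1]
    has_relocs = not characteristics & IMAGE_FILE_RELOCS_STRIPPED and reloc_size > 0
    if dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "opted-in"            # linked with /dynamicbase
    if has_relocs:
        return "force-relocatable"   # mandatory ASLR can rebase; check bottom-up ASLR too
    return "not-relocatable"         # no relocation data, image cannot be rebased

def sample_pe32(dll_chars: int, reloc_size: int, coff_chars: int = 0x0102) -> bytes:
    """Constructed minimal PE32 headers (not a real executable) for the demo."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RELOC_DIR_INDEX, 0x5000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for flags, size in ((0x0040, 0x200), (0, 0x200), (0, 0)):
        print(hex(flags), size, aslr_status(sample_pe32(flags, size)))
```

On a real file, pass the first few kilobytes of the EXE to aslr_status(); a "force-relocatable" result is the case where the per-process bottom-up ASLR setting should be checked as well.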