Comments on: Quickpost: Another Funny Vista Trick with ASLR

By: Luciano Aibar

Luciano Aibar — Mon, 21 Apr 2008 07:23:59 +0000

Disabling ASLR is good for debugging, let’s say debugging windows DLLs (for ex. cracking).

I would suggest to create a simple DOS program that changes the bit.. let’s say “no_aslr.exe”
Boot from a USB Pen Drive with NTFS4DOS 1.9 Personal (it’s free and allows u read/write NTFS part.)
Use “no_aslr.exe file.dll” with any file.
Modifying files while in DOS do not affect the security permissions.

By: KJK::Hyperion

KJK::Hyperion — Thu, 29 Nov 2007 10:22:03 +0000

I’m sorry, I had a bad day.

By: Didier Stevens

Didier Stevens — Tue, 27 Nov 2007 08:58:43 +0000

Is this part of your therapy?

By: KJK::Hyperion

KJK::Hyperion — Mon, 26 Nov 2007 13:38:18 +0000

>I didn’t think it would, because you’re only touching the PE Header, which is not protected by the Authenticode signature.

That’s the most retarded thing I read in a long time. Of course the signature covers the header, moron. Hey, what do I know, the PE header “only” contains such irrelevant, purely advisory fields as the entry point offset, and it would take all of 10 minutes to check that flipping the DLL characteristics bit does indeed invalidate the signature anyway. BUT WHAT THE BLEEP DO I KNOW, I’m not a card-carrying IT Security Professional !

The sheer stupidity of certain statements just jumps at your face, screaming

By: Juanillo

Juanillo — Sun, 25 Nov 2007 14:58:39 +0000

Hi didier.
Yoy have an excelent blog!
Any executable can decide to participate in ASLR by setting bit 0×40 in the field DLL CHARACTERISTICS. You have a document write by the symantec team submitted in the blackhat 2007.
The thing is that any user with admin privileges, can disable this feature, making it easier an attack code execution for the executable.
Its a funny trick!!

http://www.blackhat.com/presentations/bh-dc-07/Whitehouse/Paper/bh-dc-07-Whitehouse-WP.pdf

Sorry for my English…. Spanglish its better for me….
regards