Didier Stevens

Tuesday 20 November 2007

Quickpost: Another Funny Vista Trick with ASLR

Filed under: Hacking,Quickpost — Didier Stevens @ 8:06

Dave Maynor’s Vista ASLR tricks post got me thinking. And today, after some inspiring presentations at TechEd last week, I took the time to do some testing. Set the appropriate bit (0x4000) in the DLL Characteristics field of the PE header, and you turn on ASLR for your program of choice. So clearing the bit will disable ASLR, but will Windows File Protection prevent you from changing the program? I didn’t think it would, because you’re only touching the PE Header, which is not protected by the Authenticode signature.

Turns out it does work: you can disable ASLR for a given program, like Internet Explorer. And WFP will not restore the file. But for another reason than I thought: with Vista, WFP is actually called Windows Resource Protection. And it works differently: files are protected by Security Descriptors, and are not replaced automatically when deleted or modified. So the neat trick of deleting a system-file in Windows XP (like utilman.exe) only to see it reappear a couple of seconds later, doesn’t work anymore with Vista. Change the Security Descriptor of the file in Vista (taking ownership and giving you delete rights), delete the file, and it’s gone. No more resurrection.

If you want to play with the ASLR toggle, you can use stud_pe to edit the PE Header and Process Explorer to test it.

So why would you disable ASLR? I don’t know, I just think it’s a funny trick 😉 . But maybe you got an idea? Let me know, post a comment.

Quickpost info

Blog at WordPress.com.