10 comments on “Bypassing Microsoft Windows ASLR with a little help by MS-Help

  1. How exactly did you scan all your Dlls to find the non-ASLR ones ? Do ou have a script for this ? It could be usefull :)


  2. Hi Max, I created a tool in C to check the file headers for IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE value. I thought using a simple exe tool keeping a low footprint on the machine than installing Perl or Python. Here in an example of the steps I took

    1. List out all dll files on system to a file
    >dir c:\*.dll /b /s >dll_win7sp1.txt

    2. Check which dll files are non ASLRed and output to file
    >aslrchk.exe -l dll_win7sp1.txt 1 >dll_win7sp1_nonaslr.txt

    3. Check which non ALSR files have clsid string in them
    >findstr /i /m /c:”clsid =” /f:dll_win7sp1_nonaslr.txt >clsids.txt

    You can download the tool from here http://www.greyhathacker.net/tools/aslrchk.exe
    md5hash – 65328200dc0bd19d4fbbb77bf57beb97

  3. Hi Flx, that is a good question and I do not know, the JavaScript error does give “Permission denied” yet the library still gets loaded

  4. i tested it on win7 with office 2010 and the dll is aslr-compiled. maybe you’re using some old office version?

  5. Hi Haxor, this is an MSDN version I used, I cant say if its an old version, anyway to verify? Maybe its the different favours of Office, I got two machines with Office installed here, one “Microsoft Office Professional Plus 2010″ and another “Microsoft Office Standard 2010″ fully up-to-date with the hxds.dll library non-aslred

  6. Hi Eric, thanks for the info, I need to get hold of Windows 7 64bit OS but after checking one 64bit machine it seems the library hxds.dll is alsred as you pointed out, thanks

  7. I haven’t used EMET before. Am I right in assuming that EMET complements standard anti-virus s/w on a user PC? If so, are you aware of any anti-virus suites that already provide this feature?

  8. Hi Roshan, yes you are right in assuming EMET compliments av software. Some of the av products I know of and come across do have some added mitigation like buffer overflow protection, built in IPS, etc but nothing with all the features that EMET has so I would highly recommend install EMET have a look, after all it is free :-)

Leave a Reply

Your email address will not be published. Required fields are marked *

× 5 = forty five

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>