Everything posted by regenpyp

  1. In the past month I did some research on the exploit mitigations present in Malwarebytes Anti-Exploit based on behavior and log analysis. Below you will find a list of my findings.

     NB: It is very likely that this list is incomplete due to undocumented mitigations.

     Generic mitigations:

     - DEP / ASLR
       Ensures that OS mitigations are enabled on protected processes.

     - Stack pivot mitigation
       Triggers when a critical function (like VirtualProtect) is being called from an address outside of the current stack boundaries. This address could have been pivoted into ESP to create a fake stack. Will often be the first mitigation to block exploits relying on memory corruption vulnerabilities used in the wild against web browsers / Flash Player.

     - Stack Execution Prevention
       Triggers when critical functions (like WinExec) are being called from executable memory on, for example, the stack or the heap. Prevents the execution of shellcode.

     - Caller check
       Triggers when certain functions / ROP gadgets want to return to 'unusual' parts of memory. Prevents the execution of certain critical functions from user-controlled memory.

     - TEB integrity check
       Triggers when an entry of the TEB has been overwritten with, for example, 0x7fffffff.

     - Heap spray mitigation
       Behavior witnessed: prevents allocation of heap chunks in multiple areas on the heap. Prevents jumps to large ranges of heap memory commonly used by exploits. Will also break a large amount of exploits present in Exploit Kits which would rely on memory leaks to bypass ASLR.

     - Java specific mitigations
       Triggers when an executable has been downloaded through Java and is being executed locally. Triggers when critical processes (like cmd.exe) are being executed. Prevents the execution of malicious code/commands through Java applets.

     All in all I am impressed by the capacity of MBAE to block exploits used in the wild. An exploit targeting Flash Player or Internet Explorer could for example be blocked by at least four/five different mitigations.

     Keep it going, pbust!

     Best regards,
     Regenpijp
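The post describes several mitigations that fire at the moment a critical API is called: the stack pivot check, stack execution prevention, the caller check and the TEB integrity check. The following C program is an added illustration of how such a check can be modelled as a decision over the state observed at the hooked call; it is not Malwarebytes code and makes no claim about how MBAE is implemented. All addresses, memory regions, the stack bounds and the 16 MiB "sane stack size" threshold are constructed sample values; on Windows the stack bounds would come from the TEB (StackLimit/StackBase) and the region attributes from VirtualQuery.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* All addresses and regions in this file are constructed sample values. */

typedef struct {
    uintptr_t start, end;   /* half-open range [start, end) */
    bool executable;        /* page protection allows execution */
    bool image;             /* backed by a loaded module (e.g. its .text) */
    const char *name;
} region_t;

typedef struct {
    uintptr_t stack_limit;  /* lowest valid stack address (TEB StackLimit) */
    uintptr_t stack_base;   /* one past the highest stack address (TEB StackBase) */
    const region_t *regions;
    size_t nregions;
} thread_ctx_t;

typedef struct {
    uintptr_t sp;       /* stack pointer observed on entry to the hooked API */
    uintptr_t caller;   /* return address, i.e. who called the API */
} call_event_t;

/* Bit flags, so one call can trip several mitigations at once. */
enum {
    V_ALLOW        = 0,
    V_TEB_TAMPER   = 1 << 0,  /* stack bounds in the TEB look overwritten */
    V_STACK_PIVOT  = 1 << 1,  /* sp outside [StackLimit, StackBase) */
    V_STACK_EXEC   = 1 << 2,  /* caller lives in executable non-image memory */
    V_CALLER_CHECK = 1 << 3,  /* caller not in an executable module section */
};

/* Assumption for this example: no legitimate thread stack exceeds 16 MiB. */
#define MAX_SANE_STACK ((uintptr_t)16 * 1024 * 1024)

static const region_t *find_region(const thread_ctx_t *c, uintptr_t addr) {
    for (size_t i = 0; i < c->nregions; i++)
        if (addr >= c->regions[i].start && addr < c->regions[i].end)
            return &c->regions[i];
    return NULL;
}

/* Evaluate the checks for one critical API call and return the set of flags. */
int check_critical_call(const thread_ctx_t *c, const call_event_t *e) {
    int v = V_ALLOW;

    /* TEB integrity first: if the stack bounds were widened (e.g. to 0x7fffffff),
       a pivoted stack would pass the range check below. */
    if (c->stack_limit >= c->stack_base ||
        c->stack_base - c->stack_limit > MAX_SANE_STACK)
        v |= V_TEB_TAMPER;

    /* Stack pivot: the stack pointer must lie inside the thread's real stack. */
    if (e->sp < c->stack_limit || e->sp >= c->stack_base)
        v |= V_STACK_PIVOT;

    /* Caller check / stack execution prevention: classify the return address. */
    const region_t *r = find_region(c, e->caller);
    if (r == NULL || !r->executable)
        v |= V_CALLER_CHECK;   /* unmapped or non-executable memory */
    else if (!r->image)
        v |= V_STACK_EXEC;     /* executable but not a module: stack/heap code */

    return v;
}

/* Constructed 32-bit style layout used by the scenarios below. */
static const region_t sample_regions[] = {
    { 0x00120000, 0x00130000, false, false, "stack" },
    { 0x00400000, 0x00500000, true,  true,  "app.exe .text" },
    { 0x00500000, 0x00520000, false, true,  "app.exe .data" },
    { 0x00600000, 0x00a00000, true,  false, "heap (made executable)" },
};

/* Scenarios: 0 legitimate call, 1 pivoted stack, 2 call from executable heap,
   3 return into .data, 4 TEB stack bounds overwritten. Returns -1 if unknown. */
int demo_verdict(int scenario) {
    thread_ctx_t ctx = { 0x00120000, 0x00130000, sample_regions,
                         sizeof sample_regions / sizeof sample_regions[0] };
    thread_ctx_t tampered = ctx;
    tampered.stack_base = 0x7fffffff;   /* the kind of overwrite the post mentions */

    switch (scenario) {
    case 0: return check_critical_call(&ctx,      &(call_event_t){ 0x0012f000, 0x00401234 });
    case 1: return check_critical_call(&ctx,      &(call_event_t){ 0x00700000, 0x00401234 });
    case 2: return check_critical_call(&ctx,      &(call_event_t){ 0x0012f000, 0x00601000 });
    case 3: return check_critical_call(&ctx,      &(call_event_t){ 0x0012f000, 0x00510000 });
    case 4: return check_critical_call(&tampered, &(call_event_t){ 0x00700000, 0x00401234 });
    default: return -1;
    }
}

int main(void) {
    for (int s = 0; s <= 4; s++)
        printf("scenario %d -> flags 0x%x\n", s, demo_verdict(s));
    return 0;
}
```

Scenario 4 is the reason the TEB check runs first: with StackBase overwritten to 0x7fffffff the pivoted stack pointer is inside the (bogus) bounds, so the pivot check alone stays silent and only the integrity check reports anything.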