Jump to content

Recommended Posts

Is MBAE still able to achieve enforcement of bottom-up ASLR for Google Chrome?  In other words, does bottom-up ASLR enforcement not require dll injection?

Edited by hake
Link to post
Share on other sites

Thank you AndrewPP.  I have read that.

I note that Windows 10 imposes a default of 'enabled' for Bottom-up ASLR. I guess that this permissible by the developers of Google Chrome and so I guess that no dll injection is entailed. Windows 7 apparently does not impose such a default of 'enabled' for Bottom-up ASLR and so I am hoping that MBAE would be able to do this, notwithstanding the Google Chrome ban on dll injections into Google Chrome.

Link to post
Share on other sites

I don't know if this is of any help to you or not, but I'm using SRWare Iron (a Chromium based browser like Google Chrome) and added it as a custom shielded application using the 'Web Browser' preset, and at least based on a cursory examination of the chrome.exe processes it creates, mbae64.dll is loaded into its processes.  I suspect this works because SRWare has not implemented the same policy of restricting third party DLLs from loading into its processes as Google has for Chrome.  I assume this means that it will benefit from the same level of protection provided to other browsers, and formerly provided to Google Chrome before the change was made by Google to prevent DLLs from being injected into their browser's processes, though we would likely need confirmation from a member of the Malwarebytes staff to know for certain.

Link to post
Share on other sites

Thank you exile360 for your trouble and interest.  I have been trying to get my head round the uncertainty of the operation of ASLR with Windows 8, 8.1 and 10.  I think that the issue is centred round the difficulty of forcing ASLR for unsupported (old) applications.  There is no authoritative opinion on this subject and many comments on the web are dated around the end of 2017.  The really strange thing is that Windows 7 is exempt from the issues.  I use EMET 5.52 to enable bottom up ASLR for as many running processes in Windows 7 as I can without any adverse effects.

Google Chrome 76 accepts injection of EMET 5.52's emet64.dll.  I can thus assure myself of adequate ASLR entropy for Google Chrome in Windows 7.

Edited by hake
Link to post
Share on other sites

  • 1 month later...

It appears that to enable bottom-up ASLR for MBAE protected Google Chrome in Windows 7, it is necessary to install EMET.  Version 5.52 specifically enables system-wide ASLR which automatically enables system-wide bottom-up ASLR.  In other words  EMET creates the settings which produce the system-wide ASLR effects.  No applications need to be individually protected by EMET so I guess that MBAE protected applications are unaffected.  Process Explorer shows no results in the search for handles for emet64.dll.  There is no protest by MBAE.

My references are: -
1. EMET 5.52 User Guide
2. Clarifying the behavior of mandatory ASLR - Microsoft Security Response Center

EMET_system-wide_settings.jpg

Edited by hake
Link to post
Share on other sites

39 minutes ago, hake said:

It appears that to enable bottom-up ASLR for MBAE protected Google Chrome in Windows 7, it is necessary to install EMET.  Version 5.52 specifically enables system-wide ASLR which automatically enables system-wide bottom-up ASLR.  In other words  EMET creates the settings which produce the system-wide ASLR effects.  No applications need to be individually protected by EMET so I guess that MBAE protected applications are unaffected.  Process Explorer shows no results in the search for handles for emet64.dll.  There is no protest by MBAE.

I have no available method at my disposal of inspecting process base addresses to see confirmation that my suppositions are correct.  This is the first time that I have wanted to do this.

My references are: -
1. EMET 5.52 User Guide
2. Clarifying the behavior of mandatory ASLR - Microsoft Security Response Center

To ensure that Windows 8, 8.1 and 10 have bottom-up ASLR enabled, see the following link: -
Windows 8 and Later Fail to Properly Apply ASLR. Here's How to Fix.

39 minutes ago, hake said:

EMET_system-wide_settings.jpg

 

Edited by hake
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.