Monday, November 18, 2013

ASLR Woes for Malware Analysts using Windows 7

If you have moved from XP to Windows 7 for your malware analysis, you may have noticed that the virtual addresses shown in IDA Pro no longer match the ones you see in OllyDbg or another debugger. This is because Windows 7 ships with Address Space Layout Randomization (ASLR) enabled, so an image that opts in is loaded at a randomized base rather than the preferred ImageBase that IDA uses when it loads the file from disk.

We can use Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to easily toggle ASLR on and off with a reboot. This way you don't have to make any manual registry changes, and you can also control DEP, SEHOP and Certificate Trust (pinning) if you need to.

You can download EMET 4.1 here: http://www.microsoft.com/en-us/download/details.aspx?id=41138


To disable ASLR:

In EMET's system settings, simply select the drop-down next to ASLR and choose the disable option. You will need to reboot after that for the change to take effect.
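Before rebooting with ASLR off, it is worth checking whether the sample actually opts in to ASLR (the DYNAMIC_BASE flag in the PE optional header), since an image without that flag is not randomized on Windows 7 and the mismatch has another cause. The following is an added example, not code from the original post: it reads the preferred ImageBase and the DYNAMIC_BASE flag from a PE header and translates an IDA address to the base the debugger reports; the header bytes and the runtime base 0x00F70000 are constructed for the demo.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /DYNAMICBASE linker option
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_aslr_info(data: bytes) -> dict:
    """Parse just enough of a PE header to report the preferred ImageBase
    (what IDA uses when loading from disk) and whether the image opts in
    to ASLR via DYNAMIC_BASE. Works for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"image_base": image_base,
            "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def rebase(addr: int, ida_base: int, runtime_base: int) -> int:
    """Translate an address from IDA's preferred base to the debugger's runtime base."""
    return addr - ida_base + runtime_base


def build_sample_pe(image_base: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary) used only for this demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = b"PE\0\0" + bytes(20)                       # COFF header left zeroed
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos + coff + opt)


if __name__ == "__main__":
    sample = build_sample_pe(0x00400000, 0x0140)       # DYNAMIC_BASE | NX_COMPAT
    info = pe_aslr_info(sample)
    print("ImageBase 0x%08x, ASLR opt-in: %s" % (info["image_base"], info["aslr_opt_in"]))
    # Address seen in IDA vs. the base the debugger reported for this run (constructed)
    print("0x%08x" % rebase(0x00401234, info["image_base"], 0x00F70000))  # 0x00f71234
```

The same translation can be applied to the whole database from IDA's Edit > Segments > Rebase program, which avoids disabling ASLR system-wide at all.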
