Some people asked me for a simple way to check shell extensions for their ASLR support. You can do this with Process Explorer.
Start Process Explorer and set the lower pane to display DLLs. Select the explorer.exe process and add the ASLR column to the lower pane view. Then sort on the ASLR column.
You will see this:

Notice that on a default Windows 7 32-bit install, all DLLs (with code) support ASLR. The n/a is for resource DLLs: they don’t contain code, so ASLR doesn’t apply to them.
Now open an Explorer window and right-click a file, like this:

This action will load the context menu shell extensions.
Take a look at Process Explorer:

Now you see the shell extensions without ASLR support.
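The same check can be made on the DLL files themselves. This is an added example, not part of the original post: a DLL opts in to ASLR through the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in its PE header, and the script reads that flag. The function names and the sample-building helper are hypothetical, and treating a DLL with no executable section as "n/a" is an assumption made to approximate the resource-DLL case above.

```python
import struct

DYNAMIC_BASE = 0x0040         # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE

def aslr_status(data):
    """Classify the bytes of a PE file as 'ASLR', 'no ASLR' or 'n/a'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]         # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24                                        # optional header start
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    table = opt + opt_size                               # section table
    flags = [struct.unpack_from("<I", data, table + 40 * i + 36)[0]
             for i in range(nsect)]
    # Assumption: a DLL with no executable section is a resource DLL.
    if not any(f & SCN_MEM_EXECUTE for f in flags):
        return "n/a"
    return "ASLR" if dll_chars & DYNAMIC_BASE else "no ASLR"

def build_sample_pe(dll_chars, section_flags):
    """Constructed minimal PE32 headers, for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags),
                       0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    sections = b"".join(b"\0" * 36 + struct.pack("<I", f)
                        for f in section_flags)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                            # DLL paths to check
        with open(path, "rb") as fh:
            print(path, aslr_status(fh.read()))
```

Run it with the paths of the shell extension DLLs that Process Explorer lists in the lower pane.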
Quickpost info
Full story: Didier Stevens
Posted on 19 January 2011. Tags: ASLR, Checking, Quickpost