EMET 5.1 + Windows 8.1 Disable ASLR? RRS feed

  • Question

  • I recently upgraded to windows 8.1 from windows 7. On win7 I used EMET to disable system ASLR so that I could work on binaries that react if they are modified. Now with windows 8.1 it seems that the setting inside EMET to disable system wide ASLR does nothing. Is there a workaround or another way to disable ASLR on 8.1?
    Tuesday, January 13, 2015 11:32 PM

All replies

  • I'm not sure if this can be disabled in Windows 8.1, but you might want to try a couple of things.  First verify the ASLR value from the command line using the "emet_conf --list_system" command to make sure it is as expected there too. 

    The registry setting EMET changes in Windows 8.1 for system-wide ASLR is the REG_QWORD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions.  The full description of this setting appears to be at the end of the paper http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf.

    The last three number in the value are for ASLR, SEHOP, and DEP respectively.  6=Disabled, 5=Enabled, 2=OptIn, 1=OptOut.  For example, it may look something like 0x00000022, which is unspecified for ASLR, and SEHOP and DEP set to OptIn.  Manually changing it to 0x00000622 will set ASLR to Disabled, and SEHOP and DEP will be OptIn.

    Another quirk in Windows 8 is that "Reboot" is typically the only clean way to power down+restart.  Doing a "Shut Down" caches a few things to disk I believe instead of the actions done with a full shut down in previous versions.

    Another avenue to try if Windows 8.1 can't disable ASLR system-wide would be to modify the binary's header value for Dynamic Base using mt.exe from Microsoft (takes a little bit of work) or another third party tool.  This SANS blog has information on that: http://digital-forensics.sans.org/blog/2014/02/17/malware-analysis-and-aslr-on-windows-8-1

    Thursday, January 15, 2015 4:40 PM
  • Modifying the binary is not possible. It does a checksum of its PE header. Even with all the values of MitigationOptions set to 6 for disabled, and processhacker reporting ASLR disabled, the address of programs are still being randomized. 
    Friday, January 16, 2015 5:38 AM
  • Just tried the windows 10 TP as well. Same results MitigationOptions has no effect.
    Friday, January 16, 2015 6:13 AM
  • Sorry I don't know if there is a way.

    There do appears to be other ASLR settings in the MitigationOptions registry value mentioned in the http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf paper, that could be looked at on a test computer without any other data on it that could be rebuilt if it breaks things.  I don't know if that would help or even if it would break the OS, so test at your own risk if you do.  For example 0x00666666 would disable the items documented in the paper.  I also don't know the purpose of the first two QWords, for example 0x66666666, or what the values 3, 4, and 7 would do.  Again, I don't know if that would help or if it would break the OS potentially and lose data.

    Friday, January 16, 2015 2:58 PM
  • Yes, I tried all the combinations, including filling everything with 6 and it showed no change. Also tried messing with the image file execution options and got no results. Its ridiculous that I cannot disable ASLR globally or for a single file without having to modify it.
    Friday, January 16, 2015 5:32 PM