engaged_palladium_6461553e
conti_sample | 94bdec109405050d31c2748fe3db32a357f554a441e0eae0af015e8b6461553e
53.25 KB
PE Executable
DynamicBase
Address Space Layout Randomization
Address Space Layout Randomization (ASLR) randomizes the memory locations used by system executables and DLLs, making it more difficult for attackers to predict target addresses.
Enabled
Data Execution Prevention
Data Execution Prevention (DEP) prevents code execution from data pages, making buffer overflow attacks more difficult by marking memory regions as non-executable.
Disabled
Control Flow Guard
Control Flow Guard (CFG) is a Microsoft security feature that helps prevent memory corruption vulnerabilities by checking that indirect calls only target valid destinations.
Disabled
Return Flow Guard (RFG)
Ensures return addresses resolve to valid destinations, defeating ROP gadgets that pivot via RET.
Disabled
Stack Buffer Security Check
Stack Buffer Security Check (GS) provides protection against stack-based buffer overflows by placing a security cookie on the stack that is verified before a function returns.
Disabled
Structured Exception Handler Overwrite Protection
Structured Exception Handler (SEH) Overwrite Protection prevents the exploitation of exception handlers by verifying they are registered properly before they are called.
Disabled
Safe Exception Handlers (SafeSEH)
Restricts exception handler pointers to a linker-verified table, blocking many SEH-overwrite exploits on 32-bit images.
Disabled
High Entropy ASLR
High Entropy ASLR increases the randomization space of 64-bit processes, making it substantially more difficult for attackers to predict memory addresses.
Enabled
Dynamic Base
Allows the Windows loader to relocate the image to a random base address at every launch instead of loading it at its preferred base address.
Disabled
Authenticode Signature
A Microsoft PKI signature that allows the OS to verify the publisher's identity and that the binary has not been tampered with.