conti_sample
94bdec109405050d31c2748fe3db32a357f554a441e0eae0af015e8b6461553e
| Analysis Signal | Status | Details |
|---|---|---|
| Address Space Layout Randomization | DynamicBase | Address Space Layout Randomization (ASLR) randomizes the memory locations used by system executables and DLLs, making it more difficult for attackers to predict target addresses. |
| Data Execution Prevention | Enabled | Data Execution Prevention (DEP) prevents code execution from data pages, making buffer overflow attacks more difficult by marking memory regions as non-executable. |
| Control Flow Guard | Disabled | Control Flow Guard (CFG) is a Microsoft security feature that helps prevent memory corruption vulnerabilities by checking that indirect calls only target valid destinations. |
| Return Flow Guard (RFG) | Disabled | Ensures return addresses resolve to valid destinations, defeating ROP gadgets that pivot via RET. |
| Stack Buffer Security Check | Disabled | Stack Buffer Security Check (GS) provides protection against stack-based buffer overflows by placing a security cookie on the stack that is verified before a function returns. |
| Structured Exception Handler Overwrite Protection | Disabled | Structured Exception Handler (SEH) Overwrite Protection prevents the exploitation of exception handlers by verifying they are registered properly before they are called. |
| Safe Exception Handlers (SafeSEH) | Disabled | Restricts exception handler pointers to a linker-verified table, blocking many SEH-overwrite exploits on 32-bit images. |
| High Entropy ASLR | Disabled | High Entropy ASLR increases the randomization space of 64-bit processes, making it substantially more difficult for attackers to predict memory addresses. |
| Dynamic Base | Enabled | Allows the Windows loader to relocate the image to a random base address at every launch instead of loading it at its preferred RVA. |
| Authenticode Signature | Disabled | A Microsoft PKI signature that allows the OS to verify publisher identity and tamper-proof the binary. |
| Force Integrity | Disabled | Prevents the loader from starting the file if the Authenticode signature is missing or invalid, stopping unsigned patching attacks. |
| Manifest Isolation | Enabled | Embeds a manifest that isolates the app from side-by-side DLL hijacking, favouring strong-named versioned assemblies. |
| CLR (.NET) | Native | Indicates whether the binary is a managed .NET assembly; this changes the exploit surface (JIT, GC, etc.). |