Disabling Memory Protection for crash analysis



b0nd
08-29-2014, 01:24 PM
With the recent June-July 2014 M$ IE patches, things have changed a lot.
Fewer crashes, random stack traces, memory bogging & delayed crashes!

For analysis purposes, Memory Protection can be disabled in the following ways:

1.

In WinDbg, this can be done via the following command:

ed MSHTML!MemoryProtection::CMemoryProtector::tlsSlotForInstance 0xffffffff
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.U_9Lv0g5vdR

But it hasn't worked for me to date.

2.
Turn off Memory Protector through the registry (http://hitcon.org/2014/downloads/P2_01_Keen%20Team%20-%20New%20Exploit%20Mitigation%20In%20Internet%20Explorer.pdf)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE]
"iexplore.exe"=dword:00000000

You need to create the key FEATURE_MEMPROTECT_MODE. Within it, create a DWORD named iexplore.exe and set its value to 0 to disable MemProtection. Set it to 1 to enable it.
With it disabled, UAFs can be analysed the same way as they used to be before the recent mitigation techniques.
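
The registry procedure above, as an added PowerShell example (not code from the original post or from the linked slides). It creates the FEATURE_MEMPROTECT_MODE key if missing, writes the iexplore.exe DWORD, reads it back to confirm, and lets you restore the default before resuming a fuzzing run. The function names Set-IEMemProtect and Get-IEMemProtect are this example's own; the key path and value name are the ones given in the post.

```powershell
# Added example (not from the original post): toggle IE MemoryProtection through the
# FEATURE_MEMPROTECT_MODE feature-control value and read it back.
# Run from an elevated PowerShell. iexplore.exe must be restarted for a change to apply.
# Set-IEMemProtect / Get-IEMemProtect are names chosen for this example only.

$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE'
$ValueName  = 'iexplore.exe'

function Set-IEMemProtect {
    param([Parameter(Mandatory)][bool]$Enabled)

    # Create the FEATURE_MEMPROTECT_MODE key if it does not exist yet
    if (-not (Test-Path $FeatureKey)) {
        New-Item -Path $FeatureKey -Force | Out-Null
    }

    # 0 = MemoryProtection disabled (crash analysis), 1 = enabled (default behaviour)
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $FeatureKey -Name $ValueName -PropertyType DWord `
                     -Value $value -Force | Out-Null

    # Verify the write; IE only reads this value when it starts
    $current = (Get-ItemProperty -Path $FeatureKey -Name $ValueName).$ValueName
    if ($current -ne $value) {
        throw "Failed to set $ValueName under $FeatureKey (read back $current)"
    }
    Write-Host "MemoryProtection for iexplore.exe set to $current (restart IE to apply)"
}

function Get-IEMemProtect {
    # Returns $null when no override is present: IE then uses its built-in default (enabled)
    if (-not (Test-Path $FeatureKey)) { return $null }
    (Get-ItemProperty -Path $FeatureKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Remove-IEMemProtectOverride {
    # Drop the override entirely so IE falls back to its default instead of an explicit 1
    if (Test-Path $FeatureKey) {
        Remove-ItemProperty -Path $FeatureKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

# Usage:
#   Set-IEMemProtect -Enabled $false     # disable for UAF crash analysis
#   Get-IEMemProtect                      # 0
#   Set-IEMemProtect -Enabled $true      # explicitly enable again
#   Remove-IEMemProtectOverride          # back to IE's default
```

Two things the post does not spell out: a running iexplore.exe keeps whatever setting it started with, so kill and relaunch the browser after each change, and on 64-bit Windows the registry redirection for 32-bit processes means the same path under HKLM:\SOFTWARE\Wow6432Node\... may be the one a 32-bit tab process actually reads; check both views if the change does not seem to take effect.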

b0nd
10-16-2014, 06:05 AM
Mind it: a user could think of disabling MemProtect while fuzzing, but in my experience, I've seen some crashes that occur only in the default condition, i.e. when the value is set to '1'.

41.w4r10r
02-23-2015, 04:39 PM
Once you get a crash after disabling memory protection, you can follow this blog and try to make the crash stable:

http://k33nteam.org/blog-4-use-after-free-not-dead-in-internet-explorer-part-1.htm
