Thread: Disabling Memory Protection for crash analysis

  1. #1
    b0nd

    Disabling Memory Protection for crash analysis

    With the recent June-July 2014 M$ IE patches, things have changed a lot.
    Fewer crashes, random stack traces, memory bogging & delay in crash!

    For analysis purposes, Memory Protection can be disabled in the following ways:

    1.
    In WinDbg, this can be done via the following command:

    ed MSHTML!MemoryProtection::CMemoryProtector::tlsSlotForInstance 0xffffffff
    http://h30499.www3.hp.com/t5/HP-Secu...4#.U_9Lv0g5vdR

    But, it hasn't worked for me till date.

    2.
    Turn off Memory Protector through registry (http://hitcon.org/2014/downloads/P2_...20Explorer.pdf)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE]
    "iexplore.exe"=dword:00000000

    You need to create the key FEATURE_MEMPROTECT_MODE. Within it, create a DWORD named iexplore.exe and set its value to 0 to disable MemProtection. Set it to 1 to enable it.
    With it disabled, UAFs can be analysed the same way as they used to be before the recent mitigation techniques.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  2. #2
    b0nd
    Mind you, a user could think of disabling MemProtect while fuzzing, but in my experience I've seen some crashes occurring only in the default condition, i.e. when the value is set to '1'.
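A helper for reading the setting back and restoring it, added here as an example and not posted by anyone in the thread: it reports the FEATURE_MEMPROTECT_MODE state for iexplore.exe so it can be logged with each crash (some crashes reportedly reproduce only with the value at 1) and returns an analysis VM to 1 afterwards. The function names and the WOW6432Node path are assumptions; only the HKLM path and the 0/1 values come from the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt (HKLM writes).
# First path is the one given in the post; the WOW6432Node path is an assumption
# (registry view read by 32-bit IE on 64-bit Windows).
$MemProtectKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE'
)
$ValueName = 'iexplore.exe'

function Get-MemProtectState {
    foreach ($key in $MemProtectKeys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            # A missing value yields $null instead of an error
            $value = (Get-ItemProperty -LiteralPath $key -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
        }
        $state = if ($null -eq $value) { 'NotSet' }
        elseif ($value -eq 0) { 'Disabled' }
        elseif ($value -eq 1) { 'Enabled' }
        else { "Unrecognised ($value)" }
        [pscustomobject]@{ Key = $key; Value = $value; State = $state }
    }
}

function Set-MemProtectState {
    param([Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value)
    foreach ($key in $MemProtectKeys) {
        # Skip registry views that do not exist on this OS (e.g. 32-bit Windows)
        if (-not (Test-Path -LiteralPath (Split-Path -Path $key -Parent))) { continue }
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    Get-MemProtectState   # return the resulting state so it can be logged
}

# Typical use on an analysis VM:
#   Get-MemProtectState | Format-Table -AutoSize   # record with each crash dump
#   Set-MemProtectState -Value 1                   # restore the default when done
```

Restart Internet Explorer after changing the value so that a new process reads it.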

  3. #3
    41.w4r10r
    Once you get a crash after disabling memory protect, you can follow this blog and try to make the crash stable:

    http://k33nteam.org/blog-4-use-after...rer-part-1.htm
