Thursday, 22 August 2013

ASLR and NX-bit in modern Windows?


How is NX-bit protection turned off when the attacker gains control over
the instruction pointer in Windows on x86-64, protected with both NX-bit
and ASLR? I'm assuming that the system call to disable this feature is
simply at a non-ASLRed address, and can be called directly?
It seems that heap spraying is frequently used to exploit modern Windows
machines (e.g. with bugs in JavaScript implementations). Obviously this
entails an executable heap, so how is the heap made executable prior to
the heap spray? Is there some paper that clearly shows how this is done,
on Windows?
