A new security bug has been discovered on Windows 8 and above which makes ASLR useless. The bug was discovered by a security researcher named Will Dormann. He explained the issue in a detailed post on CERT:

How to Enable or Disable Windows Security in Windows 10 The Windows Security app is a client interface on Windows 10 version 1703 and later that makes it is easier for you to view and control the security protections you choose and better understand the security features already protecting you on your Windows 10 device. Windows 10, version 1607 Windows Server 2016 Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. In Windows 10, ASLR works just fine on programs that have opted in. That includes Office 2013 and Office 2016, every program in the Adobe Creative Cloud suite, modern browsers like Chrome. This tutorial covers how to disable ASLR in your debugging VM to speed up your debugging when using x64dbg and IDA Pro.We have a short blog post here: https.

Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. Chris young i%27m comin over free download. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.

For those who don’t know, Microsoft first implemented ASLR (Address Space Layout Randomization) in Windows Vista that helps prevent code-reuse attacks. ASLR uses a random memory address to execute code, but in Windows 8, Windows 8.1 and Windows 10 the feature is not always applied properly. In Windows 8, 8.1 and Windows 10, ASLR is not using random memory addresses, essentially rendering it useless.

Disable Aslr Windows 10

Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME.
Conclusion: Win10 cannot be enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

— Will Dormann (@wdormann) November 15, 2017

The good thing though is, Will shared a manual Registry Edit to fix the issue. For this, you need to do the following.

• Create a text file with the following:Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Managerkernel]
  “MitigationOptions”=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
• Save the file with Registry extension (.reg)
• Open Registry Editor by typing “regedit” in the Start Menu
• Select File>Import and choose the .reg file you just created.

How To Disable Aslr Windows 10

This should be able to fix the issue until Microsoft sends an update to fix it completely.

Disable Aslr Windows 10 64-bit

Via: Bit-tech