Exploit prevention techniques
3 August 2023
ID 146656
Exploit prevention technique | Description |
---|---|
Data Execution Prevention (DEP) | Data execution prevention blocks execution of arbitrary code in protected areas of memory. |
Address Space Layout Randomization (ASLR) | Changes to the layout of data structures in the address space of the process. |
Structured Exception Handler Overwrite Protection (SEHOP) | Protection against replacement of exception records or replacement of the exception handler. |
Null Page Allocation | Prevention of redirecting the null pointer. |
LoadLibrary Network Call Check (Anti ROP) | Protection against loading DLLs from network paths. |
Executable Stack (Anti ROP) | Blocking of unauthorized execution of areas of the stack. |
Anti RET Check (Anti ROP) | Check that the CALL instruction is invoked safely. |
Anti Stack Pivoting (Anti ROP) | Protection against relocation of the ESP stack pointer to an executable address. |
Simple Export Address Table Access Monitor (EAT Access Monitor & EAT Access Monitor via Debug Register) | Protection of read access to the export address table for kernel32.dll, kernelbase.dll, and ntdll.dll. |
Heap Spray Allocation (Heapspray) | Protection against allocating memory to execute malicious code. |
Execution Flow Simulation (Anti Return Oriented Programming) | Detection of potentially dangerous chains of instructions (potential ROP gadgets) in the Windows API component. |
IntervalProfile Calling Monitor (Ancillary Function Driver Protection (AFDP)) | Protection against escalation of privileges through a vulnerability in the AFD driver (execution of arbitrary code in ring 0 through a QueryIntervalProfile call). |
Attack Surface Reduction (ASR) | Blocking the start of vulnerable add-ins via the protected process. |
Anti Process Hollowing (Hollowing) | Protection against creating and executing malicious copies of trusted processes. |
Anti AtomBombing (APC) | Protection against a global atom table exploit via Asynchronous Procedure Calls (APC). |
Anti CreateRemoteThread (RThreadLocal) | Another process has created a thread in the protected process. |
Anti CreateRemoteThread (RThreadRemote) | The protected process has created a thread in another process. |