[OWASP-Delhi] Thread closed: How to implement ASLR & DEP in C# thick client applications?

Vinil Menon vinilm at yahoo.com
Tue Jul 7 11:28:08 UTC 2015


Glad to have helped. Well, Code caves may not work - but if the app is not Authenticoded/signed - then you can always ildasm, inject your custom code, ilasm, update the modified app in the MSI tables and then ship the app. In fact, you can take it a step further and sign the code with a misspelt domain as well such as Miicrosoft :P

      From: sanjay kumar <sanjay1519841 at gmail.com>
 To: Vinil Menon <vinilm at yahoo.com> 
Cc: Dhruv Soi <dhruv.soi at owasp.org>; owasp-delhi <owasp-delhi at lists.owasp.org> 
 Sent: Tuesday, July 7, 2015 11:06 AM
 Subject: Thread closed: How to implement ASLR & DEP in C# thick client applications?
   
Thanks Vinil,
I got my answer & want to close this thread as C# applications cannot be tampered by code cave injection technique as mentioned in below refrence link:
http://home.inf.fh-rhein-sieg.de/~ikarim2s/how2injectcode/code_inject.html 


C# Winform application running on CLR has DEP and ASLR enabled by default.

Thanks everyone!









C#On Tuesday, July 7, 2015, Vinil Menon <vinilm at yahoo.com> wrote:
.NET since 2.0 has DEP on (via NXCOMPAT). And since the code is JIT, you don't need to worry about ASLR either. 

So in short - a C# Winform application running on CLR has DEP and ASLR enabled by default. 

 
From: sanjay kumar <sanjay1519841 at gmail.com>
 To: Dhruv Soi <dhruv.soi at owasp.org> 
Cc: owasp-delhi <owasp-delhi at lists.owasp.org> 
 Sent: Monday, July 6, 2015 12:05 PM
 Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
   
Thanks Dhruv,
But the question is for c#, I dint find such specific result for tht. 



On Sunday, July 5, 2015, Dhruv Soi <dhruv.soi at owasp.org> wrote:

http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications

http://www.lmgtfy.com/?q=aslr+c%23

On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com> wrote:
> Hi,
>
> Does anyone knows how to implement ASLR (Address Space Layout
> Randomization), DEP (Data Execution Prevention) in thick client application
> based on C#?
>
> If it cannot be implement then what is the risk in applications which
> developed in C#?
>
> Regards,
>
> Sanjay Kumar
>
>
>
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> Twitter: https://twitter.com/OWASPdelhi


_______________________________________________
OWASP-Delhi mailing list
OWASP-Delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
LinkedIn Group: https://www.linkedin.com/groups?gid=89270
Twitter: https://twitter.com/OWASPdelhi

   


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-delhi/attachments/20150707/40b89d32/attachment.html>


More information about the OWASP-Delhi mailing list