Exploit prevention techniques

| Exploit prevention technique | Description |
|---|---|
| Data Execution Prevention (DEP) | Data execution prevention blocks execution of arbitrary code in protected areas of memory. |
| Address Space Layout Randomization (ASLR) | Changes to the layout of data structures in the address space of the process. |
| Structured Exception Handler Overwrite Protection (SEHOP) | Replacement of exception records or replacement of the exception handler. |
| Null Page Allocation | Prevention of redirecting the null pointer. |
| LoadLibrary Network Call Check (Anti ROP) | Protection against loading DLLs from network paths. |
| Executable Stack (Anti ROP) | Blocking of unauthorized execution of areas of the stack. |
| Anti RET Check (Anti ROP) | Check that the CALL instruction is invoked safely. |
| Anti Stack Pivoting (Anti ROP) | Protection against relocation of the ESP stack pointer to an executable address. |
| Simple Export Address Table Access Monitor (EAT Access Monitor & EAT Access Monitor via Debug Register) | Protection of read access to the export address table for kernel32.dll, kernelbase.dll, and ntdll.dll. |
| Heap Spray Allocation (Heapspray) | Protection against allocating memory to execute malicious code. |
| Execution Flow Simulation (Anti Return Oriented Programming) | Detection of potentially dangerous chains of instructions (potential ROP gadgets) in the Windows API component. |
| IntervalProfile Calling Monitor (Ancillary Function Driver Protection (AFDP)) | Protection against escalation of privileges through a vulnerability in the AFD driver (execution of arbitrary code in ring 0 through a QueryIntervalProfile call). |
| Attack Surface Reduction (ASR) | Blocking the start of vulnerable add-ins via the protected process. |
| Anti Process Hollowing (Hollowing) | Protection against creating and executing malicious copies of trusted processes. |
| Anti AtomBombing (APC) | Global atom table exploit via Asynchronous Procedure Calls (APC). |
| Anti CreateRemoteThread (RThreadLocal) | Another process has created a thread in the protected process. |
| Anti CreateRemoteThread (RThreadRemote) | The protected process has created a thread in another process. |
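The first three techniques in the table (DEP, ASLR, SEHOP) have OS-level counterparts that Windows enforces per process, and a defender verifying a protected application usually wants to confirm those baseline mitigations are on as well. The following PowerShell snippet is an added example and is not part of the original page or of the product it describes; it uses the built-in `Get-ProcessMitigation` cmdlet from the `ProcessMitigations` module (Windows 10 / Server 2016 and later). The executable names are placeholders, and the assumption that each mitigation is reported through the `Dep`, `Aslr` and `SEHOP` property groups reflects the cmdlet's documented output.

```powershell
# Added example: report whether DEP, ASLR and SEHOP are enforced for a set of
# executables, so gaps can be reviewed before relying on higher-level
# exploit prevention. Names below are placeholders; replace with your own.
$Targets = @('notepad.exe', 'winword.exe')

foreach ($Exe in $Targets) {
    # Per-image policy; falls back to system defaults where a value is NOTSET.
    $m = Get-ProcessMitigation -Name $Exe -ErrorAction SilentlyContinue
    if (-not $m) {
        Write-Output ("{0,-14} no policy object returned" -f $Exe)
        continue
    }

    # Each property reports ON, OFF or NOTSET (NOTSET means inherit from -System).
    $report = [PSCustomObject]@{
        Image                = $Exe
        DEP                  = $m.Dep.Enable
        ASLR_BottomUp        = $m.Aslr.BottomUp
        ASLR_ForceRelocate   = $m.Aslr.ForceRelocateImages
        ASLR_HighEntropy     = $m.Aslr.HighEntropy
        SEHOP                = $m.SEHOP.Enable
    }
    $report | Format-List

    # Flag explicit opt-outs: an OFF value overrides the system default and is
    # the condition a reviewer most wants to catch.
    if ($m.Dep.Enable -eq 'OFF' -or $m.SEHOP.Enable -eq 'OFF') {
        Write-Warning ("{0}: DEP or SEHOP is explicitly disabled for this image" -f $Exe)
    }
}

# System-wide defaults that apply wherever a per-image value is NOTSET.
Write-Output '--- system defaults ---'
(Get-ProcessMitigation -System) | Select-Object -ExpandProperty Dep
(Get-ProcessMitigation -System) | Select-Object -ExpandProperty SEHOP
```

Run it from an elevated prompt so the cmdlet can read the image file execution options; a NOTSET value is not a finding on its own, only an OFF that overrides an ON system default is.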