implementing-memory-protection-with-dep-aslr
Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection, exploit mitigation, DEP, ASLR, or CFG configuration.
What this skill does
# Implementing Memory Protection with DEP and ASLR ## When to Use Use this skill when hardening endpoints against memory-based exploits by configuring DEP, ASLR, CFG, and Windows Exploit Protection system-wide and per-application mitigations. ## Prerequisites - Windows 10/11 or Windows Server 2016+ with administrative privileges - Group Policy management access for enterprise-wide deployment - Understanding of memory corruption attack techniques (buffer overflow, ROP chains) - Test environment for validating application compatibility with exploit mitigations ## Workflow ### Step 1: Configure System-Level Mitigations ```powershell # Enable system-wide DEP (Data Execution Prevention) # Boot configuration: OptIn (default), OptOut (recommended), AlwaysOn bcdedit /set nx AlwaysOn # Verify ASLR status (enabled by default on modern Windows) Get-ProcessMitigation -System # MandatoryASLR, BottomUpASLR, HighEntropyASLR should be ON # Enable all system-level mitigations Set-ProcessMitigation -System -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy ``` ### Step 2: Configure Per-Application Mitigations ```powershell # Harden high-risk applications (browsers, Office, PDF readers) Set-ProcessMitigation -Name "WINWORD.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle Set-ProcessMitigation -Name "EXCEL.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle Set-ProcessMitigation -Name "AcroRd32.exe" -Enable DEP,SEHOP,ForceRelocateImages,CFG Set-ProcessMitigation -Name "chrome.exe" -Enable DEP,CFG,ForceRelocateImages Set-ProcessMitigation -Name "msedge.exe" -Enable DEP,CFG,ForceRelocateImages # Export configuration for deployment Get-ProcessMitigation -RegistryConfigFilePath "C:\exploit_protection.xml" # Deploy via Intune or GPO ``` ### Step 3: Deploy via Intune/GPO ``` Intune: Endpoint Security → Attack Surface Reduction → Exploit Protection Import exploit_protection.xml template GPO: Computer Configuration → Admin Templates → Windows Components → Windows Defender Exploit Guard → Exploit Protection → "Use a common set of exploit protection settings" → Enabled → Point to XML file on network share ``` ## Key Concepts | Term | Definition | |------|-----------| | **DEP** | Marks memory pages as non-executable to prevent shellcode execution in data regions | | **ASLR** | Randomizes memory addresses of loaded modules to defeat hardcoded ROP gadgets | | **CFG** | Validates indirect call targets at runtime to prevent control flow hijacking | | **SEHOP** | Validates SEH chain integrity to prevent SEH-based exploitation | ## Tools & Systems - **Windows Exploit Protection**: Built-in per-process mitigation management - **EMET (legacy)**: Enhanced Mitigation Experience Toolkit (predecessor, now deprecated) - **ProcessMitigations PowerShell**: Get/Set-ProcessMitigation cmdlets ## Common Pitfalls - **DEP compatibility**: Legacy 32-bit applications may crash with DEP AlwaysOn. Use OptOut with exceptions. - **Mandatory ASLR breaking apps**: Some applications are not ASLR-compatible. Test before enforcing ForceRelocateImages. - **CFG limited to compiled-in support**: CFG only works for applications compiled with /guard:cf. Cannot be retroactively applied.
Related in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.