We have seen in Chapter 4, Ransomware Distribution how exploits play a crucial role in delivering ransomware and other malware too. A vulnerable application on your system can serve as a port of entry to ransomware or any other malware.

Antivirus also plays a role in exploit detection but it cannot detect an exploit if there is no signature for it or the exploit is unknown. If a vulnerability is not known, it is called a 0 day and can bypass  most of signature-based security software.

The Windows operating system has introduced certain features to protect itself and the software installed on it from exploits. Before getting into those features, we will explain some concepts of software exploits. We have already explained exploits and shellcodes in Chapter 1, Malware from Fun to Profit, but let us review some more stuff.

A program uses certain area of virtual memory for storing data. This is not meant to be executed. Heap and stack are the common places in virtual memory to store data . Some exploits store the shellcode in these regions and then execute it. Stack is a place to store local variables in a program . Overwriting stack variables by providing a large-sized data to a variable which is not meant to be large as per the programmer is called a stack overflow. To protect against stack overflow, Windows introduced Structured Exceptional Handler (SEH) that creates an exception when stack overflow occurs. Also, we mentioned that exploits use stack and heap to store the malicious code and then execute it from there. To protect against such kind of exploit attacks, Windows has come up with a concept called Data Execution Prevention (DEP). This avoids execution of these areas. On Windows 7, you can find the DEP setting by going to My Computer | System Protection | Advanced | Performance | Settings | Data Execution Prevention:

Well, hackers find a way to bypass it but, still, the features add to security. Return Oriented Programming (ROP) is an exploitation method designed by hackers to circumvent DEP. ROP-based exploitation is a tricky concept. Since DEP does not allow code to be executed on heap or stack, ROP uses bits and pieces from the loaded DLLs in memory which already have permission to execute to execute the malicious purpose.

Exploits are created by assembling codes from a DLL (DLLs or dynamic linked libraries are described in Chapter 1, Malware from Fun to Profit). In order to do that, the exploit needs to find the address of the DLL in virtual memory and find the required code in it. If the DLL is loaded at a fixed address in virtual memory, the work of writing an exploit becomes much easier. In order to protect against this, Microsoft came up with the concept of Address Space Layout Randomization (ASLR). Due to this address, a DLL is loaded at different locations in virtual memory when the program is started each time. Thus, predicting the address of a DLL in virtual memory becomes harder and, in turn, exploitation becomes tougher.

Microsoft Enhanced Mitigation Experience Toolkit (EMET) is another tool from Microsoft meant to protect against exploitation. It has Data Execution Prevention (DEP), ASLR, Structured Exception Handler (SEH Protection), and Anti-Return Oriented Programming (Anti-ROP). Some older versions of Windows, including earlier versions of Windows XP, lack many of anti-exploitation features. But still, some old versions of Windows are used in ATMs and many other important places. Installing EMET can act as an exploit-prevention shield in that case. In 2017, Windows introduced anti-exploitation features in Windows Defender, known as Windows Defender Exploit Guard (WDEG). https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-Windows-defender-exploit-guard/ talks about the introduction of Windows Defender Exploit Guard (WDEG). Other than EMET, WDEG had introduced a few more features into it. Controlled folder access is one such feature that is that is meant to protect our data from ransomware. We have also seen in in Chapter 7, Ransomware Distribution that Locky was spread using spam emails that used JavaScript. The Attack Surface Reduction (ASR) feature in Exploit Guard takes care of similar threats that spread by scripts attached in the email and that are part of Office documents.

It's very important for a user to install patches in order to prevent exploitation. Administrators should have a keen eye on the vulnerabilities and their patches to safeguard their organization. We see antivirus and anti-exploitation tools play an important role in threat prevention and detection.