EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationaslrdepstack-canary

OS-Level Exploit Mitigations

How ASLR, DEP, and stack canaries make exploitation harder — the mechanism behind each mitigation, its known bypass techniques, and why understanding them helps analysts recognise evasion in the wild.

Ashish Revar12 May 202616 min read2 views
Quick Bite

⚡ Quick Bite · 40s

Exploit Mitigations: ASLR, DEP, and Canaries

Modern OS defences — ASLR randomizing memory addresses, DEP blocking code execution, ROP chains bypassing DEP, and Stack Canaries detecting buffer overflows before execution.

Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Why Mitigations Matter for Analysts

Modern operating systems do not rely on programmers writing bug-free code. They deploy hardware and software mitigations that make exploitation harder even when a vulnerability exists.

Analysts need to understand these mitigations because:

  • Malware that bypasses them uses specific, recognisable techniques (ROP chains, information leaks)
  • Understanding the mitigation explains why certain malware behaviours exist
  • Bypass attempts leave forensic artefacts that appear in dynamic analysis

ASLR — Address Space Layout Randomisation

ASLR randomises the base addresses of the executable image, stack, heap, and loaded DLLs on each process execution. An attacker who discovers a buffer overflow cannot hardcode a jump address because the target address changes on every run.

Entropy by architecture

ArchitectureEntropy (Stack)Brute-force Feasibility
32-bit Windows8–9 bitsFeasible in seconds to minutes
64-bit Windows (HEASLR)17+ bitsInfeasible
64-bit Linux (PIE)28+ bitsInfeasible

32-bit ASLR is weak. Malware targeting 32-bit systems sometimes brute-forces ASLR by repeatedly crashing and restarting the target process until a predictable address is hit.

ASLR bypass techniques

TechniqueMechanism
Information disclosureLeak a pointer to calculate actual base address
Partial overwriteModify only the lower bytes (unaffected by ASLR randomisation)
Non-ASLR modulesTarget DLLs compiled without /DYNAMICBASE flag
Brute forceFeasible on 32-bit systems with low entropy
Heap sprayFill large memory region with shellcode — increases probability of hitting it

What to look for

In dynamic analysis, a crash followed by a retry loop in the malware suggests ASLR brute-forcing. An information disclosure followed by a calculated jump target suggests a leak-based bypass.

DEP — Data Execution Prevention

DEP marks the stack and heap as non-executable. The CPU refuses to execute instructions fetched from pages without the Execute permission, enforced via the NX (AMD) or XD (Intel) bit in page table entries.

Even if an attacker injects shellcode into a data region, the CPU raises an access violation when attempting to execute bytes from a non-executable page.

DEP bypass: Return-Oriented Programming (ROP)

ROP chains together small snippets of existing executable code called gadgets — sequences ending in RET — that already exist in loaded modules.

Stack layout for a ROP chain:
┌──────────────────────────────┐
│  Address of gadget 1         │  ← return address (overwritten)
│  Address of gadget 2         │  ← popped by gadget 1's RET
│  Address of gadget 3         │  ← popped by gadget 2's RET
│  Address of VirtualProtect() │  ← called to make shellcode executable
│  Arguments to VirtualProtect │
└──────────────────────────────┘

No injected code executes — only existing code in executable regions. DEP is bypassed entirely.

ROP gadgets look like this in disassembly:

pop  eax     ; ← this is the gadget
ret          ; ← RET chains to next gadget address on stack

Finding ROP gadgets in loaded DLLs is automated by tools like ROPgadget and mona.py.

ASLR + DEP together

DEP prevents code injection. ASLR prevents reliable gadget addressing. Defeating both requires:

  1. An information disclosure to find module base addresses (defeats ASLR)
  2. A ROP chain using gadgets from those modules (defeats DEP)

Malware that uses both bypass techniques is sophisticated and likely from a professional threat actor.

Stack Canaries

A random value — the canary — is placed between local buffers and the saved return address during function prologue. Before RET executes, the epilogue verifies the canary value. If corrupted, the process terminates immediately.

Stack layout with canary:
┌─────────────────────────┐
│  Return Address          │  ← target of overflow
│  Saved EBP               │
│  Stack canary (random)   │  ← verified before RET
│  Local buffer            │  ← overflow starts here
└─────────────────────────┘

An overflow must corrupt the canary before reaching the return address — triggering immediate termination.

Bypass

Requires knowing the canary value in advance via an information disclosure vulnerability — reading the canary value from memory before triggering the overflow, then including the correct value in the exploit payload.

Compiler flags

CompilerFlagNotes
MSVC/GSDefault since Visual Studio 2003
GCC-fstack-protectorProtects functions with arrays
GCC-fstack-protector-strongProtects more functions

Summary

MitigationDefeatsBypass Technique
ASLRHardcoded addressesInfo leak, brute force (32-bit), non-ASLR modules
DEP/NXShellcode injectionROP chain using existing executable code
Stack canaryReturn address overwriteInfo leak to read canary value first

ASLR and DEP are most effective together. Bypassing both requires an information leak and a ROP chain — significantly raising the bar for exploitation.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Exploitation for Client Execution (T1203)

ATT&CK technique covering exploitation of software vulnerabilities including mitigation bypass techniques used in the wild.

reference
checksec — Verify Binary Mitigations

Script that checks which mitigations (ASLR, DEP, stack canary, PIE) are enabled in a binary. Run on any PE to assess hardening.

tool
ROPgadget — ROP Chain Builder

Automated tool that finds ROP gadgets in binaries. Run against loaded DLLs to understand how ROP bypasses DEP in practice.

tool
More articlesTest your knowledge