Skill

implementing-memory-protection-with-dep-aslr

From asi

Configures Windows memory protections like DEP, ASLR, CFG via PowerShell, GPO, and Intune to harden endpoints against buffer overflows, ROP chains, and code injection.

Powershell

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Use this skill when hardening endpoints against memory-based exploits by configuring DEP, ASLR, CFG, and Windows Exploit Protection system-wide and per-application mitigations.

SKILL.md

Similar Skills

implementing-memory-protection-with-dep-aslr

5.9k

Configures Windows DEP, ASLR, CFG mitigations via PowerShell, GPO, Intune to protect endpoints from buffer overflows, ROP, code injection exploits.

7 files

cybersecurity-skills

implementing-memory-protection-with-dep-aslr

Implements DEP, ASLR, CFG, and Windows Exploit Protection mitigations via PowerShell to harden endpoints against buffer overflows, ROP chains, and code injection.

7 files

cybersecurity-skills-zh

configuring-windows-defender-advanced-settings

Configures Microsoft Defender for Endpoint advanced settings including ASR rules, controlled folder access, network protection, and exploit protection for hardening Windows endpoints.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Implementing Memory Protection with DEP and ASLR

When to Use

Use this skill when hardening endpoints against memory-based exploits by configuring DEP, ASLR, CFG, and Windows Exploit Protection system-wide and per-application mitigations.

Prerequisites

Windows 10/11 or Windows Server 2016+ with administrative privileges
Group Policy management access for enterprise-wide deployment
Understanding of memory corruption attack techniques (buffer overflow, ROP chains)
Test environment for validating application compatibility with exploit mitigations

Workflow

Step 1: Configure System-Level Mitigations

# Enable system-wide DEP (Data Execution Prevention)
# Boot configuration: OptIn (default), OptOut (recommended), AlwaysOn
bcdedit /set nx AlwaysOn

# Verify ASLR status (enabled by default on modern Windows)
Get-ProcessMitigation -System
# MandatoryASLR, BottomUpASLR, HighEntropyASLR should be ON

# Enable all system-level mitigations
Set-ProcessMitigation -System -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy

Step 2: Configure Per-Application Mitigations

# Harden high-risk applications (browsers, Office, PDF readers)
Set-ProcessMitigation -Name "WINWORD.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle
Set-ProcessMitigation -Name "EXCEL.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle
Set-ProcessMitigation -Name "AcroRd32.exe" -Enable DEP,SEHOP,ForceRelocateImages,CFG
Set-ProcessMitigation -Name "chrome.exe" -Enable DEP,CFG,ForceRelocateImages
Set-ProcessMitigation -Name "msedge.exe" -Enable DEP,CFG,ForceRelocateImages

# Export configuration for deployment
Get-ProcessMitigation -RegistryConfigFilePath "C:\exploit_protection.xml"
# Deploy via Intune or GPO

Step 3: Deploy via Intune/GPO

Intune: Endpoint Security → Attack Surface Reduction → Exploit Protection
  Import exploit_protection.xml template

GPO: Computer Configuration → Admin Templates → Windows Components
  → Windows Defender Exploit Guard → Exploit Protection
  → "Use a common set of exploit protection settings" → Enabled
  → Point to XML file on network share

Key Concepts

Term	Definition
DEP	Marks memory pages as non-executable to prevent shellcode execution in data regions
ASLR	Randomizes memory addresses of loaded modules to defeat hardcoded ROP gadgets
CFG	Validates indirect call targets at runtime to prevent control flow hijacking
SEHOP	Validates SEH chain integrity to prevent SEH-based exploitation

Tools & Systems

Windows Exploit Protection: Built-in per-process mitigation management
EMET (legacy): Enhanced Mitigation Experience Toolkit (predecessor, now deprecated)
ProcessMitigations PowerShell: Get/Set-ProcessMitigation cmdlets

Common Pitfalls

DEP compatibility: Legacy 32-bit applications may crash with DEP AlwaysOn. Use OptOut with exceptions.
Mandatory ASLR breaking apps: Some applications are not ASLR-compatible. Test before enforcing ForceRelocateImages.
CFG limited to compiled-in support: CFG only works for applications compiled with /guard:cf. Cannot be retroactively applied.