Hi Quitch,
Thanks for the link to the TechNet article; it does provide a very useful explanation of how Mandatory ASLR works.
There is additional information in the following EMET thread:
http://social.technet.microsoft.com/Forums/en-US/emet/thread/70f0e91a-1b37-400f-826d-97a56d392c15
Within this thread there is a link to a YouTube video by Didier Stevens who explains EMET's ASLR in more detail. I have also mentioned (in that thread) where in that video he talks about this.
Here is my understanding of EMET's Mandatory ASLR: if the DLLs within an executable file were compiled with the /DYNAMICBASE compiler link, EMET will not take any action. EMET's ASLR works by examining the preferred loading address of the DLLs within an executable file (when they don't already use the ASLR of the OS). EMET then pre-allocates those locations (most likely with default data or random data, just to fill in that memory location) and then provides a random memory location to the DLL being loaded so that the DLL is loaded at that address.
As Didier Stevens mentions in the video linked to in the above thread, EMET's ASLR is actually more random than the ASLR of the OS (this comment may not apply to Windows 8).
You are correct about Windows 8; it did introduce improvements to ASLR. The best sources of information about these changes are the following links:
http://technet.microsoft.com/en-us/library/dn169048.aspx
http://blogs.windows.com/windows/b/business/archive/2013/02/27/windows-8-built-with-security-in-mind.aspx
http://gcn.com/Articles/2012/07/25/2nd-Black-Hat-Windows-8-improves-security.aspx?Page=1
http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
This PDF was originally mentioned in the following blog post:
https://isc.sans.edu/diary/EMET+3.5%3A+The+Value+of+Looking+Through+an+Attacker's+Eyes/14797
My thanks to Chris Covington for bringing this very useful PDF to the attention of a wider audience.
Further technical details about ASLR and Force ASLR are available in the following links:
http://www.insanitybit.com/2012/11/09/windows-8-takes-aslr-to-the-next-level/
http://blog.ptsecurity.com/2012/12/windows-8-aslr-internals.html
http://support.microsoft.com/kb/2639308
While Windows 8 does bring significant improvements to ASLR, third-party programs are not obliged to use it. This is where EMET can assist by forcing such applications to use ASLR. This applies to Force ASLR too (as page 17 of the above PDF discusses): applications must opt in to receive the benefits of Force ASLR.
I hope this helps. If I can answer any other related questions, please let me know.
Thank you.
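To make the opt-in check described above concrete, here is an added Python example (not code from this thread, from EMET or from Microsoft) that reads a PE image's preferred load address (ImageBase) and its IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag, the bit the /DYNAMICBASE linker option sets; a DLL without that bit is the kind of module EMET's Mandatory ASLR would relocate. The build_min_pe helper constructs a synthetic, non-loadable header purely so the parser can be exercised offline.

```python
import struct

# DllCharacteristics bit set by the /DYNAMICBASE linker option
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit marking the image as a DLL


def pe_aslr_info(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers; report ImageBase and ASLR opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _ts, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at optional header offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at optional header offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        # a DLL with a fixed preferred base is what Mandatory ASLR would relocate
        "emet_would_relocate": bool(characteristics & IMAGE_FILE_DLL) and not dynamic_base,
    }


def build_min_pe(image_base: int, dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: a minimal header-only PE, not a loadable module."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, 96, IMAGE_FILE_DLL | 0x0002)
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, 0, 0, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, 0, 0, 0, 0, 0, image_base)
    opt += b"\0" * (70 - len(opt)) + struct.pack("<H", dll_chars) + b"\0" * 24
    return dos + b"PE\0\0" + coff + opt
```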