DEP

1. Principle
DEP is the abbreviation of Data Execution Prevention. It is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on the system. The basic principle is that memory pages holding data are marked non-executable; when shellcode has been placed successfully through an overflow and the program then tries to execute instructions on a data page, the CPU throws an exception instead of executing the malicious instructions, as the figure shows.

The main role of DEP is to prevent data pages (such as the default heap pages, stack pages of all kinds, and memory pool pages) from executing code. Microsoft began providing this technology in Windows XP SP2. According to the implementation mechanism, it can be divided into software DEP (Software DEP) and hardware DEP (Hardware-enforced DEP).
2. Classification
Software DEP is actually SafeSEH. Its purpose is to prevent attacks that abuse SEH; this mechanism has nothing to do with the CPU hardware. Windows uses software emulation to implement this form of DEP and so provides some protection for the operating system. As part of its validation, SafeSEH checks whether the exception handler is located on a non-executable page.
Hardware DEP is DEP in the real sense. It requires CPU hardware support, and both AMD and Intel have designed it: AMD calls it No-Execute Page-Protection (NX) and Intel calls it Execute Disable Bit (XD). The function and working principle of the two are essentially the same.
The operating system tags memory pages with the NX/XD attribute to indicate that code may not be executed from that memory. To achieve this, a special flag (NX/XD) is added to the page table (Page Table) entry to identify whether instruction execution is permitted on that memory page. When the flag bit is set to 0, executing instructions on that page is allowed; when it is set to 1, executing instructions on that page is not allowed.
Only hardware DEP is discussed and analysed here.
Whether the CPU supports hardware DEP can be checked as follows: right-click the "My Computer" icon on the desktop and select "Properties", then click the "Advanced" tab in the "System Properties" window. On the "Advanced" tab, click "Settings" under "Performance" to open the "Performance Options" page. Click the "Data Execution Prevention" tab; on this page we can confirm whether the computer's CPU supports DEP. If the CPU does not support hardware DEP, a prompt similar to the following appears at the bottom of the page: "Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help protect against certain types of attacks." See the figure.
Depending on the startup parameters, DEP has four working states.
(1) Optin: DEP protection is applied by default only to Windows system components and services; other programs are not protected, but users can enable DEP for selected programs through the Application Compatibility Toolkit (ACT). On Vista and later, programs compiled with the /NXCOMPAT option automatically get DEP applied. In this mode an application can dynamically turn DEP off. It is mostly used on consumer versions of the operating system, such as Windows XP, Windows Vista and Windows 7.
(2) Optout: DEP is turned on for all programs and services except those in an exclusion list; users can manually add programs and services that should not get DEP protection to the exclusion list. In this mode an application can dynamically turn DEP off. It is used on server operating systems, such as Windows 2003 and Windows 2008.
(3) AlwaysOn: DEP protection is enabled for all processes and no exclusion list exists. In this mode DEP cannot be turned off. Currently 64-bit operating systems work only in AlwaysOn mode.
(4) AlwaysOff: DEP is disabled for all processes. In this mode DEP cannot be dynamically turned on. This mode is generally used only in special situations, for example when DEP interferes with the normal operation of a program.
We can switch between Optin and Optout with the check boxes in the figure above. The DEP working mode can also be controlled by modifying the /noexecute boot entry in c:\boot.ini. As shown, the DEP working mode of this operating system is Optout.
3. VS environment settings
After introducing the working principle and states of DEP, let us look at a link option closely related to DEP: /NXCOMPAT. /NXCOMPAT is a link option introduced in Visual Studio 2005 and later, and it is enabled by default. In Visual Studio 2008 (VS 9.0), the version used in this book, you can choose whether or not to compile with /NXCOMPAT through the menu Project → Properties → Configuration Properties → Linker → Advanced → Data Execution Prevention (DEP), as shown in the figure.
A program file compiled with /NXCOMPAT has the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set in its PE header. The flag is stored in the DllCharacteristics field of the IMAGE_OPTIONAL_HEADER structure; when DllCharacteristics has the value 0x0100 set, the program was compiled with /NXCOMPAT. For a detailed description of the IMAGE_OPTIONAL_HEADER structure, consult the relevant MSDN material; it is not discussed further here.
What is the benefit of a program compiled with /NXCOMPAT? We know from the previous introduction that the consumer versions of the operating system generally work in the Optin DEP state, in which DEP protects only the system's core processes while ordinary programs are not protected. Users can add programs themselves through the tool, but that raises the security threshold, so Microsoft introduced the /NXCOMPAT compiler option. A program compiled with /NXCOMPAT automatically has DEP protection enabled on Windows Vista and later versions of the operating system.
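As an added example (not code from the original post or from the book it follows), the following C program checks the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit described above by parsing the PE headers directly: DOS header, e_lfanew, the "PE\0\0" signature, IMAGE_FILE_HEADER and then the DllCharacteristics field at offset 70 of IMAGE_OPTIONAL_HEADER, which is the same offset for PE32 and PE32+ images. The function names (pe_nx_compat, pe_file_nx_compat, build_sample_image, check_sample) are this example's own, and the sample image it builds is a constructed minimal header, not a loadable executable. Every offset is bounds-checked, so a truncated or non-PE input is reported rather than read out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit in IMAGE_OPTIONAL_HEADER.DllCharacteristics set by the /NXCOMPAT linker option. */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100

/* Results of pe_nx_compat(). */
#define NX_COMPAT_SET       1
#define NX_COMPAT_CLEAR     0
#define NX_COMPAT_BADIMAGE (-1)

/* Little-endian field readers/writers; PE headers are always little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk DOS header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER and
 * test the NX_COMPAT bit. DllCharacteristics sits at offset 70 of the optional header for
 * both PE32 (magic 0x10b) and PE32+ (magic 0x20b). Every offset is checked against len. */
int pe_nx_compat(const uint8_t *img, size_t len)
{
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return NX_COMPAT_BADIMAGE;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* Need signature (4) + file header (20) + at least 72 bytes of optional header. */
    if (e_lfanew >= len || len - e_lfanew < 4 + 20 + 72)
        return NX_COMPAT_BADIMAGE;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return NX_COMPAT_BADIMAGE;
    uint16_t size_of_optional = rd16(nt + 4 + 16);   /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    if (size_of_optional < 72)
        return NX_COMPAT_BADIMAGE;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)
        return NX_COMPAT_BADIMAGE;
    uint16_t dll_characteristics = rd16(opt + 70);
    return (dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? NX_COMPAT_SET : NX_COMPAT_CLEAR;
}

/* Read the start of a file from disk and classify it. */
int pe_file_nx_compat(const char *path)
{
    static uint8_t buf[4096];   /* the headers of real images fit within the first 4 KiB */
    FILE *f = fopen(path, "rb");
    if (f == NULL) return NX_COMPAT_BADIMAGE;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return pe_nx_compat(buf, n);
}

/* Constructed sample: a minimal, non-loadable PE header with the given magic and
 * DllCharacteristics, just enough for pe_nx_compat() to parse. Returns bytes written or 0. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint16_t magic, uint16_t dll_characteristics)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 4 + 20 + 240;   /* 240 = size of a PE32+ optional header */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x014c);          /* Machine = i386 (constructed value) */
    wr16(nt + 4 + 16, 240);        /* SizeOfOptionalHeader */
    wr16(nt + 24, magic);
    wr16(nt + 24 + 70, dll_characteristics);
    return total;
}

/* Build a constructed image and classify it in one call. */
int check_sample(uint16_t magic, uint16_t dll_characteristics)
{
    uint8_t img[512];
    size_t n = build_sample_image(img, sizeof img, magic, dll_characteristics);
    return n ? pe_nx_compat(img, n) : NX_COMPAT_BADIMAGE;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        int r = pe_file_nx_compat(argv[1]);
        printf("%s: %s\n", argv[1],
               r == NX_COMPAT_SET ? "NX_COMPAT set (/NXCOMPAT)" :
               r == NX_COMPAT_CLEAR ? "NX_COMPAT clear" : "not a valid PE image");
        return 0;
    }
    printf("PE32 /NXCOMPAT sample: %d\n", check_sample(0x10b, IMAGE_DLLCHARACTERISTICS_NX_COMPAT));
    printf("PE32 plain sample:     %d\n", check_sample(0x10b, 0));
    return 0;
}
```

Run it with the path of an .exe or .dll as the only argument to see whether that image carries the /NXCOMPAT flag; with no argument it classifies the two constructed samples. Because the check reads only the header bit, a clear result on Vista and later means the Optin policy will not protect the process unless it is added through ACT or the DEP settings page described earlier.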
4. Analysis
DEP improves the memory management mechanism at the origin of overflow attacks. By marking memory pages non-executable, it prevents shellcode on the stack from executing; such a drastic mechanism has brought unprecedented challenges to buffer overflows. It is the most powerful protection mechanism we have encountered so far in this book. Can it completely prevent buffer overflow attacks? The answer is no.
Like the security mechanisms described earlier, DEP has its own limitations.
First, hardware DEP requires CPU support, but not every CPU provides hardware support for DEP; on some older CPUs DEP cannot take effect.
Second, because of compatibility, Windows cannot turn on DEP protection for all processes, or anomalies may occur. For example, for some third-party plug-in DLLs it is impossible to confirm whether they support DEP, so programs involving such DLLs do not dare to enable DEP protection. Also, programs using ATL 7.1 or earlier need to generate code that is executed on data pages; in this situation DEP protection cannot be turned on, otherwise the program will misbehave.
Third, the /NXCOMPAT compiler option, that is the IMAGE_DLLCHARACTERISTICS_NX_COMPAT setting, is valid only on Windows Vista and later. On earlier systems, such as Windows XP SP3, this setting is ignored. In other words, even with this link option the program does not automatically enable DEP protection on some operating systems.
Finally, in the two most important DEP states, Optin and Optout, DEP can be dynamically turned off and on, which indicates that the operating system provides some API functions to control the DEP state. Unfortunately, earlier operating systems impose no restrictions on calls to these API functions: every process can call them. This plants a big security risk and also provides a way for us to break DEP.
5. C code to break DEP
#include <windows.h>

// Information class 0x22 is ProcessExecuteFlags (the value the text below relies on);
// the original listing labelled it ProcessDebugPort, which is a different class.
typedef enum _PROCESSINFOCLASS
{
    ProcessExecuteFlags = 0x22
} PROCESSINFOCLASS;

#define MEM_EXECUTE_OPTION_ENABLE 0x2

// Prototype of the undocumented ntdll export NtSetInformationProcess.
typedef DWORD (CALLBACK *NTSETINFORMATIONPROCESS)(
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID            ProcessInformation,
    IN ULONG            ProcessInformationLength);

NTSETINFORMATIONPROCESS NtSetInformationProcess;

BOOL CloseProcessDEP()
{
    HMODULE hNtdll;
    hNtdll = LoadLibraryA("ntdll.dll");
    if (hNtdll == NULL)
    {
        OutputDebugStringA("LoadLibraryA ntdll.dll Error\n");
        return 0;
    }
    // Resolve the export at run time; it is not declared in the public headers.
    NtSetInformationProcess = (NTSETINFORMATIONPROCESS)GetProcAddress(hNtdll, "NtSetInformationProcess");
    if (NtSetInformationProcess == NULL)
    {
        OutputDebugStringA("GetProcAddress NtSetInformationProcess Error\n");
        return 0;
    }
    ULONG ExecuteFlags = MEM_EXECUTE_OPTION_ENABLE;
    // DEP is turned off for the current process here
    DWORD dwRet = NtSetInformationProcess(GetCurrentProcess(), ProcessExecuteFlags, &ExecuteFlags, sizeof(ExecuteFlags));
    if (dwRet != 0)   // NTSTATUS: zero is STATUS_SUCCESS
    {
        OutputDebugStringA("NtSetInformationProcess Error\n");
        return 0;
    }
    return 1;
}
The theory of bypassing DEP is built on this function:

ULONG ExecuteFlags = MEM_EXECUTE_OPTION_ENABLE;

NtSetInformationProcess(
    NtCurrentProcess(),     // (HANDLE)-1
    ProcessExecuteFlags,    // 0x22
    &ExecuteFlags,          // pointer to 0x2
    sizeof(ExecuteFlags));  // 0x4

When MEM_EXECUTE_OPTION_ENABLE is set to 0x2, NX (Non-Executable) support is disabled. The first parameter can be set to the current process.

Because of Microsoft's design, this function can be called in user mode; that is, in user mode you can call this function to disable NX support for the current process and bypass DEP. After the function has been called once, the thread stacks and the process's memory are no longer protected by DEP and can be used to execute shellcode!

Source: www.cnblogs.com/bdqczhl/p/11105262.html