Programming for the DEP environment in Windows

Data Execution Prevention

Data Execution Prevention (DEP) technology was released in Windows XP SP2 / Windows Server 2003 SP1. The aim of DEP is to prevent execution of code located in memory regions marked as data: the heap and the stack. It was introduced to reduce the number of security vulnerabilities exploited by the many viruses, rootkits and exploits that relied on running code placed on the stack.

DEP technology is based on the CPU's NX bit (called XD, Execute Disable, by Intel), a page-table attribute which makes it possible to mark memory pages as non-executable so that the CPU refuses to fetch instructions from such regions.

Hardware DEP prevents:

  1. Code execution in the heap. If the heap was created without the HEAP_CREATE_ENABLE_EXECUTE flag you will not be able to run code placed in that heap.
  2. Code execution on the stack.
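What the two list items above mean at the CPU level can be shown with a short self-contained demo. This is an added example, not code from the original article or from Apriorit: it copies a six-byte "return 42" stub into a freshly mapped page and calls it, once with the page executable and once with it read/write only, and catches the fault that the NX bit raises in the second case. To compile and run anywhere it uses POSIX mmap and signals rather than the Windows API; on Windows the equivalents are VirtualAlloc with PAGE_EXECUTE_READWRITE versus PAGE_READWRITE (or HeapCreate with and without HEAP_CREATE_ENABLE_EXECUTE) and a structured exception handler in place of the SIGSEGV handler. The function name and the machine-code stubs are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

static sigjmp_buf fault_jump;

/* Entered when the CPU refuses to execute from a non-executable page. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_jump, 1);
}

/* Machine code for `return 42;` on the architectures this demo supports (constructed by hand). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "unsupported architecture for this demo"
#endif

/* Copies the stub into a new page and calls it.
 *   executable != 0 : page is RWX, like a heap created with HEAP_CREATE_ENABLE_EXECUTE
 *   executable == 0 : page is RW only, like an ordinary heap or the stack under DEP
 * Returns 42 if the stub ran, 0 if the NX check raised a fault, -1 if mmap failed. */
int run_from_data_page(int executable) {
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    void *page = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, stub, sizeof stub);
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(fault_jump, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* avoid the ISO C object-to-function pointer cast */
        result = fn();                   /* only returns if the page is executable */
    } else {
        result = 0;                      /* landed here from on_fault: NX blocked the call */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, 4096);
    return result;
}

int main(void) {
    printf("RWX page: stub returned %d\n", run_from_data_page(1));
    printf("RW  page: stub returned %d (0 means the NX bit blocked the call)\n", run_from_data_page(0));
    return 0;
}
```

The second call is exactly the situation a software protector or an emulator gets into when it decrypts or generates code into memory it obtained with a plain allocation: the bytes are there, but the page lacks the execute permission, so the first instruction fetch faults. The fix on the code's side is to allocate with execute permission (or change it with VirtualProtect), not to turn DEP off.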

Software DEP checks:

  1. Whether the exception handler is registered in the image's exception handler table (the SafeSEH table produced by the /SAFESEH linker option).
  2. Since Windows Vista, the address of the exception handler as well: it must belong to a memory region with the MEM_IMAGE attribute, i.e. a mapped executable image, so a handler that points into the stack or the heap is rejected.

Virtual machine software (at the time of writing) doesn't emulate hardware DEP, so inside a VM only software DEP is active.

Problems

What problems can such checks cause for people who are not interested in writing malware?

First of all, it became a headache for software protectors. A protector decrypts the protected code into memory and runs it there. Protectors also use exception handlers for anti-debugging techniques.

The second problem is faced by emulator software, which loads executable binaries as data files and simulates the processes and threads running inside them. It also needs to run code from "data memory" and to simulate exception handlers.

Can DEP be disabled? Of course!

Disabling DEP

Manual way

The first way is the easiest: disable DEP for your process. It can be done manually via "System Properties" - "Advanced" - "Performance Settings". In the "Performance Settings" window select the "Data Execution Prevention" tab. There you can add the executable file of your choice to the list of programs for which DEP is turned off.

Then you will have to reboot the system to apply the changes.

This is the manual, official way. But there is a problem: you will not be able to add .NET executables to the exclusion list in Windows Vista. Instead you will get an error message.

This message is caused by the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit, which the Visual Studio compiler sets in the DllCharacteristics field of the PE optional header by default; an image that declares itself NX-compatible cannot be opted out through the dialog. There is no way to clear this bit via the project settings in Visual Studio for .NET applications (though there is a setting for native applications in VS 2008). It can be done with the editbin utility, which is part of Visual Studio:

editbin.exe /NXCOMPAT:NO <path-to-executable>

For native executables you can disable it in the project properties in VS 2008 (Linker - Advanced - "Data Execution Prevention (DEP)", which maps to the /NXCOMPAT linker option).
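Whether an image carries the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit, and what editbin /NXCOMPAT:NO actually changes, can be checked with a few lines of PE parsing. The following is an added example, not the article's or Apriorit's code: it locates the DllCharacteristics field (at offset 0x46 of the optional header for both PE32 and PE32+), reports the bit, and clears it in place, rejecting malformed headers along the way. The function names are my own, and the sample image is a constructed minimal header built in build_sample_pe(), not a real binary; to inspect a real file, read it into a buffer and pass that instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define E_LFANEW_OFFSET           0x3C   /* DOS header field holding the PE signature offset */
#define DLLCHARACTERISTICS_OFFSET 0x46   /* same offset in PE32 and PE32+ optional headers */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the buffer offset of DllCharacteristics, or 0 if the header is malformed
 * (bad MZ/PE signatures, e_lfanew outside the buffer, optional header too short, unknown magic). */
size_t pe_dllcharacteristics_offset(const unsigned char *img, size_t len) {
    if (len < E_LFANEW_OFFSET + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + E_LFANEW_OFFSET);
    if (e_lfanew > len || len - e_lfanew < 24) return 0;        /* "PE\0\0" + 20-byte COFF header */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    uint16_t opt_size = rd16(img + e_lfanew + 4 + 16);           /* SizeOfOptionalHeader */
    size_t opt = e_lfanew + 24;
    if (opt_size < DLLCHARACTERISTICS_OFFSET + 2 || len - opt < opt_size) return 0;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B) return 0;              /* PE32 or PE32+ only */
    return opt + DLLCHARACTERISTICS_OFFSET;
}

/* 1 if the image opts in to DEP, 0 if it does not, -1 if the header is malformed. */
int pe_is_nx_compat(const unsigned char *img, size_t len) {
    size_t off = pe_dllcharacteristics_offset(img, len);
    if (off == 0) return -1;
    return (rd16(img + off) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Clears the bit in place, leaving the other DllCharacteristics flags untouched
 * (the effect of `editbin /NXCOMPAT:NO`). Returns 0 on success, -1 if malformed. */
int pe_clear_nx_compat(unsigned char *img, size_t len) {
    size_t off = pe_dllcharacteristics_offset(img, len);
    if (off == 0) return -1;
    uint16_t dc = (uint16_t)(rd16(img + off) & ~IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    img[off]     = (unsigned char)(dc & 0xFF);
    img[off + 1] = (unsigned char)(dc >> 8);
    return 0;
}

/* Constructed sample (not a real binary): DOS header, PE signature, COFF header and a
 * 240-byte PE32+ optional header whose DllCharacteristics is set to `dllchars`. */
size_t build_sample_pe(unsigned char *out, size_t cap, uint16_t dllchars) {
    const uint32_t e_lfanew = 0x80;
    const uint16_t opt_size = 240;
    size_t total = e_lfanew + 24 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[E_LFANEW_OFFSET] = (unsigned char)e_lfanew;
    memcpy(out + e_lfanew, "PE\0\0", 4);
    out[e_lfanew + 4] = 0x64; out[e_lfanew + 5] = 0x86;          /* Machine = AMD64 (0x8664) */
    out[e_lfanew + 4 + 16] = (unsigned char)(opt_size & 0xFF);
    out[e_lfanew + 4 + 17] = (unsigned char)(opt_size >> 8);
    out[e_lfanew + 24] = 0x0B; out[e_lfanew + 25] = 0x02;        /* Magic = 0x20B (PE32+) */
    out[e_lfanew + 24 + DLLCHARACTERISTICS_OFFSET]     = (unsigned char)(dllchars & 0xFF);
    out[e_lfanew + 24 + DLLCHARACTERISTICS_OFFSET + 1] = (unsigned char)(dllchars >> 8);
    return total;
}

int main(void) {
    unsigned char img[512];
    size_t n = build_sample_pe(img, sizeof img, IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    printf("before: NX_COMPAT = %d\n", pe_is_nx_compat(img, n));
    pe_clear_nx_compat(img, n);
    printf("after : NX_COMPAT = %d\n", pe_is_nx_compat(img, n));
    return 0;
}
```

Two points worth keeping in mind when you run this against real files: the bit only records what the linker declared, so a system policy of AlwaysOn enforces DEP regardless of it, and clearing it in a .NET assembly does not change the managed code itself, only whether the loader treats the process as NX-compatible.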

Manual way 2

In Windows Vista DEP can be disabled for the whole system. It can be done with the bcdedit tool from an elevated command prompt (the valid values of the nx setting are OptIn, OptOut, AlwaysOn and AlwaysOff; a reboot is required):

bcdedit /set {current} nx AlwaysOff

In Windows XP you can edit the boot.ini file and change the noexecute option:

/noexecute=alwaysoff

Programmatically

There are undocumented APIs in sysdm.cpl which make it possible to manage DEP settings (they back the "Data Execution Prevention" tab described above, and being undocumented they may change between Windows versions):

int __stdcall EnableExecuteProtectionSupportW()
int __stdcall ModifyExecuteProtectionSupportW(int, int, wchar_t *OptionName, int)
int __stdcall NoExecuteAddFileOptOutList(LPCWSTR lpSrc)

The NoExecuteAddFileOptOutList() function adds an executable file to the DEP exclusion list. Note that for the per-process case there is also a documented alternative: since Windows XP SP3 and Vista SP1, kernel32.dll exports SetProcessDEPPolicy(), which lets a 32-bit process change its own DEP setting when the system policy is OptIn or OptOut.

Read about other examples of computer security techniques in the Apriorit Case Studies.