Friday, July 14, 2006

The other side of VirtualProtect() and friends: DEP evasion

As some people may think that the regression tests which involve VirtualProtect() usage for evading DEP are wrongly implemented, and present a legitimate feature as a potential risk, the images below show "hot spots" in the disassembly of Microsoft Windows Media Player and Skype. The first, like most multimedia applications on either GNU/Linux or Microsoft Windows, needs to generate code at run time, and that requires access to executable memory. Skype was known to break with Data Execution Prevention (DEP) enabled, until it was fixed...

The image below shows Skype allocating memory with PAGE_EXECUTE_READWRITE access:

PAGE_EXECUTE_READWRITE 0x40

Enables execute, read, and write access to the committed region of pages.

Allocating memory with such a permissive protection is certainly an easy way to get around DEP-related compatibility issues, but it also makes DEP useless for that region: DEP only blocks execution from pages that are marked non-executable, and these pages are executable from the moment they are allocated. If the allocated area somehow receives user input (or is at least partially controlled by another process), code can be written there and then executed without any barrier in the way, DEP included.

19.01.2006 version 2.0.0.73

  • bugfix: crashes when DEP is supported in hardware

Now let's look at Windows Media Player...

It doesn't matter whether the memory is allocated with RWX (read-write-execute) access from the start, or allocated writable and later changed to executable with VirtualProtect(). In either case, if memory becomes executable after being written from user input or a similarly unsafe source, DEP cannot protect against it: DEP only enforces the page permissions the process itself asked for, and a process is free to ask for executable pages. You are left relying on the vendor, trusting that they did not take the easy way out and simply apply a workaround instead of fixing their code.
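Both paths just described, as an added example (editor's code, not from the post and not taken from Skype's or Windows Media Player's binaries): allocate a code buffer either RWX up front (the Skype pattern) or writable-only and then flipped to executable with VirtualProtect() (the pattern the post attributes to Windows Media Player), write into it bytes that stand in for attacker-controlled input, and execute them. On POSIX the same flow uses mmap/mprotect, which drives the NX bit the same way, so the example builds on both; the audit helper enumerates RWX regions with VirtualQuery() on Windows and /proc/self/maps on Linux. The 4 KiB buffer size, the 32-byte payload copied from forty_two(), and all function names are the editor's own choices.

```c
/* Added example (editor's code, not the post's or Skype/WMP's): RWX up front
 * or RW then VirtualProtect() to executable, bytes in the buffer treated as
 * untrusted input, plus an audit counting RWX regions in the running process. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif
#define CODE_SIZE 4096

/* rwx=1: Skype's PAGE_EXECUTE_READWRITE allocation; rwx=0: writable only. */
static void *alloc_code_buffer(size_t size, int rwx)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE,
                        rwx ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE);
#else
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE | (rwx ? PROT_EXEC : 0),
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

static void free_code_buffer(void *buf, size_t size)
{
#ifdef _WIN32
    (void)size; VirtualFree(buf, 0, MEM_RELEASE);
#else
    munmap(buf, size);
#endif
}

/* Freshly written bytes must reach the instruction fetch (a no-op on x86). */
static void sync_icache(void *buf, size_t size)
{
#ifdef _WIN32
    FlushInstructionCache(GetCurrentProcess(), buf, size);
#else
    __builtin___clear_cache((char *)buf, (char *)buf + size);
#endif
}

/* The VirtualProtect() side: whatever the buffer holds now becomes code. */
static int make_executable(void *buf, size_t size)
{
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(buf, size, PAGE_EXECUTE_READ, &old)) return -1;
#else
    if (mprotect(buf, size, PROT_READ | PROT_EXEC) != 0) return -1;
#endif
    sync_icache(buf, size);
    return 0;
}

/* Audit: regions writable and executable at once; -1 if not enumerable here. */
static int count_rwx_regions(void)
{
    int n = 0;
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    while (VirtualQuery(addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT &&
            (mbi.Protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))) n++;
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
#elif defined(__linux__)
    char line[512], perms[8];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))              /* "start-end perms ..." */
        if (sscanf(line, "%*s %7s", perms) == 1 && !strncmp(perms, "rwx", 3)) n++;
    fclose(f);
#else
    n = -1;
#endif
    return n;
}

static int forty_two(void) { return 42; }  /* stand-in for attacker bytes, any CPU */

/* Write the payload (rwx=0: then flip the page), run it, return its result. */
static int inject_and_run(int rwx)
{
    void *buf = alloc_code_buffer(CODE_SIZE, rwx);
    int r = -1;
    if (!buf) return -1;
    memcpy(buf, (const void *)forty_two, 32);           /* the untrusted write */
    if (rwx) sync_icache(buf, CODE_SIZE);
    if (rwx || make_executable(buf, CODE_SIZE) == 0)
        r = ((int (*)(void))buf)();                      /* DEP has nothing to stop */
    free_code_buffer(buf, CODE_SIZE);
    return r;
}
int main(void)
{
    printf("RWX from the start: payload returned %d\n", inject_and_run(1));
    printf("RW then made executable: payload returned %d\n", inject_and_run(0));
    printf("RWX regions in this process: %d\n", count_rwx_regions());
}
```

Both paths return 42: hardware NX, or DEP on Windows, only refuses execution from pages the process never marked executable, and neither path ever asks for that. count_rwx_regions() is the check worth running against a third-party binary (from inside with VirtualQuery(), or from another process with VirtualQueryEx()): a non-zero count after the application has settled is exactly the condition the post's disassembly screenshots point at.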

For further information:

  1. MSDN Memory Management functions: VirtualProtect()
  2. MSDN Memory Management functions: VirtualAlloc()
  3. MSDN Memory Protection Constants
  4. Blog on Cyberterror: A DEP evasion technique
  5. ZDnet blogs: Skype 2.0 looked like a virus
  6. Skype change-log
  7. Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform. By David Litchfield, NGSSoftware Insight Security Research (NISR).
