flat assembler
Message board for the users of flat assembler.
Windows > executable code in data section works!!!
Tomasz Grysztar 02 Dec 2012, 23:45
Only when you use the "format PE NX" setting will the "executable" flag get treated seriously, by at least some versions of Windows.
PS Yes, it is not documented - seemingly I forgot to add this to the official manual; you can only find it in the "whatsnew" notes.
f0dder 03 Dec 2012, 00:32
edfed: see if it works when EMET has been set to "nazi mode".
I wouldn't recommend that you attempt it, at any rate - if you have legitimate uses for "data" execution, do the correct steps of VirtualAlloc+VirtualProtect. It's very little extra effort, and it helps keep your code compatible while making exploiters' lives harder.
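The VirtualAlloc+VirtualProtect sequence f0dder recommends, written out as an added Win32 fasm example (not code from the thread or from fasm's own examples). It assumes fasm 1.70 or later, where the NX setting Tomasz mentions exists, and the stock win32a.inc macros; the names routine, buffer and oldprotect are made up for the example.

```asm
; Added example, not code from the thread: the VirtualAlloc+VirtualProtect
; pattern f0dder describes, for 32-bit Windows with fasm's win32a.inc.
format PE console 4.0 NX        ; NX: the setting Tomasz mentions above
entry start
include 'win32a.inc'

section '.text' code readable executable
start:
        ; 1. Commit one page as read/write only; nothing executable yet.
        invoke  VirtualAlloc, 0, 4096, MEM_COMMIT+MEM_RESERVE, PAGE_READWRITE
        test    eax, eax
        jz      fail
        mov     [buffer], eax
        ; 2. Copy the position-independent routine into that page.
        mov     esi, routine
        mov     edi, eax
        mov     ecx, routine_size
        rep     movsb
        ; 3. Swap write for execute (W^X): the page is never RWX.
        invoke  VirtualProtect, [buffer], 4096, PAGE_EXECUTE_READ, oldprotect
        test    eax, eax
        jz      fail
        ; 4. Indirect call into memory that is legitimately executable,
        ;    so it keeps working with NX / DEP enforced.
        call    dword [buffer]          ; routine leaves 42 in eax
        cinvoke printf, fmt, eax
        invoke  VirtualFree, [buffer], 0, MEM_RELEASE
        invoke  ExitProcess, 0
fail:
        invoke  ExitProcess, 1

routine:                                ; the code that gets relocated
        mov     eax, 42
        ret
routine_size = $ - routine

section '.data' data readable writeable
        fmt        db 'routine returned %d', 10, 0
        buffer     dd ?
        oldprotect dd ?

section '.idata' import data readable writeable
        library kernel32, 'KERNEL32.DLL', msvcrt, 'MSVCRT.DLL'
        import  kernel32, VirtualAlloc, 'VirtualAlloc', \
                          VirtualProtect, 'VirtualProtect', \
                          VirtualFree, 'VirtualFree', \
                          ExitProcess, 'ExitProcess'
        import  msvcrt, printf, 'printf'
```

Because the page is only ever RW or RX, the program runs unchanged whether or not DEP is enforced, which is the compatibility point f0dder makes.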
nmake 03 Dec 2012, 01:35
An exploiter would get around both methods, but it is still bad not to protect it; it is a bad attitude.
f0dder 03 Dec 2012, 14:50
nmake wrote: An exploiter would get around both methods, but it is still bad to not protect it, it is bad attitude.
DOS386 18 Dec 2012, 03:02
edfed wrote:
COOL

edfed wrote: can I assume it to work on every Windows platform?
NO

edfed wrote: I've tested under 98, XP and 7, nothing seems to forbid that...
This is one of the most horrible design faults of Intel. The good/bad/ugly old 80286 added protected mode, allowing but not enforcing separation of executable and writable memory areas through segmentation "technology" with a 64 KiB limit. The 80386 increased the segment limit to 4 GiB and added paging. The surprising effect was that programmers stopped using segmentation (offering both executability and writability control) and switched to flat memory models and paging (offering only writability control, but NO executability control). So we got a regression in security. BTW, Windaube 98 (your pet) not only ignores the executability control bit in PE, but the writability control bit too !!! (XP and HX do respect the writability control bit.)
f0dder 18 Dec 2012, 07:45
DOS386 wrote: The surprising effect was that programmers stopped using segmentation (offering both executability and writability control) and switched to flat memory models and paging (offering only writability control, but NO executability control). So we got a regression in security
edfed 18 Dec 2012, 09:17
I wonder how it works with x86-64. I will test this afternoon.
I also made this:
Code:
    mov eax,[thispointer]
    call eax
and nothing, of course, forbids it, making it possible to call anything. The goal now will be to test:
Code:
    call rax
f0dder 18 Dec 2012, 20:29
None of those will be problematic unless you're trying to call NX areas, edfed.
edfed 18 Dec 2012, 21:33
Cool. Then I just have to (re)code my lib in Win32 and 64 now.
DOS386 20 Dec 2012, 01:51
Code:
    section '.data' data readable ; NOT writeable ; NOT executable
    thisdata db '123',0
    thiscode:
    blah:
            mov eax,thisdata
            inc byte [blah]     ; This works in Windaube 98 !!!
            ret
f0dder 20 Dec 2012, 11:46
DOS386: gives me a page fault on Win98SE - that's under VMware though; I haven't got any physical hardware running Win9x. And yes, the environment under VMware is somewhat different from physical hardware; (some of?) the ring0 hacks don't work, for instance.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.