flat assembler
Message board for the users of flat assembler.

Index > Windows > executable code in data section works!!!

edfed



Joined: 20 Feb 2006
Posts: 4330
Location: Now
edfed 02 Dec 2012, 23:41
Code:
section '.data' data readable writeable   ; no 'executable' flag on this section
thisdata db '123',0
thiscode:                                 ; code deliberately placed in the data section
mov eax,thisdata
ret

Can I assume it works on every Windows platform?

I've tested under 98, XP and 7; nothing seems to forbid that...
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8349
Location: Kraków, Poland
Tomasz Grysztar 02 Dec 2012, 23:45
Only when you use the "format PE NX" setting will the "executable" flag be treated seriously, by at least some versions of Windows.

PS Yes, it is not documented - seemingly I forgot to add this to the official manual; you can only find it in the "whatsnew" notes.
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 03 Dec 2012, 00:32
edfed: see if it works when EMET has been set to "nazi mode".

I wouldn't recommend attempting it, at any rate - if you have legitimate uses for "data" execution, do the correct steps of VirtualAlloc+VirtualProtect. It's very little extra effort, and it helps keep your code compatible while making exploiters' lives harder.
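As an added example (not from the thread, and not fasm's own source), here is the VirtualAlloc+VirtualProtect sequence f0dder recommends combined with the "format PE NX" setting Tomasz mentions, written for fasm with its bundled win32a.inc macros (invoke, library, import): the page is never writable and executable at the same time, and the data section keeps its default non-executable flags.

```asm
; Added example: proper W^X handling for runtime-generated code on Win32.
format PE console NX        ; NX = mark the image DEP-compatible in the PE header
entry start
include 'win32a.inc'

section '.text' code readable executable

start:
        ; 1. Commit one page as read/write only, never read/write/execute.
        invoke  VirtualAlloc,0,4096,MEM_COMMIT or MEM_RESERVE,PAGE_READWRITE
        test    eax,eax
        jz      fail
        mov     [page],eax
        ; 2. Copy the routine in while the page is still writable.
        mov     esi,routine
        mov     edi,eax
        mov     ecx,routine_end-routine
        rep     movsb
        ; 3. Switch the page to read/execute; write access is dropped.
        invoke  VirtualProtect,[page],4096,PAGE_EXECUTE_READ,oldprot
        test    eax,eax
        jz      fail
        invoke  FlushInstructionCache,-1,[page],4096  ; -1 = current process
        ; 4. Call it: DEP is satisfied because the page is now executable.
        call    dword [page]
        mov     ebx,eax                   ; keep the routine's result (42)
        invoke  VirtualFree,[page],0,MEM_RELEASE
        invoke  ExitProcess,ebx           ; exit code = 42 on success
fail:
        invoke  ExitProcess,1

; Position-independent routine that gets copied (no absolute references).
routine:
        mov     eax,42
        ret
routine_end:

section '.data' data readable writeable   ; no 'executable' here: data stays data
page    dd ?
oldprot dd ?

section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL'
import  kernel32,\
        VirtualAlloc,'VirtualAlloc',\
        VirtualProtect,'VirtualProtect',\
        VirtualFree,'VirtualFree',\
        FlushInstructionCache,'FlushInstructionCache',\
        ExitProcess,'ExitProcess'
```

Assemble with fasm, run the EXE and check that %ERRORLEVEL% is 42; with DEP enforced the same call would fault if the page had been left PAGE_READWRITE.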
nmake



Joined: 13 Sep 2012
Posts: 192
nmake 03 Dec 2012, 01:35
An exploiter would get around both methods, but it is still bad to not protect it; it is a bad attitude.
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 03 Dec 2012, 14:50
nmake wrote:
An exploiter would get around both methods, but it is still bad to not protect it; it is a bad attitude.
Perhaps he would - but security is about both breadth and depth. Not having DEP/NX enabled for your data and stack makes exploiting easier, and for no good reason.

_________________
carpe noctem
DOS386



Joined: 08 Dec 2006
Posts: 1900
DOS386 18 Dec 2012, 03:02
edfed wrote:
Code:
section '.data' data readable writeable   ; no 'executable' flag on this section
thisdata db '123',0
thiscode:                                 ; code deliberately placed in the data section
mov eax,thisdata
ret


COOL

edfed wrote:
can i assume it to work in every windows platforms?


NO

edfed wrote:
i've tested under 98, xp and 7, nothing seems to forbid that...


This is one of the most horrible design faults of Intel. The good/bad/ugly old 80286 added protected mode allowing but not enforcing separation of executable and writable memory areas through segmentation "technology" with a 64 KiB limit. The 80386 increased the segment limit to 4 GiB and added paging. The surprising effect was that programmers stopped using segmentation (offering both executability and writability control) and switched to flat memory models and paging (offering only writability control, but NO executability control). So we got a regression in security.

BTW, Windaube 98 (your pet) not only ignores the executability control bit in PE, but the writability control bit too!!! (XP and HX do respect the writability control bit.)

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 18 Dec 2012, 07:45
DOS386 wrote:
The surprising effect was that programmers stopped using segmentation (offering both executability and writability control) and switched to flat memory models and paging (offering only writability control, but NO executability control). So we got a regression in security.
Surprising? Flat mode is easier to deal with, for programmers as well as compilers... so not really that surprising. The surprising thing is that it took so many years before native per-page NX bits were added (there were architectural exploits discovered by some of the old reverse engineers that allowed per-page NX many++ years before it was added to the hardware; see if you can locate info on the PaX project).

_________________
carpe noctem
edfed



Joined: 20 Feb 2006
Posts: 4330
Location: Now
edfed 18 Dec 2012, 09:17
I wonder how it works with x86-64. I will test this afternoon.

I also do this:
Code:
mov eax,[thispointer]   ; load a code address stored in a variable
call eax                ; indirect call through the register

and nothing, of course, forbids it, making it possible to call anything.

The goal now will be to test
Code:
call rax                ; the 64-bit equivalent
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 18 Dec 2012, 20:29
None of those will be problematic unless you're trying to call NX areas, edfed.
edfed



Joined: 20 Feb 2006
Posts: 4330
Location: Now
edfed 18 Dec 2012, 21:33
Cool. Then I just have to (re)code my lib in Win32 and 64 now.
DOS386



Joined: 08 Dec 2006
Posts: 1900
DOS386 20 Dec 2012, 01:51
Code:
section '.data' data readable ; NOT writeable ; NOT executable
thisdata db '123',0
thiscode:
blah: mov eax,thisdata
      inc byte [blah] ; self-modifying write into a non-writable section - this works in Windaube 98 !!!
ret
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 20 Dec 2012, 11:46
DOS386: gives me a pagefault on Win98SE - that's under vmware though, I haven't got any physical hardware running Win9x. And yes, the environment under vmware is somewhat different than physical hardware, (some of?) the ring0 hacks don't work, for instance.

_________________
carpe noctem
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.