Log in

View Full Version : Is this behaviour of Virtual Memory normal?


Hero
October 8th, 2008, 02:40
Hi all
I noticed if your virtual memory has PAGE_READWRITE or PAGE_READONLY permission, it is enough to execute what is in that memory page even thouh you don't have PAGE_EXECUTE permission.
Is this a normal behaviour of Virtual memory?
I personnaly think this answer is yes, So this is main reason of DEP feature of windows.
But I want to prevent a page from execution, BUT be readable(so I cannot use PAGE_NOACCESS). Any idea how I can do this?
I were not able to find some good article for it. If you know please provide me one....

Hmmmm,I think total question can be abstracted into this:
"How I can emulate a DEP inside my application without using windows DEP?"

Regards

Camus SoNiCo
October 8th, 2008, 12:01
Mm.. First idea to my mind is to register yourself as the exception handler, and emulate a mechanism like the OS with Stack...

jstorme
October 8th, 2008, 16:18
Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

Hope it helps

Hero
October 9th, 2008, 00:23
Quote:
[Originally Posted by jstorme;77329]Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

Hope it helps



I was thinking about same usage of this emulated DEP.But somebody had this idea before me...

Regards

aionescu
October 20th, 2008, 10:52
Quote:
[Originally Posted by jstorme;77329]Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

Hope it helps


Good work, but don't ship the 3MB .ncb file -- it's useless and will be regenerated automatically, it's just your local autocomplete file.