nezumi-lab
January 10th, 2009, 15:18
Iouri Kharon (IDA-Pro coauthor, the guy who created an excellent win32 emulator ("http://www.doswin32.com/") that works out of pure ms-dos and fits on a single 3″ floppy leaving enough space for system files, FAR manager and a few other tools - unbelievable small, isn’t? he also created a famous UniLink linker ("ftp://ftp.styx.cabel.net/pub/UniLink/") ) asked me if I know analogue for GetProcessDEPPolicy ("http://msdn.microsoft.com/en-us/library/bb736297(VS.85).aspx") for W2K/XP.
this function returns DEP status, telling us do we have non-executable stack/heap or not. it’s very useful for protections, shell-codes and malware, but, um… the problem is - GetProcessDEPPolicy has been appeared only since XP SP3. what’s about W2K or XP SP2 or earlier? the second problem is - sometimes we want to execute code on the stack before the address of GetProcessDEPPolicy will be found.
the solution is simple. just try to execute any code (like RETN) on the stack and if you get an access violation exception - it means DEP is enabled and otherwise. it’s very easy. just a few assembly lines, but it might be even simpler!
any exception raised inside TLS callback is suppressed by OS and isn’t delivered to the app. what it means? it means that trying to execute code inside TLS we’re not obligated to catch exceptions! if DEP is on, OS just terminates TLS callback, so posterior code will be not executed.
to demonstrate this I wrote a simple test program. you can download ("http://nezumi-lab.org/ffh/DEP_XP.zip")it with a source. it has no assembly in-lines, but was tested only for MS VC. compile it, open exe with HIEW ("http://www.hiew.ru/") hex-editor. press ENTER to go to hex-mode. F7 (search)m type DE AD BE EF. move cursor to the next byte after “DE AD BE EF”, see current virtual address (right-top corner of the screen). in our case it’s “PE.4002F8″. convert VA to RVA (i.e. 40002F8 ->2F8). press F8 to call PE header, press to F10 to display Directories, find “TLS” there, press F3 to edit and change RVA to our RVA (in our case it’s 2F9) and make size == 20h. F9 to save changes and Escape (press twice) to close the dialog and exit.
now, run the exe and see DEP status.
http://nezumi-lab.org/blog/?p=54
this function returns DEP status, telling us do we have non-executable stack/heap or not. it’s very useful for protections, shell-codes and malware, but, um… the problem is - GetProcessDEPPolicy has been appeared only since XP SP3. what’s about W2K or XP SP2 or earlier? the second problem is - sometimes we want to execute code on the stack before the address of GetProcessDEPPolicy will be found.
the solution is simple. just try to execute any code (like RETN) on the stack and if you get an access violation exception - it means DEP is enabled and otherwise. it’s very easy. just a few assembly lines, but it might be even simpler!
any exception raised inside TLS callback is suppressed by OS and isn’t delivered to the app. what it means? it means that trying to execute code inside TLS we’re not obligated to catch exceptions! if DEP is on, OS just terminates TLS callback, so posterior code will be not executed.
to demonstrate this I wrote a simple test program. you can download ("http://nezumi-lab.org/ffh/DEP_XP.zip")it with a source. it has no assembly in-lines, but was tested only for MS VC. compile it, open exe with HIEW ("http://www.hiew.ru/") hex-editor. press ENTER to go to hex-mode. F7 (search)m type DE AD BE EF. move cursor to the next byte after “DE AD BE EF”, see current virtual address (right-top corner of the screen). in our case it’s “PE.4002F8″. convert VA to RVA (i.e. 40002F8 ->2F8). press F8 to call PE header, press to F10 to display Directories, find “TLS” there, press F3 to edit and change RVA to our RVA (in our case it’s 2F9) and make size == 20h. F9 to save changes and Escape (press twice) to close the dialog and exit.
now, run the exe and see DEP status.
#pragma comment(lib, “USER32″
#pragma comment(lib, “KERNEL32″
#pragma comment(linker, “/ENTRY:nezumi /SUBSYSTEM:WINDOWS”
char dep[] = “DEP is on!”;
BOOL WINAPI TLS_callback(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
int ret = 0xC3;
if (fdwReason == 1)
{
ret = ((int (*)())&ret)();
*((WORD*) &dep[sizeof(dep)-3]) = ‘ff’;
}
return 0×666;
}
nezumi() { MessageBox(0, dep, “[x]“, 0); }
DWORD ptr[] = { (DWORD) TLS_callback, 0 };
DWORD *xl[] = { (DWORD*) 0xEFBEADDE, ptr, ptr, (DWORD*) xl, ptr, 0, 0};
http://nezumi-lab.org/blog/?p=54