Self modifying code

Started by anuradha, July 17, 2007, 06:26:49 AM

lingo

Quote: "Vista has made improvements against SMC.
So it's going to be very limited as a current usable coding technique."

Would you be so kind to explain more?
Have you some small example?  :wink

hutch--

Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

lingo

DEP was introduced in Windows XP Service Pack 2 and is included in Windows Server 2003 Service Pack 1 and Windows Vista, hence it is before Vista... :wink

hutch--

We all know that, but the front line of anti-SMC is DEP and that is certainly available in Vista.

Tedd

DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section.
However, the code section shouldn't have write access, thus stopping you from modifying the code within (without modifying the access first). Whether or not this is the default Windows case is down to the policy of a particular version; but the reason these problems exist is down to a bad first decision (e.g. including execute access in the data section by default, just in case) and then sticking with it purely for compatibility reasons.
No snowflake in an avalanche feels responsible.

lingo

Quote: "DEP only stops you from executing code in a non-executable section (i.e. data) not from modifying the code section"
That's correct, but my question was about the new
"improvements against SMC" in Vista.
DEP is old and, IMHO, unusual stuff in the struggle against SMC...
Working Example (tested under my Vista Ultimate):

include \masm32\include\masm32rt.inc   ; standard MASM32 includes/libs (VirtualProtect, MessageBox, ExitProcess)

.data
szStack        db  "Stack",0
OldProtect     dd  0                   ; receives the previous page protection

.code
Start:
    mov    ebx, offset L2
    mov    esi, offset L1
    sub    ebx, esi           ; ebx = size of the code between L1 and L2
    push   0                  ; exit code for ExitProcess, consumed at the end
    mov    ecx, ebx
    sub    esp, ebx           ; reserve room on the stack for the copy
    mov    edi, esp
@@:
    movsb                     ; copy the L1..L2 bytes onto the stack (DF is clear)
    loop   @b
    mov    eax, esp
    ; make the stack copy executable; the last argument must be a pointer
    ; (offset OldProtect), not the value of OldProtect, or the call fails
    invoke VirtualProtect, eax, ebx, PAGE_EXECUTE_READWRITE, offset OldProtect
    mov    eax, offset MessageBox  ; the copied code calls MessageBox through eax
    mov    ecx, esp
    call   ecx                ; run the copy that now lives on the stack
    mov    eax, esp
    invoke VirtualProtect, eax, ebx, OldProtect, offset OldProtect  ; restore protection
    add    esp, ebx           ; release the stack buffer; the pushed 0 is on top again
    call   ExitProcess
L1:
    push    0                 ; uType
    push    0                 ; lpCaption
    push    offset szStack    ; lpText
    push    0                 ; hWnd
    call    eax               ; MessageBox(0, "Stack", 0, 0)
    ret
    nop
    nop
L2:
End   Start

For me it is easier to assume that still no one can answer my question rather than to argue with someone about stupid things... :lol

Regards,
Lingo
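
A check that goes with Tedd's explanation of DEP and with the VirtualProtect example above, added here and not part of the thread: whether a process that executes code from the stack is subject to DEP at all depends on the boot-time DEP policy (client editions of Windows default to OptIn, which covers only system binaries) and on the per-process DEP setting. This PowerShell script reports both; it assumes PowerShell 3 or later for Get-CimInstance and Vista SP1 / XP SP3 or later for GetProcessDEPPolicy, which are assumptions about the reader's system.

```powershell
# Added example, not from the thread: report the system-wide DEP policy and the
# per-process DEP state. Assumes Vista SP1 / XP SP3 or later (GetProcessDEPPolicy).

Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-SystemDepPolicy {
    # Boot-time policy (bcdedit /set nx AlwaysOff|AlwaysOn|OptIn|OptOut); client
    # editions default to OptIn, which applies DEP to Windows system binaries only.
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-ProcessDepState {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $flags = [uint32]0
    $permanent = $false
    # Returns $false for native 64-bit processes (DEP is always on there and cannot
    # be disabled) and for processes we lack query access to.
    $ok = [Win32.Dep]::GetProcessDEPPolicy($Process.Handle, [ref]$flags, [ref]$permanent)
    $depOn = if ($ok) { ($flags -band 1) -ne 0 } else { $null }   # PROCESS_DEP_ENABLE = 1
    $perm  = if ($ok) { $permanent } else { $null }
    [pscustomobject]@{
        Name      = $Process.ProcessName
        Id        = $Process.Id
        Queried   = $ok
        DepOn     = $depOn
        Permanent = $perm
    }
}

Get-SystemDepPolicy | Format-List
# Processes owned by other users need elevation to open; skip those we cannot open.
Get-Process | ForEach-Object {
    try { Get-ProcessDepState -Process $_ } catch { }
} | Format-Table Name, Id, Queried, DepOn, Permanent -AutoSize
```

A row with Queried false and no DepOn value is either a native 64-bit process, where DEP is enforced regardless, or one the script could not open.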

P1

Quote from lingo, July 18, 2007, 04:57:52 PM:
Would you be so kind to explain more?
Have you some small example?  :wink
No sample as of yet.  But I have done it for pieces of my code.  A hassle just to get some executable security for happy-go-lucky users who will click on anything that tickles their fancy off the internet.  In the end, better than being hacked.

There will be managed code, i.e. security-signed code, with a local or network certificate.  It will run normally on a local computer or one attached to an AD domain with a certificate server running.  ( AD = Active Directory )  Even Java and VBS can be signed now.

Any normal 32-bit MASM code can be signed, then counted as managed code.  But once signed it is not modifiable.  Think DRM for executables as well.  Once in memory the code section is locked, and it will throw a GPF if the code section is modified.

I am a network engineer, who now has the option to limit any workstation on our network to run ONLY managed code, which in theory will prevent any unmanaged code from running.  With options to run selected security certificates.  And to deny all local self-certified certificates from Group Policy.

In the end, a new wave of secured bloated software.

Regards,  P1   :8)