Data Execution Prevention

Started by ic2, February 14, 2008, 07:08:14 AM


ic2

#30
Rockoon, forget it.

Rockoon

Quote from: ic2 on February 22, 2008, 07:04:43 AM
Quote: The OS isn't manipulating your registers.

Can you prove it?
If so, then what is the problem?
If not, what would be YOUR GUESS?
I'll await your answers...

How can anyone decipher your problem when all you have described is rolling a register, storing it somewhere, and then loading it back up and rolling it back before use?

I'd like to think that you are storing your modified value someplace other than where you got it. I'd like to think that because where I think you got it isn't yours to mess with. But I don't even want to go down that road because I am only assuming that you read the value from the PE section.

Quote: A post like that is to find out if others are having any bad experience with (DEP). The info along with all my previous OSs I tested on proved that my code was good.

You didn't even get any DEP errors. Why do you even think that this is a DEP issue?

Quote: I did not post to explain myself to anyone. I did not prepare an acceptance speech for my fit of anger.

Do you just want to be angry, or do you want to find the actual reason for your issue?

You decide.
When C++ compilers can be coerced to emit rcl and rcr, I *might* consider using one.

ic2

#32
Quote: ...or stop the bad coding practice

So you make this statement without seeing my code. And you don't know nothing about me. So that means you're calling me a liar based off my first post or two. That's a lot of questions asked in a way that seems very strange. I don't think Jimg meant it that way. The way you came just don't seem right no matter how you look at it. I am not a hacker. I don't know how... I code masm32 style examples 1 - 4, the ones that work for all OSs, but include my protection code written in properly 100%.

I'm through with it. I'll just say for every coder, if you have already upgraded months or years ago... just go back to other versions of Windows that millions of people still use and see if your program still works. If it does, knock on wood.
... Don't screw up this thread... bye

Rockoon

Are you sure that it's not an application compatibility shim? Maybe it's malicious software protection? Anti-virus? They work in part by defending, and at times altering, a process's IAT.

There are so many possibilities... but only one is the truth...

...you ARE trying to hack up the IAT, right?? I can only guess.

ecube

Donkey: "Vista has a solution to the DEP problem, you can set DEP in line using SetProcessDEPPolicy, though if GetSystemDEPPolicy returns 1 (AlwaysOn), the API will not change the policy."

PROCESS_DEP_DISABLE  equ  00000000h   ; dwFlags = 0: turn DEP off for this process
.code
DisableVistaDEP proc
    ; SetProcessDEPPolicy only exists in newer kernel32 builds, so it is
    ; resolved at run time instead of being imported; on an older system
    ; the GetProcAddress lookup fails and the proc simply returns.
    invoke GetModuleHandle,CTEXT("kernel32.dll")
    cmp eax,NULL
    je @Done
    mov ecx,eax
    invoke GetProcAddress,ecx,CTEXT("SetProcessDEPPolicy")
    cmp eax,NULL
    je @Done
    push PROCESS_DEP_DISABLE      ; single stdcall argument, callee cleans the stack
    call eax
    ; eax now holds the BOOL result: FALSE means the policy was not changed
    ; (for example when the system policy is AlwaysOn, as Donkey notes above)
@Done:
    ret
DisableVistaDEP endp


Also for XP this should work, but it requires a reboot:

bootcfg /raw "/noexecute=AlwaysOff /fastdetect /noguiboot" /id 1

I hear win2k3 is a bit different, but then others say it works the same, so I am not sure.

QvasiModo

Hi all...

It surprises me to see that here people think DEP is a problem. It's really a patch! Pages marked as non executable should not be executable; this has worked for other architectures and only now Windows has implemented it correctly in Intel. The only code that breaks from it is the one that doesn't comply with the specifications anyway (read the VirtualProtect entry on MSDN).

The solution is and should be to correctly mark pages as executable if you intend to execute code in it. Please note that executable pages can still be writable if you mark them so. I understand the linker by default marks all data pages as writable / non executable and all code pages as read only / executable, but you can change that easily from the linker itself, or on runtime using the APIs.

Passing the right flags to VirtualAlloc, or changing page permissions with VirtualProtect, will always work, Vista or no Vista. It's always been part of the Win32 API so that can't change.

You can also turn off DEP temporarily for the current process, but that's a bad idea IMHO. You really do want to protect non executable pages and it also helps debugging your program. Besides these DEP hacks don't work across Windows versions.

I've also read here that DEP "slows down" viruses. That's not accurate. What it does is make exploitation of security holes harder (or even impossible, it depends on other factors), so virus writers have more difficulty getting one of their creations to break into your computer. Of course if you double click on a file called "pr0n pictures.jpg.exe" that some stranger sent you by email, then DEP is pretty much useless, right? :wink

I also don't think it's true that MS implemented DEP just to screw us assembly programmers, BTW... ::)
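
The allocate-then-protect sequence QvasiModo describes, as an added MASM32 example (not code from any post in this thread): the buffer is plain read/write data while it is being filled and is only switched to execute+read before it is called, so it runs with DEP enforced. It assumes the standard masm32 package (masm32rt.inc, the MemCopy procedure and the rv macro) and a constructed six-byte stub.

```asm
; Added example, not from any post in this thread: DEP-friendly handling
; of code generated at run time. Assumes the standard masm32 package.
include \masm32\include\masm32rt.inc

.data
    ; constructed sample routine: mov eax,1234h / ret, as raw bytes
    stub    db 0B8h, 34h, 12h, 00h, 00h, 0C3h
    STUBLEN equ $ - stub
    fmt     db "stub returned %08Xh", 13, 10, 0
.data?
    oldprot dd ?

.code
start:
    ; 1. commit one page as data only: readable and writable, NOT executable
    invoke VirtualAlloc, NULL, 4096, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
    test eax, eax
    jz done
    mov esi, eax

    ; 2. fill it while it is still writable (MemCopy: source, dest, length)
    invoke MemCopy, addr stub, esi, STUBLEN

    ; 3. flip it to execute+read. With DEP on, "call esi" BEFORE this step
    ;    raises an access violation; that is the protection doing its job.
    invoke VirtualProtect, esi, 4096, PAGE_EXECUTE_READ, addr oldprot
    test eax, eax
    jz freeit
    invoke FlushInstructionCache, rv(GetCurrentProcess), esi, 4096

    ; 4. now it is legal to run it; the page is no longer writable
    call esi
    invoke crt_printf, offset fmt, eax

freeit:
    invoke VirtualFree, esi, 0, MEM_RELEASE
done:
    invoke ExitProcess, 0
end start
```

The same pattern covers a self-modifying code section: leave it read/execute in the PE header and use VirtualProtect around each write instead of making the whole section writable and executable at once.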

ic2

Hello QvasiModo

Mirno, May 18, 2001
Quote: ...Other than as a learning exercise, assembly in DOS is pretty much dead.

Quote: MS$... I said Driver writing OUT ... did anyone get a clue.

ic2, January 1, 2010
Quote: VistaVino128 ........... System Close unless signed or known !!!

from DEP and friends

I request that this thread be moved to the battle grounds.


ecube

I second his request, as I want to see what ic2 has to say :D

ic2

#38
I just started re-building my app from scratch. When you use a GetProcAddr function under XP Service Pack 2 and possibly Vista (I use yOda code)

Microsoft changed the RegisterClassExA API ... regardless

The most important API for getting any window up. That's problem one down. I plan to keep on re-building so I know more. Possibly no other problems, but it will make for good practice to continue re-building ... funny, most would never have a clue about any real changes of the OS until Microsoft put the whammy on you.

In the figure on the right side of the page the API was gotten with the use of yOda's commonly used GetProcAddr code. AND NOW ALL PROGRAMS CRASH...

In the figure on the LEFT side of the page the API was gotten using the common MASM32 API GetProcAddress and the programs run as expected ...


This is all I found so far and it's possibly the only one with such a major change. An API is only 4 bytes but under the OS mentioned you get an overflow as you see. I did everything possible to get 4 bytes through many functions and the OS will not let me do it. Under previous versions this has never been a problem.

But that's not the issue yet here. Look at the API closely. They were called separately within the same program on the same OS. I switched calls and re-compiled and ran the program each time.

As you can plainly see, the API has been stripped in order not to work and may have been tagged in addition. What does this have to do with security? Vir^s register themselves. I don't think most Vir^s plan to show you a window anyway. This is an outright attack on legit assembly coding. Maybe it's only yOda code.

So Rockoon, you were right. DEP was not my problem, it was worse than that. Something no outsider could ever fix. Try it with yours and if it works post a copy please.

QvasiModo, I just like saying that... just in case... i use the word me also, just as an example and I act like this because ...

... This tells me that too much is going on which should not be for a machine that is supposed to be an operating system only.

Anyway, why in the heck would RegisterClassExA be blocked from being called with your own code? That is not nice at all and will not stop a vir^s.


So what are the reasons for this?  What are they trying to hide ?  What are they trying to put a stop to ?   Is it a mistake that must be corrected ?  Do they plan to CORRECT it ?  Have someone replaced Explorer or getting too close to Explorer complexity or getting toooo close  or     WHAT???   Is it Me, is it You ... o God no... because it's would be DOOMS DAY and they have nothing else to do but accommodate good coding like a operating system is suppose to do, regardless...

PS: Asking and accusing are two different things. Never ever accuse others of bad coding practice when all he may be trying to tell you, for your sake also, is that his code was broken under the latest OS or upgrade. Especially if he's been around just as long as you have.

Use your head first.  If it wasn't for bad coding practice Windows would not be here and you would have nothing to do but drink beer and catch crabs, etc.

If you choose to only follow documentation without being adventurous, that's your problem.  No one would even know of these changes if it has not been for great coders like yOda and many others.  That's what we are here for. To catch changes and see what we can do about it if it's a bad change.

Being a snot nose to others because you know more is not the way to go.   Remember the days when you first asked a question and didn't know sh^t.  The point is, out of all we may learn today may not mean jack tomorrow.  But that's the risk we take as coders, and we do not take problems out on each other as well as noobs.  We take it to Microsoft front door.  They may listen if we try.





hutch--

ic2,

I knew y0da back in the middle to late 90s and while he was a clever guy, the world has changed and many of the techniques that worked back then in win95/98 no longer work on later OS versions as the techniques were tuned to those OS versions alone. In those days getting an API address by a non standard means was a protection mechanism to make cracking your app harder but there are other ways to do things like this that do not limit you to out of date OS versions.

The protection mechanisms from that era were all broken at about the same time as they were released and while they were interesting techniques, generally based on the PE executable format, they did not produce anything that lasted, so this stuff is of very limited value to you. Always the best protection mechanisms are idiosyncratic, original and thinking outside the box.

Use your API calls in documented and reliable ways, as the action for doing original and useful things is elsewhere: knowing your architecture, instruction range and to some extent how programs are analysed and cracked.

Rockoon

I was right. Thanks.

Now, do you want to get to the bottom of things? (or do you want to go on and on about how evil you think microsoft is?)

The first step is to hop on MSDN and read the documentation on the functions you are using. Seriously. The documentation is important.

ic2

Thanks hutch, I am paying attention. I learned a long time ago there is no real protection. If it's good enough they can build a team of a hundred crackers in a minute and crack the best within days.

Protection was my only motive to challenge these experts but after all of this time it's a coding style that is built into me. If it don't work, I will find out why not and make it work. It's a habit and it is where I have my biggest fun with ASM. I do it so much and I'll never change and I still got a 5 year plan to learn the rest of what I don't know about ASM. I just want to give the entire team at least 6 months' worth of pure hell. Only then will I feel my ASM experience has been fulfilling. After that I wouldn't care. I'll retire bragging the rest of my days.

One more thing hutch. Just hear me out. Code is code and if it gets outdated I DO all to bring it up to date. If the OS does stuff to block code I fix it if possible. If it's my fault I go to masm32forum and hit my knees... yOda code is still gold today, the modern equivalent does the same but a tiny bit faster but never better. The OS shouldn't interfere with this by right.

Rockoon, I been getting to the bottom of things before you were born. I know you're a kid because you don't know how to figure or talk to grown folks. Can't you understand, I love Microsoft and she loves me. That's why we argue every day. But we never parted. When she acts up I let it be known. And if she don't straighten up I'll start dating Ms. Linux and she knows this.

I will be posting all of my findings... I am in no rush. Within a month the truth will be posted here. I can have my broken project back up and running in under a week but I want to rebuild so I have no time for debugging. I'll just bump right into the problem anyway and make the simple change to the old project, just to be sure... You can't get simpler than that.

Now I'll be pumping it up with even more of the stuff hutch and I were talking about ... I can't wait... I'll never learn.

Rockoon, DEP is still a poorly written application for the OS.  Time will show you that if jj2007 code did not already.

Thanks anyway my guy


OK, here's my correction:

Well, I learned a lot in my non-stop near 48 hours of testing every tiny thing as I go. It's not the API. Because there are two of them and I had both listed in different places somehow years ago and never realized it. That could be classified as bad coding practice and that would be as far as I would ever go. No big deal because look what I discovered behind it ... be it right or wrong I post it.

Speaking of the new project in progress, still at beginning level just for practice... It will not show a window when I use RegisterClassExA.

So I went to Windows 95 and raw XP and it DID SHOW the window using RegisterClassExA ... but it would not show a window in either old or new project when I changed it to RegisterClassA.

This is crazy... It's all backward, but I will not worry you about this any longer because maybe it's only me. My style must be wild. I see what's happening and I know how to play it. Only a madman could ever crack my code since no one knows this exists...

Balance Act 4:
for ic2 only

RegisterClassExA....... Works for Win95 to XP
RegisterClassA............ Works for Service Pack 2 and Vista "maybe"

RegisterClassExA....... Will NOT work for Service Pack 2 and Vista "maybe"
RegisterClassA............ Will NOT work for Win95 to XP

I'll only post my findings from time to time with short comments, without the stories, from now on.

Have a Great Day Everybody

My ASM battle is ON baby ...


It just dawned on me... Maybe this is what you get when you go full blast MANUAL coding. Why didn't I think of that before. This is the payback you get from the OS. The real deal.

Please don't tell me that the OS writers didn't know what they were doing. Dam

Just for that, I'm going to get REAL GOOD at it forever!!!


Rockoon

Quote from: ic2 on March 14, 2008, 01:40:59 PM
Rockoon, I been getting to the bottom of things before you were born. I know you're a kid because you don't know how to figure or talk to grown folks.

Still making the same mistakes after all these years, eh? I'm 35 years old and know full well how to talk to grown ups. I also know how to talk to people who would rather rant and who dismiss factual statements based on their preconceived stubbornness.

Your problem is that you jump to conclusions.

You jumped to the conclusion that DEP was your problem and then ranted about Microsoft, and argued with me about it. Now you finally discovered that DEP wasn't your problem and have again ranted about Microsoft, while trying to pick an argument with me.

The patterns are clear. You like to jump to conclusions, you like to rant about Microsoft, and when challenged on your "facts" you like to argue about it.

Your problem is you.

Quote from: ic2 on March 14, 2008, 01:40:59 PM
Rockoon, DEP is still a poorly written application for the OS.  Time will show you that if jj2007 code did not already.

DEP is not an application. DEP is a hardware feature which the OS has enabled for us. One of the last hardware platforms to offer DEP, finally and thankfully we have it. Eventually the shims that continue to allow the mainstream sloppiness (read: legacy corporate software) to execute will be removed.

Now, you might want to take advantage of one of those shims that disables DEP. My advice is don't do it. You will just be setting yourself up for failure at a later date. Stick to the documentation. Whatever it is that you are trying to do can be done without violating the standards in place, be it masking DLL usage, self modifying code, or even execution of code in your .text. These concepts aren't broken, only sloppy implementations of them are.

ic2

Quote: I'm 35 years old
sub eax,18

GregL

I agree that DEP is a good thing. My Vista system supports hardware-enabled DEP and I have it set to OptOut and I am having no problems. OptIn is the default setting. I tried setting it to AlwaysOn and immediately ran into a problem, Firefox wouldn't run. I was surprised about that, obviously Firefox is 'opting-out'. IE 7 ran just fine, but I prefer Firefox so I switched it back to OptOut. Hopefully Firefox will get that fixed soon.

I think trying to get around DEP is a really bad idea. If it's set to AlwaysOn, it's impossible to get around it (without admin privileges and a reboot). On 64-bit Windows it's AlwaysOn period. Why not play by the rules?