4.5 Other Memory Protection Features
+0x001 TimerControlFlags : 0 ''
+0x06c Flags : _KEXECUTE_OPTIONS
+0x000 ExecuteDisable : 0y1
+0x000 ExecuteEnable : 0y0
+0x000 DisableThunkEmulation : 0y1
+0x000 Permanent : 0y1
+0x000 ExecuteDispatchEnable : 0y0
+0x000 ImageDispatchEnable : 0y0
+0x000 DisableExceptionChainValidation : 0y1
+0x000 Spare : 0y0
+0x000 ExecuteOptions : 0x4d 'M'
For the sake of this discussion, three fields in the KEXECUTE_OPTIONS structure
are of interest (see Table 4.8).
Table 4.8 Fields in KEXECUTE_OPTIONS
Policy            Description
ExecuteDisable    Set to 1 if DEP is enabled
ExecuteEnable     Set to 1 if DEP is disabled
Permanent         Set to 1 if DEP configuration cannot be altered dynamically by the process
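The ExecuteOptions byte in the listing above (0x4d) packs all eight flags. The following added example (not from the original text) decodes it, assuming the fields occupy bits 0 through 7 in the order the debugger lists them, which is consistent with the 0y values shown; the function names and status strings are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: fields sit at bits 0..7 in the order of the debugger listing. */
static const char *const keo_names[8] = {
    "ExecuteDisable", "ExecuteEnable", "DisableThunkEmulation", "Permanent",
    "ExecuteDispatchEnable", "ImageDispatchEnable",
    "DisableExceptionChainValidation", "Spare"
};
#define KEO_EXECUTE_DISABLE 0x01u
#define KEO_EXECUTE_ENABLE  0x02u
#define KEO_PERMANENT       0x08u

/* Write the names of the set flags, '|'-separated; returns the length. */
size_t keo_describe(uint8_t opts, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 8; bit++) {
        if (!(opts & (1u << bit))) continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? "|" : "", keo_names[bit]);
        if (n < 0 || (size_t)n >= len - used) { buf[used] = '\0'; break; }
        used += (size_t)n;
    }
    return used;
}

/* Summarise the three fields of Table 4.8 (status strings are this example's). */
const char *dep_status(uint8_t opts)
{
    int on   = (opts & KEO_EXECUTE_DISABLE) != 0;
    int off  = (opts & KEO_EXECUTE_ENABLE) != 0;
    int perm = (opts & KEO_PERMANENT) != 0;
    if (on && off)   return "inconsistent";  /* both policies claimed at once */
    if (!on && !off) return "unspecified";   /* neither bit set */
    if (on) return perm ? "DEP enabled (permanent)" : "DEP enabled";
    return perm ? "DEP disabled (permanent)" : "DEP disabled";
}

int main(void)
{
    char buf[128];
    keo_describe(0x4d, buf, sizeof buf);     /* ExecuteOptions from the listing */
    printf("0x4d: %s -> %s\n", buf, dep_status(0x4d));
    return 0;
}
```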
One way to examine the DEP status of a program without cranking up a kernel
debugger is with the Sysinternals Process Explorer (see Figure 4.8). The
View menu has a menu item named Select Columns that will allow you to
Figure 4.8 (screenshot: Process Explorer - Sysinternals window with Process, PID, CPU, Company Name, and DEP columns; the listed system processes show "DEP (permanent)")