Chapter 4/ System Briefing

view the DEP status of each process. This column can be set to one of three possible values (see Table 4.9).

Table 4.9 DEP Process Status

Policy             Description
DEP (permanent)    DEP is enabled because the module is a system binary
DEP                DEP is enabled due to the current policy or because the application opted in
Empty              DEP is disabled due to the current policy or because the application opted out

There has been a significant amount of work done toward bypassing DEP protection. After years of cat-and-mouse between Microsoft and the attackers, people continue to successfully bypass DEP. For example, at the 2010 Pwn2Own contest, a researcher from the Netherlands named Peter Vreugdenhil bypassed DEP and ASLR on Windows 7 in an attack that targeted Internet Explorer 8.0.2

Address Space Layout Randomization

In past versions of Windows, the memory manager would try to load binaries at the same location in the linear address space each time that they were loaded. The /BASE linker option supports this behavior by allowing the developer to specify a preferred base address for a DLL or executable. This preferred linear address is stored in the header of the binary.

If a preferred base address is not specified, the default load address for an .EXE application is 0x400000, and the default load address for a DLL is 0x10000000 (these are the 32-bit defaults; 64-bit builds default to 0x140000000 for an .EXE and 0x180000000 for a DLL). If memory is not available at the default or preferred linear address, the system will relocate the binary to some other region. The /FIXED linker option can be used to prevent relocation: it omits the relocation information the loader would need to move the image, so if the memory manager cannot load the binary at its preferred base address, it issues an error message and refuses to load the program.
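The preferred base address, the /FIXED flag and the ASLR/DEP opt-in bits all live in the PE headers, so a practitioner can read them straight off a binary without loading it. The following parser is an added example and is not code from the book; it walks the DOS header, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER (32-bit or 64-bit) using the standard winnt.h field offsets and flag values, and reports the ImageBase together with whether the image was linked with /FIXED (IMAGE_FILE_RELOCS_STRIPPED), /DYNAMICBASE (ASLR opt-in) and /NXCOMPAT (DEP opt-in). The two sample images it parses are constructed in memory for the demonstration (a legacy DLL at 0x10000000 with /FIXED, and an EXE at 0x400000 with both opt-in bits); the function names are this example's own, not a Windows API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants as defined in winnt.h (standard values). */
#define IMAGE_DOS_SIGNATURE                     0x5A4D     /* "MZ" */
#define IMAGE_NT_SIGNATURE                      0x00004550 /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC           0x10B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC           0x20B
#define IMAGE_FILE_RELOCS_STRIPPED              0x0001     /* set by the /FIXED linker option */
#define IMAGE_FILE_EXECUTABLE_IMAGE             0x0002
#define IMAGE_FILE_DLL                          0x2000
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE   0x0040     /* /DYNAMICBASE: ASLR opt-in */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT      0x0100     /* /NXCOMPAT: DEP opt-in */

typedef struct {
    uint64_t image_base;   /* preferred load address (/BASE), as stored in the optional header */
    int is_64bit;
    int is_dll;
    int relocs_stripped;   /* /FIXED: the loader cannot relocate this image, it fails instead */
    int dynamic_base;      /* image asks to be randomized under ASLR */
    int nx_compat;         /* image opts in to DEP */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the DOS, file and optional headers of a PE image held in memory.
 * Returns 0 on success, -1 if the buffer is too short or a signature is wrong. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);             /* file offset of "PE\0\0" */
    /* Need signature (4) + IMAGE_FILE_HEADER (20) + optional header through DllCharacteristics (72). */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return -1;
    const uint8_t *fh = nt + 4;                        /* IMAGE_FILE_HEADER */
    const uint8_t *oh = fh + 20;                       /* IMAGE_OPTIONAL_HEADER32 / 64 */
    uint16_t characteristics = rd16(fh + 18);          /* IMAGE_FILE_HEADER.Characteristics */
    uint16_t magic = rd16(oh);
    memset(out, 0, sizeof *out);
    if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        out->image_base = rd32(oh + 28);               /* PE32: 4-byte ImageBase after BaseOfData */
    } else if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        out->is_64bit = 1;
        out->image_base = rd64(oh + 24);               /* PE32+: 8-byte ImageBase, no BaseOfData */
    } else {
        return -1;
    }
    uint16_t dll_chars = rd16(oh + 70);                /* DllCharacteristics: same offset in both formats */
    out->is_dll          = (characteristics & IMAGE_FILE_DLL) != 0;
    out->relocs_stripped = (characteristics & IMAGE_FILE_RELOCS_STRIPPED) != 0;
    out->dynamic_base    = (dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    out->nx_compat       = (dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    return 0;
}

/* A module is a stable target for hard-coded exploit addresses if it carries no
 * relocations (/FIXED) or never asked to be randomized (no /DYNAMICBASE). */
int pe_has_predictable_base(const pe_info_t *info)
{
    return info->relocs_stripped || !info->dynamic_base;
}

/* Construct a minimal 32-bit PE header in memory (stand-in for a file on disk; not a runnable binary). */
static size_t build_sample_pe32(uint8_t *buf, size_t cap, uint32_t image_base,
                                uint16_t file_chars, uint16_t dll_chars)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 4 + 20 + 0xE0;     /* 0xE0 = sizeof(IMAGE_OPTIONAL_HEADER32) */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    uint8_t *fh = nt + 4;
    wr16(fh + 0, 0x014C);                              /* IMAGE_FILE_MACHINE_I386 */
    wr16(fh + 16, 0xE0);                               /* SizeOfOptionalHeader */
    wr16(fh + 18, file_chars);
    uint8_t *oh = fh + 20;
    wr16(oh + 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(oh + 28, image_base);
    wr16(oh + 70, dll_chars);
    return total;
}

/* Constructed sample 1: a legacy DLL linked with /BASE:0x10000000 /FIXED, no ASLR or DEP opt-in. */
int sample_legacy_dll(pe_info_t *info)
{
    uint8_t img[512];
    size_t n = build_sample_pe32(img, sizeof img, 0x10000000,
                                 IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_DLL, 0);
    return pe_parse(img, n, info);
}

/* Constructed sample 2: an EXE at the default 0x400000 linked with /DYNAMICBASE /NXCOMPAT. */
int sample_hardened_exe(pe_info_t *info)
{
    uint8_t img[512];
    size_t n = build_sample_pe32(img, sizeof img, 0x400000, IMAGE_FILE_EXECUTABLE_IMAGE,
                                 IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    return pe_parse(img, n, info);
}

int main(void)
{
    pe_info_t a, b;
    if (sample_legacy_dll(&a) == 0)
        printf("legacy dll  : base 0x%llx fixed=%d aslr=%d dep=%d predictable=%d\n",
               (unsigned long long)a.image_base, a.relocs_stripped, a.dynamic_base,
               a.nx_compat, pe_has_predictable_base(&a));
    if (sample_hardened_exe(&b) == 0)
        printf("hardened exe: base 0x%llx fixed=%d aslr=%d dep=%d predictable=%d\n",
               (unsigned long long)b.image_base, b.relocs_stripped, b.dynamic_base,
               b.nx_compat, pe_has_predictable_base(&b));
    return 0;
}
```

To run it against a real file, read the image into a buffer and hand it to pe_parse; the field offsets are the same as those dumped by dumpbin /headers. The check in pe_has_predictable_base is the one an exploit writer cares about: a module with stripped relocations can never be moved by ASLR regardless of its DllCharacteristics, which is why a single /FIXED module loaded into an otherwise randomized process is enough to anchor an exploit.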

This behavior made life easier for shell coders by ensuring that certain modules of code would always reside at a fixed address and could be referenced in exploit code using raw numeric literals,

2. http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf.