Dailydave mailing list archives

Re: Non executable memory pages with AMD64 + XP SP2


From: Nicolas RUFF <nicolas.ruff () edelweb fr>
Date: Mon, 06 Dec 2004 16:15:51 +0100

(All in one answer)

First of all, thank you everybody for your support.

>[...] This means
>that your hello world or basic stack overflow that you write will not
>receive the protection until it is enabled system wide.

I would have thought that setting "/NoExecute=AlwaysOn" in BOOT.INI should be enough to enable DEP system wide (including user apps) ... But this is not the case!

>32 bit XP SP2 does use NX technology if running on a processor that
>supports it. It has to run in PAE mode though.

My CPU is an AMD64 Athlon 3000+ (not FX, though). It shall support the NX flag.

MOV EAX, 0x80000001
CPUID
EAX = 00000000000000000000111101001000 (0x00000F48)
EBX = 00000000000000000000000100001000 (0x00000108)
EDX = 11100001110100111111101111111111 (0xE1D3FBFF)
                 ^
                 |--- NX supported

I know that it should run in PAE mode for DEP to be effective, but Microsoft clearly states that PAE is enabled by default along with DEP:
http://support.microsoft.com/kb/875352

>I wrote a white paper for ISS on these shortcomings. It should be made
>public pretty soon.

Aaah, I feel better knowing that there is a real issue behind all this.

>There should be a panel at Control Panel->Performance and
>Maintenance->System->Advanced->Performance Settings->DEP Settings that will
>rewrite the boot.ini as needed for whatever protection level you choose.

Yes, this parameter will set OptIn or OptOut in BOOT.INI. You won't be given a chance to select AlwaysOn or AlwaysOff or PAE through a graphical interface, though.

Regards,
- Nicolas RUFF
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
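
An added example, not part of the original message or the archive: C code that decodes the EDX value quoted above (CPUID leaf 0x80000001, AMD bit layout) and reads the /NoExecute= level from a BOOT.INI entry. The function names and the sample BOOT.INI entry are constructed for illustration; the code checks the stated prerequisites (NX, PAE, a policy other than AlwaysOff) only, not what the kernel actually enforces.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* EDX bits of CPUID leaf 0x80000001 on AMD processors. */
#define EDX_PAE (1u << 6)   /* physical address extension */
#define EDX_NX  (1u << 20)  /* no-execute page protection */
#define EDX_LM  (1u << 29)  /* long mode (64-bit capable) */

enum dep_policy { DEP_UNSPECIFIED, DEP_OPTIN, DEP_OPTOUT, DEP_ALWAYSON, DEP_ALWAYSOFF };

/* Does s start with lit, ignoring case? */
static int starts_with(const char *s, const char *lit) {
    for (; *lit; s++, lit++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*lit)) return 0;
    return 1;
}

/* Extract the /NoExecute= policy from one BOOT.INI operating-system entry. */
enum dep_policy parse_noexecute(const char *entry) {
    static const struct { const char *name; enum dep_policy p; } levels[] = {
        {"alwayson", DEP_ALWAYSON}, {"alwaysoff", DEP_ALWAYSOFF},
        {"optin", DEP_OPTIN}, {"optout", DEP_OPTOUT} };
    for (const char *s = entry; *s; s++) {
        if (!starts_with(s, "/noexecute=")) continue;
        for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++)
            if (starts_with(s + 11, levels[i].name)) return levels[i].p;
        break;  /* switch present but value not recognised */
    }
    return DEP_UNSPECIFIED;
}

/* 1 = CPU and policy both allow hardware DEP, 0 = they do not,
   -1 = no policy in the entry (OS default applies; not modelled here). */
int hw_dep_expected(uint32_t ext_edx, enum dep_policy p) {
    if (p == DEP_UNSPECIFIED) return -1;
    if (!(ext_edx & EDX_NX) || !(ext_edx & EDX_PAE)) return 0;
    return p != DEP_ALWAYSOFF;
}

int main(void) {
    uint32_t edx = 0xE1D3FBFFu;  /* EDX value quoted in the message */
    /* Constructed sample entry, not taken from the poster's machine. */
    const char *entry = "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="
                        "\"Microsoft Windows XP Professional\" /fastdetect /NoExecute=AlwaysOn";
    printf("NX=%d PAE=%d LM=%d\n", !!(edx & EDX_NX), !!(edx & EDX_PAE), !!(edx & EDX_LM));
    printf("policy=%d hw_dep_expected=%d\n", parse_noexecute(entry),
           hw_dep_expected(edx, parse_noexecute(entry)));
    return 0;
}
```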

