This is  again Snake with  his poor English . when m08-67 vulnerability exploited successfully by metasploit guys , i got experience on dep .now i think it is good time ( i know it is a little late ) to public my information about this protection. in this post i try to explain some things that i found about dep internals and NtSetInformationProcess function.

Paging,Page Table,Page Directory

in IA-32 arch architect  and Memory Virtualazation  , CPU and OS are using mechanism called paging.they use paging for mapping linear address space to physical memory . linear address space is CPU addressable space and physical memory is physically connected memory , like RAM or ROM.and mapping is mechanism that translate an address in Virtual memory or Linear Address space to its equal in physical  memory. with out paging and Virtualazation , CPU translate an address directly to Physical memory. but in Memory Virtualazation , whole  address space divided into short fix size blocks  called Page.pages can present in different size , but usually are 4 kb in IA-32 . Page-Directory is 32 bit array of pointers to Page-Tables . and Page Table is 32 bit array that contain address of each page in physical memory. now CPU for mapping an address from Linear Address Space to Physical memory go to desire Page-Directory and find exact Page-Table.then it find correct address from Page and … . figure.1 show this mechanism in better way :

bellow  you can see Page-Directory and Page-Table arrays :

PD and PT bits are not in important for us , just an imagination of what they are and what they do .  by setting Present bit whole array use for storing address and other bits overwritten by addresses   .in  this type of IA-32 paging mechanism, a OS can support and address only  2^32 bits , form 0 to FFFFFFFF. in other word you can have only 4 gig memory for each process . Intel introduced Page Address Extension ( PAE )  for obviating this limits.by using PAE supported CPUs  OS can have 2^36 bit address space and it mean 64 gig memory for each process  ! for using this advantage Intel changed Page-Table and Page-Directory to 64 bit array. above figure show changed PD and PT :

PAE moreover 64 gig address space,  introduced new bit in Page-Table called NX  bit ( Execute Disable , Non-Execute ) .this bit is new protection mechanism in paging related protections such as setting privilege ( R\W )  for Pages . with NX we can mark a page as non executable .  there is many Pages that are use only for holding Data and they are executable so . why let them executable  ?  so by setting this bit OS separate Page for holding Executable Data and Non-Executable data. by this mechanism data related spaces such as Stack,Heap and data section became non-executable and this is Game Over for Exploits that run shellcode from stack or other data sections.

Linux Kernel NX Patch

lets take look at one of first linux Kernel NX patch for better understanding of this protection. at the first we have :

movl %eax,%cr4
btl $5, %eax	# check if PAE is enabled
jnc 6f
/* Check if extended functions are implemented */
movl $0x80000000, %eax
cpuid
cmpl $0x80000000, %eax
jbe 6f
mov $0x80000001, %eax
cpuid
/* Execute Disable bit supported? */
btl $20, %edx
jnc 6f

cr4 control register loaded  into eax , fifth bit of CR4 contain a sign for supporting PAE tech . if it presented we have PAE if not no PAE.  BT instruction used for bit testing and CF will receive its result. after that we use CPUID:80000001 instruction for NX bit checking. 20 bit of edx will recive the result and like PAE checking we have bt instruction again.i skip some functions that are written for mapping kernel address space to physical memory .after that we have function for catching NX in Page-Table :

static void __init set_nx(void)
{
 unsigned int v[4], l, h;
 if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
 cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
 if ((v[3] & (1 << 20)) && !disable_nx) {
 rdmsr(MSR_EFER, l, h);
 l |= EFER_NX;
 wrmsr(MSR_EFER, l, h);
 use_nx = 1;
 __supported_pte_mask |= _PAGE_NX;
 }
 }
}

then Kernel setup Page-Table by paging_init() function and set NX bit in pages ( if it is compatible )  :

void __init paging_init(void)
 {
#ifdef CONFIG_X86_PAE
 set_nx();
 if (use_nx)
 printk("NX (Execute Disable) protection: active\n");
 else
 printk("NX (Execute Disable) protection: not present!\n");
#endif
 pagetable_init();
[...]

now all the Pages are setuped with NX bit enable . for alocating executable Pages Kernel use vmalloc_exec() function :

void *vmalloc_exec(unsigned long size)
{
return __vmalloc(size, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC);
}

Exploitation Limits After NX

as you can see , NX snatch us permission  of executing code from data marked pages. so if we want to exploit a vulnerability by jumping into data preserve page with NX enable , we got Access Violation Exception ( actually a Page Fault ). now Heap , Stack and Data sections are non-executable .the only Executable memory is Code or text section , but it is write protected !

Windows and NX Bit

windows memory management system also take advantage of NX bit to defeat Stack/Heap/Date base buffer overflow  exploits. windows intruduce this protection in the term of Hardware Enforce Data Execution Prevention or just DEP in brevity. if CPU dosnt suppurt NX bit , there is very limit version of DEP , called Software DEP. it is not like Linux patch non-exportability emulation and just ensure that SEH Handler is located in executable Page ( not Stack or Heap ). DEP is configurable also and you can disable it from boot.ini or boot management in Vista . there is copy-pasted text of boot configuration from Wikipedia .

The Boot.ini file settings are as /noexecute=policy_level, where policy_level is defined as one of the following values:
OptIn
This setting is the default configuration for Windows XP. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that “opt in”. With this option, only Windows system binaries are covered by DEP by default and cannot be disabled without changing the policy to “AlwaysOff”. This is also the default in Windows Vista; however in 64-bit Vista 64-bit applications are always opted in. [8]
OptOut
This setting is the default configuration for Windows 2003 SP1. DEP is enabled by default for all processes. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel. Network administrators can use the Application Compatibility Toolkit to “opt out” one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect. Also note that Windows silently disables DEP for certain executables, such as those packaged with ASPack. [9]
AlwaysOn
This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted out by using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff
This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.

DLLs And DEP Compatibly

there is also a mechanism for detecting DEP incompatible binaries .at binary loading stage , OS call a LdrpCheckNXCompatibility() function. LdrpCheckNXCompatibility() make some experiences on binary to known DEP compatibility/ incompatibility. for example by if there is  sections like .aspack , .sforce or any other signature base sections of packers , the binary is DEP incompatible.if  binary is listed in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNt\CurrentVersion\Image File Execution Option\DllNXOptions registery key it is also incompatible , this key is list of  DEP incompatible PEs . if binary have IMAGE_DLL_CHARACTERISTICS_NX_COMPAT set in DllCharacteristics field of its optional header its DEP compatible ( by 0×0100 value ) . this filed will set if binary is linked with      /NXCOMPAT linker option.what happen if a dll wasn’t DEP compatible ? in this situation  LdrpCheckNXCompatibility() disable DEP for that specific incompatible process at runtime. but how ?

Disabling DEP at Runtime

LdrpCheckNXCompatibility() function use NtSetInformationProcess function to disable DEP for a specific process .there is NteSetInformationProcess function prototype :

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
 IN HANDLE               ProcessHandle,
 IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
 IN PVOID                ProcessInformation,
 IN ULONG                ProcessInformationLength );

for setting specific characteristic of a process  , Nt SetInformationProcess() use ProcessInformationClass structure .see this structure in above :

typedef enum _PROCESSINFOCLASS {
 ProcessBasicInformation,
 ProcessQuotaLimits,
 ProcessIoCounters,
 ProcessVmCounters,
 ProcessTimes,
 ProcessBasePriority,
 ProcessRaisePriority,
 ProcessDebugPort,
 ProcessExceptionPort,
 ProcessAccessToken,
 ProcessLdtInformation,
 ProcessLdtSize,
 ProcessDefaultHardErrorMode,
 ProcessIoPortHandlers,          // Note: this is kernel mode only
 ProcessPooledUsageAndLimits,
 ProcessWorkingSetWatch,
 ProcessUserModeIOPL,
 ProcessEnableAlignmentFaultFixup,
 ProcessPriorityClass,
 ProcessWx86Information,
 ProcessHandleCount,
 ProcessAffinityMask,
 ProcessPriorityBoost,
 ProcessDeviceMap,
 ProcessSessionInformation,
 ProcessForegroundInformation,
 ProcessWow64Information,
 ProcessImageFileName,
 ProcessLUIDDeviceMapsEnabled,
 ProcessBreakOnTermination,
 ProcessDebugObjectHandle,
 ProcessDebugFlags,
 ProcessHandleTracing,
 ProcessIoPriority,
 ProcessExecuteFlags,
 ProcessResourceManagement,
 ProcessCookie,
 ProcessImageInformation,
 MaxProcessInfoClass
} PROCESSINFOCLASS;

each entry in ProcessInformationClass point to the specific variable . for example ProcessBasicInformation point to  structure named PROCESS_BASIC_INFORMATION and defined in NTDDK.H .

typedef struct _PROCESS_BASIC_INFORMATION {

NTSTATUS ExitStatus;

PPEB PebBaseAddress;

ULONG_PTR AffinityMask;

KPRIORITY BasePriority;

ULONG_PTR UniqueProcessId;

ULONG_PTR InheritedFromUniqueProcessId;

} PROCESS_BASIC_INFORMATION;

typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

now we can set information of this structure for our selected process by calling NtSetInformationProcess like ( i don’t know coding like this is valid or not ,because i doesn’t find any public example of  using NteSet… ):

PROCESS_BASIC_INFORMATION P_B_I;
P_B_I.ExitStatus = 0;
P_B_I.PebBaseAddress = 0x7FFDF000;
P_B_I.InheritedFromUniqueProcessId = 666;
[...]
NtSetInformationProcess(-1, ProcessBasicInformation, &P_B_I, 0x018);

as you can see , first argument is process handle with PROCESS_SET_INFORMATION access and -1 id defined by windows for current process. second argument is entry of  ProcessInformationClass structure that we want to set , in this case is ProcessBasicInformation . third argument is pointer to modified/seted structure same as a second argument.and finally forth argument is size of second/third argument structure.for each entry of ProcessInformationClass in the NtSetInformationProcess is switch-case block for setting desire informations. for example for setting ProcessAffinityMask :

NTSTATUS WINAPI NtSetInformationProcess(
 IN HANDLE ProcessHandle,
 IN PROCESSINFOCLASS ProcessInformationClass,
 IN PVOID ProcessInformation,
 IN ULONG ProcessInformationLength)
{
 NTSTATUS ret = STATUS_SUCCESS;
 switch (ProcessInformationClass)
 {
[...]
 ProcessAffinityMask:
 if (ProcessInformationLength != sizeof(DWORD_PTR)) return STATUS_INVALID_PARAMETER;
 if (*(PDWORD_PTR)ProcessInformation & ~(((DWORD_PTR)1 << NtCurrentTeb()->Peb->NumberOfProcessors) - 1))
 return STATUS_INVALID_PARAMETER;
 SERVER_START_REQ( set_process_info )
 {
 req->handle   = wine_server_obj_handle( ProcessHandle );
 req->affinity = *(PDWORD_PTR)ProcessInformation;
 req->mask     = SET_PROCESS_INFO_AFFINITY;
 ret = win_server_call( req );
 }
 SERVER_END_REQ;
 break;
[...]

for us there is only one important entry in ProcessInformationClass structure and that is ProcessExecuteFlags. by using this entry in NtSetInfromationProcess() we can Enable/Disable DEP for specific process. DEP setting for a procees is defined in KEXECUTE_OPTIONS field of KPROCESS structure :

DISPATCHER_HEADER     Header                         /* 000 */
 LIST_ENTRY               ProfileListHead;             /* 010 */
 PHYSICAL_ADDRESS      DirectoryTableBase;        /* 018 */
 KGDTENTRY               LdtDescriptor;             /* 020 */
 KIDTENTRY                Int21Descriptor;           /* 028 */
 USHORT                IopmOffset;                /* 030 */
 UCHAR                 Iopl;                         /* 032 */
 UCHAR                 Unused;                     /* 033 */
 ULONG                 ActiveProcessors;          /* 034 */
 ULONG                 KernelTime;                /* 038 */
 ULONG                 UserTime;                  /* 03C */
 LIST_ENTRY            ReadyListHead;             /* 040 */
 SINGLE_LIST_ENTRY     SwapListEntry;             /* 048 */
 PVOID                 VdmTrapcHandler            /* 04C */
 LIST_ENTRY            ThreadListHead;            /* 050 */
 KSPIN_LOCK            ProcessLock;               /* 058 */
 KAFFINITY             Affinity;                  /* 05C */
 union {
 struct {
 ULONG         AutoAlignment:1;           /* 060.0 */
 ULONG         DisableBoost:1;            /* 060.1 */
 ULONG         DisableQuantum:1;          /* 060.2 */
 ULONG         ReservedFlags:29;          /* 060.3 */
 };
 ULONG             ProcessFlags;              /* 060 */
 };
 CHAR                  BasePriority;              /* 064 */
 CHAR                  QuantumReset;              /* 065 */
 UCHAR                 State;                     /* 066 */
 UCHAR                 ThreadSeed;                /* 067 */
 UCHAR                 PowerState;                /* 068 */
 UCHAR                 IdealNode;                 /* 069 */
 UCHAR                 Visited;                   /* 06A */
 KEXECUTE_OPTIONS      Flags;                     /* 06B */
 ULONG                 StackCount;                /* 06C */
 LIST_ENTRY            ProcessListEntry;          /* 070 */

KEXECUTE_OPTIONS contain 7 flag . 4 flag is used for DEP setting :

UCHAR ExecuteDisable:1;
 UCHAR ExecuteEnable:1;
 UCHAR DisableThunkEmulation:1;
 UCHAR Permanent:1;
 UCHAR ExecuteDispatchEnable:1;
 UCHAR ImageDispatchEnable:1;
 UCHAR Spare:2;

if DEP is Enable ExecuteDisable bit set by 1 . if DEP is Disable  ExecuteEnable option will set . if dep is configured as OptOut both ExecuteEnable and ExecuteDisable flags set to 1 and DEP is aslo Enable . there is one another  important flag , Permanent ! in windows Vista/2008/7 Microsoft take advantage of this bit to create a second layer protection against disabling DEP at runtime. in Visat/2008/7 when a program loaded for fist time this bit will set , if compatible , DEP enable and if not disable dep and set  Permanent flag so. if Permanent falg set for process we cannot change DEP policy at runtime . but in prior to Vista we can change dep setting at runtime by calling NtSetInformationProcess() . this macros are defined for changing DEP policy :

#define ProcessExecuteFlags 0x22
#define MEM_EXECUTE_OPTION_DISABLE   0x01
#define MEM_EXECUTE_OPTION_ENABLE    0x02
#define MEM_EXECUTE_OPTION_PERMANENT 0x08

we are familiar with ProcessExecuteFlag as before , it is a part of ProcessInformationClass . by using MEM_EXECUTE_OPTION_DISABLE DEP enable for a process and MEM_EXECUTE_OPTION_ENABLE will disable it.lets take look at this pseudo code and see how NtSetInformationProcess() disable DEP thru this flags :

[...]
case ProcessExecuteFlags:
 if (ProcessInformationLength != sizeof(ULONG))
 return STATUS_INVALID_PARAMETER;
 else if (execute_flags & MEM_EXECUTE_OPTION_PERMANENT)
 return STATUS_ACCESS_DENIED;
 else
 {
 BOOL enable;
 switch (*(ULONG *)ProcessInformation & (MEM_EXECUTE_OPTION_ENABLE|MEM_EXECUTE_OPTION_DISABLE))
 {
 case MEM_EXECUTE_OPTION_ENABLE:
 enable = TRUE;
 break;
 case MEM_EXECUTE_OPTION_DISABLE:
 enable = FALSE;
 break;
 default:
 return STATUS_INVALID_PARAMETER;
 }
 execute_flags = *(ULONG *)ProcessInformation;
[...]

now with this informations , we know calling NtSetInformationProcess() with this arguments , disable DEP for current process :

NtSetInformationProcess(-1, ProcessExecuteFlags, MEM_EXECUTE_OPTION_ENABLE, 0x4 )

this call will set  MEM_EXECUTE_OPTION_ENABLE option for ProcessExecuteFlags and therefore DEP will disable . but the question is how calling NtSetInformationProcess with this arguments ? as i said before , widows Operating System use LdrpCheckNXCompatibility() to check NX compatibility and if a process is not compatible it will disable DEP for that process at runtime. so this is the answer , we can use “code reuse” technique and changing program execution flow to a part of LdrpCheckNXCompatibility() that call NtSetInformationProcess() with desire options.lets take look at its code ( in ntdll.dll ) :

loc_7C936831:
push    4
lea     eax, [ebp+var_4]
push    eax
push    22h
push    0FFFFFFFFh
call    ZwSetInformationProcess
jmp     loc_7C91CD6D
; END OF FUNCTION CHUNK FOR sub_7C91CD11

for using this section of code you have to jump in upper section and execute thru  it till reach this section. i suggest you to read Skape paper about this technique and using ntdll.dll call to SetInformationProcess.there is another dll that call NtSetInformationProcess with DEP disable arguments , it is acgenral.dll :

loc_6F8917C2:
push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:NtSetInformationProcess

metasploit use this dll and codes to disable DEP for  ms08-67 vulnerability exploit code.you cannot ever jump to this dll , because it most loaded into process address space and it is not communal DLL .but attention if you use LdrpCheckNXCompatibility() (ntdll ) or avgenrall.dll for disabling DEP Set EBP to a writable address . because, as you can see both ntdll and acgenrall calls, use ebp and stack for storing one of NtSetInformationProcess() arguments . as you know at end of function and before RET instruction get execute we have pop ebp ( or simply leave ) instruction and if you corrupt stack of vulnerable function by junk date , you will change ebp value to a unknown address. and calling to NtSetInformationProcess() will fail .

have nice exploitation;) .

Reference :

1. React OS – reactos.org
2. Skape,  Bypassing Windows Hardware-enforced Data Execution Prevention - www.uninformed.org
3. WineHQ - www.winehq.org
4. Data Execution Prevention – wikipedia.org
5. Intel Manual – intel.com
6. ms08-67 Vulnerability Exploit Code – metasploit.com