Hi
I want to ask to be absolutely sure. I have a problem that can be solved nicely using thunks but I'm not sure if this approach will work on systems where the PAE mode is enabled. Can somebody confirm it?

Regards

Biterider
Posted on 2006-03-20 01:11:57 by Biterider
Biterider,
What's a thunk? And PAE? Or maybe, if I have to ask, I don't need to know. Ratch
Posted on 2006-03-20 10:56:19 by Ratch
What's a thunk and PAE? Or maybe, if I have to ask, I don't need to know. Ratch
Google is your friend.

Regards,  P1  8)
Posted on 2006-03-20 13:24:55 by P1
p1,
I came, I Googled, I learned that I did not have to know. :mrgreen: Ratch
Posted on 2006-03-20 15:41:40 by Ratch
Hrm, isn't thunking a win9x technique, and PAE only available for NT? Or is there something I'm missing?
Posted on 2006-03-21 08:05:53 by f0dder
Hi
I have to be a little more explicit about the problem.
Thunking is an old technique used for many purposes. In my case I have to modify some data passed from/to a system callback. The code to modify this data is placed in the thunk, which is in the process heap.
Now, if you enable PAE/DEP (data execution prevention) on the system and due to that the process heap is marked as NX, the code should not execute, raising an exception (05h). OK, so far the theory. I have done this but the code still runs.
DEP can be implemented using hardware and/or software. I have only the software option available. Perhaps this is the reason why I can execute the thunk.

Any idea?

Regards,

Biterider
Posted on 2006-03-21 08:48:09 by Biterider
IIRC software DEP only checks *some* things, because it needs some tricks that would be a bit too system intensive if done everywhere. Try to see if you can find The Owl + others' document on the PaX system, which is essentially the same thing, just done many years earlier than XP SP2... and ripped off by OpenBSD afaik.

For dynamically created code, you really need VirtualAlloc. I suppose VirtualProtecting heap memory would do, too, but VirtualAlloc is the safest bet.
Posted on 2006-03-21 09:01:28 by f0dder
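An added example of what f0dder describes, not code from the thread or from the OA32 package: a tiny thunk built at run time and placed in memory obtained from the paging API (VirtualAlloc on Windows, mmap elsewhere) instead of the process heap, and made executable only after it has been written. It assumes an x86/x86-64 host; the names `thunk_supported`, `make_thunk` and `call_thunk` are my own.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif
typedef int (*thunk_fn)(void);
enum { THUNK_PAGE = 4096 };   /* x86 page size; plenty for a 6-byte thunk */
/* The thunk is x86 machine code, so report 0 on other architectures. */
int thunk_supported(void) {
#if defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}
/* Build "mov eax, imm32 ; ret" (6 bytes, valid on 32- and 64-bit x86): a thunk
 * returning the constant baked into it.  Copying these bytes into malloc()ed heap
 * memory and calling them is the case discussed above: with hardware DEP that page
 * is NX and the call faults.  Here the page is mapped RW, written, then switched to
 * read+execute, so it is never writable and executable at the same time (W^X). */
thunk_fn make_thunk(int32_t value) {
    unsigned char code[6] = { 0xB8, 0, 0, 0, 0, 0xC3 };
    thunk_fn fn = NULL;
    void *mem;
    if (!thunk_supported()) return NULL;
    memcpy(code + 1, &value, 4);            /* patch the imm32 operand */
#ifdef _WIN32
    DWORD old;
    mem = VirtualAlloc(NULL, THUNK_PAGE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return NULL;
    memcpy(mem, code, sizeof code);
    if (!VirtualProtect(mem, THUNK_PAGE, PAGE_EXECUTE_READ, &old)) return NULL;
    FlushInstructionCache(GetCurrentProcess(), mem, THUNK_PAGE);
#else
    mem = mmap(NULL, THUNK_PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, sizeof code);
    if (mprotect(mem, THUNK_PAGE, PROT_READ | PROT_EXEC) != 0) return NULL;
#endif
    memcpy(&fn, &mem, sizeof fn);           /* void* -> function pointer without a cast */
    return fn;
}
/* Create a thunk for `value`, call it, and return its result (-1 on failure). */
int call_thunk(int32_t value) {
    thunk_fn fn = make_thunk(value);
    return fn ? fn() : -1;
}
```

The page is intentionally never freed or made writable again; a real thunk allocator would keep it for the object's lifetime and release it with VirtualFree/munmap.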
Now, if you enable PAE/DEP (data execution prevention) on the system and due to that the process heap is marked as NX, the code should not execute, raising an exception (05h). OK, so far the theory. I have done this but the code still runs.

This may be because, by default, DEP verifies only files that belong to Windows.
You can set it to check *every* file, but it will then crash any file that is compressed or protected (until the execute flag is set, of course).
Posted on 2006-03-22 07:43:23 by Axial
Hi
I have set it to check all, but it can still execute. My guess is that, as f0dder has said, the necessary hardware must be present to fully check all memory accesses.

Biterider
Posted on 2006-03-22 07:52:34 by Biterider
On Athlon 64 systems it indeed blocks non-executable code. I didn't test it with other procs though...
Posted on 2006-03-22 08:31:08 by Axial
Hi Axial
If I send you an app, can you test it for me? I can send the sources too, so you can check that it's no malware...

Regards

Biterider
Posted on 2006-03-22 08:51:48 by Biterider
Sure.
Just upload it on the board.
Posted on 2006-03-23 04:49:49 by Axial
Hi Axial
Here's the code. It's a variation of the Demo02 of the OA32 package that uses a thunk to pass the object instance pointer to the WndProc method.

Biterider
Posted on 2006-03-23 08:06:00 by Biterider
Hi Biterider
As you see it was blocked
Posted on 2006-03-24 08:36:22 by Axial
Hi Axial
Thank you very much for testing. It seems that the hardware is necessary to fully implement the DEP.

Regards

Biterider
Posted on 2006-03-24 09:59:30 by Biterider
Hi Axial
Thank you very much for testing. It seems that the hardware is necessary to fully implement the DEP.

It's possible to do without the hardware, but it's too much of a performance hit to do systemwide protection that way...
Posted on 2006-03-25 09:12:02 by f0dder