Nmap Development mailing list archives

RE: Enabling DEP and ASLR on Nmap for Windows


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 13 Aug 2010 19:26:48 +0100

These two links might be a good starting point for DEP:

http://support.microsoft.com/kb/912923
http://en.wikipedia.org/wiki/X86-64

I believe that AMD's AMD64 instruction set, which Intel later adopted for
their x64 CPUs, included NX/DEP support from the very start (Intel already
had support in their IA-64 architecture) and is presumably why 64-bit
versions of Windows always have hardware-enforced DEP enabled for 64-bit
native programs. Having said that, it appears that early Intel CPUs with
Intel 64 lacked the NX bit - I presume in this probably quite rare scenario
that means it'll fall back to software DEP, but I don't know for sure.

It probably depends how it's implemented, but if you can use the
/DYNAMICBASE and /NXCOMPAT flags to set support in the PE header, I think
NT4 will safely ignore them like Windows 2000 and XP does, but I admit I
haven't dug out my old NT4 media to test this out. It looks like you can use
editbin to add these flags to the PE header after they've been compiled, as
long as they weren't compiled with /FIXED to begin with (which is why we
can't do anything about zenmap.exe, for example), but I doubt that way is
recommended by anyone.

The other way of doing it would involve using SetProcessDEPPolicy() 

http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx

This is only available from XP SP3, Vista SP1 and Server 2008. This hasn't
been implemented (yet?) in Nmap, but it'd only gain DEP support on XP SP3
(as Vista onwards support the /dynamicbase and /nxcompat flags; and older
versions of XP don't support the function), so I don't know what pitfalls
might be encountered when using it (I was hoping to check specifically for
something like the XP SP3 NTDDI_VERSION and only call the function then).

ASLR is only available on Vista onwards, so the easiest way is to use the
/DYNAMICBASE linker switch. I'm not actually sure how you'd do it otherwise.

I can't remember offhand if you compile WinPcap using Visual C++ 2003 or
2005, but I believe later versions of both products are capable of setting
the /NXCOMPAT linker switch. I believe /DYNAMICBASE is only supported by
2005 SP1 onwards though.

I would normally suggest using Looking Glass from Errata Security to check
for ASLR and DEP support. However, I've spent the morning trying to compile
OpenSSL (the older version we're still using, as newer versions caused
compilation errors) using /DYNAMICBASE and /NXCOMPAT as well as using
editbin on versions compiled without the linker switches to add the same
flags to the PE header. They seemed to work okay (I've only run one scan
against an SSL service, much more testing is obviously required), but
ssleay32.dll disappeared from Looking Glass' list of analyzed files,
although it did say it had analyzed 7 when 6 were listed, so it's possible
that the tool is a bit buggy!

Rob


-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Gianluca Varenni
Sent: 13 August 2010 17:02
To: 'Fyodor'; Rob Nicholls
Cc: 'George Orwell'; nmap-dev () insecure org
Subject: Re: Enabling DEP and ASLR on Nmap for Windows



--------------------------------------------------
From: "'Fyodor'" <fyodor () insecure org>
Sent: Thursday, August 12, 2010 10:56 PM
To: "Rob Nicholls" <robert () robnicholls co uk>
Cc: "'George Orwell'" <nobody () mixmaster it>; <nmap-dev () insecure org>
Subject: Re: Enabling DEP and ASLR on Nmap for Windows

...

The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed
binaries, so we'd really need WinPcap to make the changes at their end.

Maybe we'll ask them nicely.


I'm definitely willing to add support for it in the next release of WinPcap.

Can you provide some pointers on documentation for it? Do you know if the 
feature is available on x64 systems too?

I will also need to discover what happens if such a DLL is run on NT4...

GV
 

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
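The thread above talks about checking whether a PE file carries the /NXCOMPAT and /DYNAMICBASE flags, and about the /FIXED caveat that stops editbin from making zenmap.exe randomisable. The following is an added example (not code from the thread, Nmap, WinPcap or Looking Glass) that reads those bits straight out of the PE headers with Python's struct module. The flag values are the winnt.h constants; the images it examines are constructed inline for the demonstration and are not real binaries.

```python
import struct

# PE header bit flags (winnt.h names and values)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # set when linked with /FIXED
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report
    the DEP/ASLR related flags. Only the headers are read, so the image
    does not have to be loadable or complete."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nxcompat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamicbase": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only rebase an image that still has relocations, so
        # flipping DYNAMICBASE on a /FIXED image (editbin style) buys nothing.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_pe(pe32plus: bool, file_chars: int, dll_chars: int) -> bytes:
    """Constructed test input: a headers-only PE image carrying the given
    flags. It is not a runnable binary, just enough bytes for pe_mitigations()."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt_header = bytearray(opt_size)
    struct.pack_into("<H", opt_header, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt_header, 70, dll_chars)
    return dos_header + b"PE\0\0" + file_header + bytes(opt_header)


if __name__ == "__main__":
    # Constructed cases: (1) linked with /NXCOMPAT /DYNAMICBASE, (2) linked
    # with /FIXED and then patched with editbin, (3) neither flag at all.
    samples = {
        "linked_with_both": build_pe(False, 0x0102, 0x0140),
        "fixed_then_editbin": build_pe(True, 0x0023, 0x0140),
        "no_mitigations": build_pe(False, 0x0102, 0x0000),
    }
    for name, image in samples.items():
        print(name, pe_mitigations(image))
```

For a real file, call pe_mitigations(open(path, "rb").read()). The same bits are what dumpbin /headers prints under "DLL characteristics", and editbin /NXCOMPAT /DYNAMICBASE only flips those bits; it cannot add the relocations that /FIXED discarded, which is why the relocs_stripped check is worth keeping alongside the DYNAMICBASE one.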

