Nmap Development mailing list archives
RE: Enabling DEP and ASLR on Nmap for Windows
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 13 Aug 2010 19:26:48 +0100
These two links might be a good starting point for DEP:
http://support.microsoft.com/kb/912923
http://en.wikipedia.org/wiki/X86-64

I believe that AMD's AMD64 instruction set, which Intel later adopted for their x64 CPUs, included NX/DEP support from the very start (Intel already had support in their IA-64 architecture) and is presumably why 64-bit versions of Windows always have hardware-enforced DEP enabled for 64-bit native programs. Having said that, it appears that early Intel CPUs with Intel 64 lacked the NX bit - I presume in this probably quite rare scenario that means it'll fall back to software DEP, but I don't know for sure.

It probably depends how it's implemented, but if you can use the /DYNAMICBASE and /NXCOMPAT flags to set support in the PE header, I think NT4 will safely ignore them like Windows 2000 and XP do, but I admit I haven't dug out my old NT4 media to test this out. It looks like you can use editbin to add these flags to the PE header after they've been compiled, as long as they weren't compiled with /FIXED to begin with (which is why we can't do anything about zenmap.exe, for example), but I doubt that way is recommended by anyone.

The other way of doing it would involve using SetProcessDEPPolicy():
http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx

This is only available from XP SP3, Vista SP1 and Server 2008. This hasn't been implemented (yet?) in Nmap, but it'd only gain DEP support on XP SP3 (as Vista onwards support the /dynamicbase and /nxcompat flags; and older versions of XP don't support the function), so I don't know what pitfalls might be encountered when using it (I was hoping to check specifically for something like the XP SP3 NTDDI_VERSION and only call the function then).

ASLR is only available on Vista onwards, so the easiest way is to use the /DYNAMICBASE linker switch. I'm not actually sure how you'd do it otherwise.
I can't remember offhand if you compile WinPcap using Visual C++ 2003 or 2005, but I believe later versions of both products are capable of setting the /NXCOMPAT linker switch. I believe /DYNAMICBASE is only supported by 2005 SP1 onwards though.

I would normally suggest using Looking Glass from Errata Security to check for ASLR and DEP support. However, I've spent the morning trying to compile OpenSSL (the older version we're still using, as newer versions caused compilation errors) using /DYNAMICBASE and /NXCOMPAT as well as using editbin on versions compiled without the linker switches to add the same flags to the PE header. They seemed to work okay (I've only run one scan against an SSL service, much more testing is obviously required), but ssleay32.dll disappeared from Looking Glass' list of analyzed files, although it did say it had analyzed 7 when 6 were listed, so it's possible that the tool is a bit buggy!

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Gianluca Varenni
Sent: 13 August 2010 17:02
To: 'Fyodor'; Rob Nicholls
Cc: 'George Orwell'; nmap-dev () insecure org
Subject: Re: Enabling DEP and ASLR on Nmap for Windows

--------------------------------------------------
From: "'Fyodor'" <fyodor () insecure org>
Sent: Thursday, August 12, 2010 10:56 PM
To: "Rob Nicholls" <robert () robnicholls co uk>
Cc: "'George Orwell'" <nobody () mixmaster it>; <nmap-dev () insecure org>
Subject: Re: Enabling DEP and ASLR on Nmap for Windows

...
The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed binaries, so we'd really need WinPcap to make the changes at their end. Maybe we'll ask them nicely.
I'm definitely willing to add support for it in the next release of WinPcap. Can you provide some pointers on documentation for it? Do you know if the feature is available on x64 systems too? I will also need to discover what happens if such a DLL is run on NT4...

GV

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
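As an added example (not code from this thread, nor from the Nmap, WinPcap or OpenSSL projects), the script below reads the PE header bits that the /DYNAMICBASE and /NXCOMPAT linker switches (or editbin) set, and the relocations-stripped bit that /FIXED sets, which is what makes ASLR impossible to add afterwards; `build_sample` constructs a minimal stand-in image so the check runs offline without a real binary.

```python
"""Report DEP (/NXCOMPAT), ASLR (/DYNAMICBASE) and /FIXED status from a PE header.
Added example; the sample image is constructed, not a real Nmap or WinPcap file."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics bit set by /FIXED
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # DllCharacteristics bit set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DllCharacteristics bit set by /NXCOMPAT
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, _nsec, _ts, _symtab, _nsyms, _opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                            # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    fixed = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32_PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # The loader cannot rebase an image without relocations, so /FIXED defeats ASLR
        # even if editbin later sets the DYNAMIC_BASE bit.
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not fixed,
        "fixed": fixed,
    }


def build_sample(dll_chars: int, file_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal image: MZ stub, PE signature, COFF header, optional header."""
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x8664 if pe32plus else 0x14C                    # AMD64 or I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> right after stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0)
    print(inspect_pe(hardened))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_pe`; a result with `fixed` set is the zenmap.exe situation from the thread, where editbin cannot help.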