Buffer overflow protection (MS)
0x01 /GS -- buffer security check
If /GS is used for compilation, the compiler inserts code into the program to detect buffer overflows that could overwrite a function's return address. If such an overflow is detected, the system displays a warning dialog box to the user and terminates the program, so the attacker cannot take control of the application. You can also write a custom error handling routine that handles the error in place of the default dialog box.
A special cookie (a sequence of bytes) is inserted before the return address, so that any buffer overflow that reaches the return address also changes the cookie. The cookie value is tested before the function returns; if it has been changed, the failure handler is called. Servers or services may need different handling than displaying a dialog box.
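The cookie check described above, modelled in C as an added example that is not part of the original page or of any Microsoft code: the frame layout, the cookie value, the return address and the `report_gs_failure` routine are all constructed stand-ins for what the compiler emits. The write is clamped at the end of the simulated frame so the program itself stays within defined behaviour; inside the frame it overruns the buffer exactly as an unbounded copy would.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a /GS frame (not a real compiler's layout): the local
 * buffer sits below the cookie, and the cookie below the saved return address,
 * so an overflow running upward must pass through the cookie first. */
typedef struct {
    char     buf[16];
    uint32_t cookie;      /* copy of the per-image security cookie */
    uint32_t saved_ret;   /* saved return address this frame protects */
} gs_frame_t;

/* Per-image cookie; a constructed constant here, random at start-up in real builds. */
static const uint32_t g_security_cookie = 0x5A3C1E7Bu;

/* Custom failure routine standing in for the default dialog box: a server would
 * log and terminate here. This model only counts how often the check fired. */
static int g_gs_failures = 0;
static void report_gs_failure(void) { g_gs_failures++; }

/* Unbounded copy into the frame, like strcpy on an attacker-controlled length.
 * The write is clamped at the end of the frame object so the model is well-defined
 * C; inside the frame it still runs from buf into cookie and saved_ret. */
static void copy_unbounded(gs_frame_t *f, const uint8_t *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((uint8_t *)f, src, len);
}

/* The fixed copy: never writes past buf, so the cookie is never touched. */
static void copy_bounded(gs_frame_t *f, const uint8_t *src, size_t len) {
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, src, len);
}

/* Equivalent of __security_check_cookie in the epilogue: 1 if the function may
 * return normally, 0 if the cookie changed and the failure handler ran. */
static int gs_epilogue(const gs_frame_t *f) {
    if (f->cookie != g_security_cookie) { report_gs_failure(); return 0; }
    return 1;
}

static void frame_init(gs_frame_t *f) {
    memset(f, 0, sizeof *f);
    f->cookie = g_security_cookie;
    f->saved_ret = 0x00401000u;   /* constructed return address */
}

/* Vulnerable function: returns 1 on a normal return, 0 when /GS stops it. */
int run_vulnerable(const uint8_t *input, size_t len) {
    gs_frame_t f; frame_init(&f);
    copy_unbounded(&f, input, len);
    return gs_epilogue(&f);
}

/* Same function after the fix: the check never fires because the copy is bounded. */
int run_fixed(const uint8_t *input, size_t len) {
    gs_frame_t f; frame_init(&f);
    copy_bounded(&f, input, len);
    return gs_epilogue(&f);
}

/* Convenience: run either variant on len bytes of 'A' (constructed input). */
int run_case(int fixed, size_t len) {
    uint8_t input[64];
    memset(input, 'A', sizeof input);
    if (len > sizeof input) len = sizeof input;
    return fixed ? run_fixed(input, len) : run_vulnerable(input, len);
}

int gs_failure_count(void) { return g_gs_failures; }

int main(void) {
    printf("vulnerable, 10 bytes: %d\n", run_case(0, 10));   /* fits in buf */
    printf("vulnerable, 20 bytes: %d\n", run_case(0, 20));   /* cookie clobbered */
    printf("fixed, 24 bytes:      %d\n", run_case(1, 24));   /* copy was bounded */
    printf("failures reported:    %d\n", gs_failure_count());
    return 0;
}
```

A 20-byte input already overwrites the cookie before it reaches the saved return address, which is why the check is placed between the two: the cookie is compared in the epilogue, and the corrupted return address is never used.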
0x02 SafeSEH
1. What is SafeSEH?
Until now, stack overflow has been the core security issue on Windows systems, and the technique of overwriting the SEH record on the stack is well known. SafeSEH is a technology for detecting and preventing the SEH record on the stack from being overwritten.
2. Is SafeSEH a new technology in Vista?
SafeSEH is not a new technology in Vista; it was already introduced in XP SP2. However, SafeSEH needs compiler support: only images compiled with the .NET compiler carry the SafeSEH table, while the libraries and executables shipped with XP SP2 were not built with that compiler, so SafeSEH on XP SP2 fell on deaf ears. On XP SP2, a stack overflow that overwrites the SEH handler address still gets past all the protection mechanisms easily. As a result, research on SafeSEH was never taken seriously in the XP SP2 era, and the analyses of its mechanism that did appear contained many errors, for example the claim that SafeSEH only blocks addresses in the data segment and allows any address in a library's function space, which mistakes SafeSEH's behaviour for a check that merely protects function addresses.
3. Why does SafeSEH begin to take effect in Vista?
Vista's system libraries: more than 99% of its programs are compiled with the .NET compiler, and by default that compiler generates SafeSEH support in the image. Therefore the system libraries loaded by applications on Vista are almost all SafeSEH-enabled images. When a stack overflow occurs, an SEH handler address that points into a SafeSEH-enabled module is checked, so the technique of overwriting the SEH address on the stack no longer works.
4. Security of SafeSEH in Vista
SafeSEH is very powerful. If every module loaded by a process is a SafeSEH-enabled image, it is impossible to gain control by overwriting SEH. At least 99% of the system libraries in Vista are SafeSEH-enabled images, whereas 99% of the system libraries in XP SP2 are not. So although SafeSEH is a technology that XP SP2 began to use, it is really a technology that started to play a role under Vista. Of course, a single image in the process that does not support SafeSEH is equivalent to the failure of the whole SafeSEH mechanism, but because Vista also supports randomization of the process address space, that can be used to defend against SEH overwrites in this case.
5. Implementation process of SafeSEH
The principle of SafeSEH itself is very simple: when the compiler generates a binary image, it resolves the addresses of all valid SEH handler functions and generates a table of valid SEH handlers in the image, which is strictly matched against during exception handling. The basic process is as follows (XP SP2 and Vista are the same).
Loading process: when an image is loaded, locate and read the address of the valid SEH handler table (if the image does not support SafeSEH, the table address is 0) and encrypt it with a random number stored in the memory of the logged-in user. The encrypted SEH table address, the start address of the image, the length of the image, and the number of valid SEH handlers are stored as one record in the data memory of the ntdll loader module.
Exception handling process: based on the SEH handler address found on the stack, check whether it belongs to the address space of some image. If it does, read that image's record (encrypted SEH table address, image start address, image length, number of valid SEH handlers) from the data memory of the ntdll loader module, decrypt the encrypted SEH table address with the random number stored in the memory of the logged-in user, and obtain the actual address of the SEH handler table.
* If the address is not 0, the image supports SafeSEH. Based on the number of valid SEH handlers, the addresses of the valid handlers are computed in sequence and compared with the current SEH handler address. If one matches, the SEH handler is executed; if none matches, the address specified by the current SEH record is not executed.
* If the address is 0, the image does not support SafeSEH; as long as the handler address lies within the image's code range, the code is executed.
// Exception dispatcher (same with or without SafeSEH): checks the record and
// the handler location, then delegates handler validation to RtlIsValidHandler
void RtlDispatchException(...)
{
    if (exception record is not on the stack)
        goto corruption;
    if (handler is on the stack)
        goto corruption;
    if (RtlIsValidHandler(handler, process_flags) == FALSE)
        goto corruption;
    // execute handler
    RtlpExecuteHandlerForException(handler, ...)
    ...
}

// With SafeSEH: handler validation
BOOL RtlIsValidHandler(handler)
{
    if (handler is in an image) {
        if (image has the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set)
            return FALSE;
        if (image has a SafeSEH table)
            if (handler found in the table)
                return TRUE;
            else
                return FALSE;
        if (image is a .NET assembly with the ILonly flag set)
            return FALSE;
        // fall through
    }
    if (handler is on a non-executable page) {
        if (ExecuteDispatchEnable bit set in the process flags)
            return TRUE;
        else
            raise ACCESS_VIOLATION;   // enforce DEP even without hardware NX
    }
    if (handler is not in an image) {
        if (ImageDispatchEnable bit set in the process flags)
            return TRUE;
        else
            return FALSE;             // handlers outside of images are not allowed
    }
    // in an image, but not in a SafeSEH table
    return TRUE;
}
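The loader record and the validation walk described in the loading and exception handling processes above, as an added C model that is not the page's pseudocode or Windows' real code. The module records, image bases, handler RVAs, region map and the `scenario` fixture are all constructed; pointer "encryption" is simplified to XOR with a constant standing in for the per-process random number, and the case where ntdll raises an access violation is modelled as a plain rejection.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the record ntdll keeps per loaded image (see the loading
 * process above): encoded table pointer, image base and size, handler count, and
 * the NO_SEH characteristic. These are not Windows' real structures. */
typedef struct {
    uintptr_t image_base;      /* constructed base address */
    size_t    image_size;
    uintptr_t encoded_table;   /* SEH table address XOR cookie; 0 = no SafeSEH table */
    size_t    handler_count;
    bool      no_seh;          /* IMAGE_DLLCHARACTERISTICS_NO_SEH set */
} module_record_t;

/* Memory map entry used to answer "is the handler on an executable page?". */
typedef struct { uintptr_t start; size_t len; bool executable; } region_t;

/* Process flags named in the pseudocode above. */
typedef struct { bool execute_dispatch_enable; bool image_dispatch_enable; } process_flags_t;

/* Assumption: the "encryption" of the table pointer is modelled as XOR with a
 * per-process random cookie (constructed value). */
static const uintptr_t g_pointer_cookie = 0x3F9A2C61u;
static uintptr_t encode_ptr(uintptr_t p) { return p ? p ^ g_pointer_cookie : 0; }
static uintptr_t decode_ptr(uintptr_t e) { return e ? e ^ g_pointer_cookie : 0; }

static const module_record_t *find_module(uintptr_t a, const module_record_t *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a >= m[i].image_base && a < m[i].image_base + m[i].image_size) return &m[i];
    return NULL;
}

static bool is_executable(uintptr_t a, const region_t *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a >= r[i].start && a < r[i].start + r[i].len) return r[i].executable;
    return false;   /* unmapped memory is treated as non-executable */
}

/* Model of RtlIsValidHandler following the pseudocode above. The SafeSEH table is
 * an array of handler RVAs, as in the real IMAGE_LOAD_CONFIG_DIRECTORY. */
bool is_valid_handler(uintptr_t handler, const module_record_t *mods, size_t nmods,
                      const region_t *regs, size_t nregs, process_flags_t flags) {
    const module_record_t *m = find_module(handler, mods, nmods);
    if (m) {
        if (m->no_seh) return false;
        uintptr_t table = decode_ptr(m->encoded_table);
        if (table != 0) {                            /* image supports SafeSEH */
            const uint32_t *rvas = (const uint32_t *)table;
            uint32_t rva = (uint32_t)(handler - m->image_base);
            for (size_t i = 0; i < m->handler_count; i++)
                if (rvas[i] == rva) return true;     /* strict match against the table */
            return false;                            /* in a SafeSEH image, but not listed */
        }
        /* no table: fall through (the .NET IL-only check is omitted in this model) */
    }
    if (!is_executable(handler, regs, nregs))        /* e.g. a handler address on the stack */
        return flags.execute_dispatch_enable;        /* ntdll raises an access violation here */
    if (!m)
        return flags.image_dispatch_enable;          /* executable, but outside every image */
    return true;                                     /* image without a SafeSEH table */
}

/* Constructed scenario: safe.dll has a SafeSEH table, legacy.dll has none,
 * noseh.dll is marked NO_SEH, and the stack is a non-executable region. */
static const uint32_t g_safe_rvas[] = { 0x1020u, 0x2F40u };   /* constructed handler RVAs */
enum { SC_IN_TABLE, SC_NOT_IN_TABLE, SC_NO_SAFESEH_IMAGE, SC_ON_STACK, SC_NO_SEH_IMAGE };

int scenario(int id) {
    module_record_t mods[3] = {
        { 0x10000000u, 0x20000u, encode_ptr((uintptr_t)g_safe_rvas), 2, false }, /* safe.dll */
        { 0x20000000u, 0x10000u, 0, 0, false },                                  /* legacy.dll */
        { 0x30000000u, 0x10000u, 0, 0, true },                                   /* noseh.dll */
    };
    region_t regs[4] = {
        { 0x10000000u, 0x20000u, true }, { 0x20000000u, 0x10000u, true },
        { 0x30000000u, 0x10000u, true }, { 0x0012F000u, 0x1000u, false },        /* stack */
    };
    process_flags_t flags = { false, false };      /* no dispatch exceptions granted */
    uintptr_t handler;
    switch (id) {
    case SC_IN_TABLE:         handler = 0x10000000u + 0x1020u; break;
    case SC_NOT_IN_TABLE:     handler = 0x10000000u + 0x1500u; break;
    case SC_NO_SAFESEH_IMAGE: handler = 0x20000000u + 0x0300u; break;
    case SC_ON_STACK:         handler = 0x0012F3A0u; break;
    case SC_NO_SEH_IMAGE:     handler = 0x30000000u + 0x0100u; break;
    default: return -1;
    }
    return is_valid_handler(handler, mods, 3, regs, 4, flags) ? 1 : 0;
}

int main(void) {
    const char *names[] = { "in table", "not in table", "no-SafeSEH image", "on stack", "NO_SEH image" };
    for (int i = 0; i < 5; i++)
        printf("%-18s -> %s\n", names[i], scenario(i) ? "allowed" : "rejected");
    return 0;
}
```

The legacy.dll case is the one the text calls out: a single module without a table is enough for the fall-through path to accept any address inside it, which is why one non-SafeSEH image undoes the protection for the whole process.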
0x03 DEP -- Data Execution Prevention
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP Tablet PC Edition 2005, and Microsoft Windows Vista, DEP is enforced by both hardware and software.
The main advantage of DEP is that it helps prevent code execution from data pages. Normally, code is not executed from the default heap or the stack. Hardware-enforced DEP detects code running from these locations and raises an exception when such execution is detected. Software-enforced DEP helps prevent malicious code from abusing the exception handling mechanism in Windows. Hardware-enforced DEP is a feature of DEP-compatible processors that prevents code execution in memory regions marked as data storage; the feature is also called no-execute or execute protection. Windows XP SP2 also includes software-enforced DEP, which aims to reduce abuse of the exception handling mechanism in Windows.
Unlike anti-virus programs, hardware- and software-enforced DEP are not designed to prevent harmful programs from being installed on the computer. Instead, DEP monitors the installed programs to help determine whether they are using system memory safely. To do so, hardware-enforced DEP tracks memory regions that have been marked "non-executable". If memory is marked "non-executable" but a program tries to execute code from it, Windows closes the program to prevent malicious code from running. This happens regardless of whether the code is actually malicious.
0x04 ASLR
Windows Vista includes a security feature designed to protect the system from buffer overflow attacks: Address Space Layout Randomization (ASLR), which loads key system files at different memory addresses each time, increasing the difficulty of running malicious code.
It is interesting to see Microsoft playing cat and mouse with hackers.
0x05 Heap protection & Heap randomization
Heap protection, as its name implies, protects the heap. It mainly uses heap cookies and encoding of heap metadata, and randomizes the addresses at which heaps created by RtlCreateHeap are placed.
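The heap cookie and metadata encoding just mentioned, modelled in C as an added example that is neither the page's code nor the Windows heap implementation: the header fields, the XOR encoding with a per-heap key, the cookie value and the two-chunk arena are all constructed stand-ins, chosen to show why an overflow into the next chunk's header is caught when that chunk is freed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a heap entry header protected by encoding and a cookie.
 * Not the real Windows heap layout: the point is the mechanism, not the fields. */
typedef struct {
    uint32_t size;     /* user bytes in this chunk */
    uint32_t flags;    /* bit 0 = busy */
    uint32_t cookie;   /* per-heap cookie, checked on free */
} heap_hdr_t;

#define CHUNK_DATA 32u
#define CHUNK_SIZE (sizeof(heap_hdr_t) + CHUNK_DATA)

/* Per-heap random key and cookie; constructed constants here. The header words are
 * stored XORed with the key, so bytes written over them decode to garbage. */
static const uint32_t g_heap_key[3] = { 0x9E3779B9u, 0x7F4A7C15u, 0x2545F491u };
static const uint32_t g_heap_cookie  = 0x0000005Cu;

static void hdr_encode(heap_hdr_t *h) {
    h->size ^= g_heap_key[0]; h->flags ^= g_heap_key[1]; h->cookie ^= g_heap_key[2];
}
static void hdr_decode(heap_hdr_t *h) { hdr_encode(h); }   /* XOR is its own inverse */

/* The check a free routine performs before trusting the header: 1 = intact, 0 = corrupt. */
int hdr_validate(const heap_hdr_t *stored) {
    heap_hdr_t h = *stored;
    hdr_decode(&h);
    return h.cookie == g_heap_cookie && h.size == CHUNK_DATA && (h.flags & ~1u) == 0;
}

/* Two adjacent chunks in a constructed arena; write_len bytes of 'A' go into
 * chunk 0's data (clamped to the arena), then chunk 1's header is validated as
 * a free of chunk 1 would. Returns 1 if chunk 1's header still checks out. */
int heap_scenario(size_t write_len) {
    uint8_t arena[2 * CHUNK_SIZE];
    memset(arena, 0, sizeof arena);
    for (size_t i = 0; i < 2; i++) {
        heap_hdr_t h = { CHUNK_DATA, 1u, g_heap_cookie };   /* busy chunk */
        hdr_encode(&h);
        memcpy(arena + i * CHUNK_SIZE, &h, sizeof h);
    }
    size_t room = sizeof arena - sizeof(heap_hdr_t);       /* from chunk 0's data to arena end */
    if (write_len > room) write_len = room;
    memset(arena + sizeof(heap_hdr_t), 'A', write_len);     /* the overflowing write */
    heap_hdr_t next;
    memcpy(&next, arena + CHUNK_SIZE, sizeof next);         /* chunk 1's header as stored */
    return hdr_validate(&next);
}

int main(void) {
    printf("32-byte write: header %s\n", heap_scenario(32) ? "intact" : "corrupt");
    printf("40-byte write: header %s\n", heap_scenario(40) ? "intact" : "corrupt");
    return 0;
}
```

Because the stored words are encoded, an overwrite has to reproduce the key-dependent encoding of a valid size, flags and cookie to pass validation; a plain byte run over the header decodes to values the free routine rejects before it follows any of them.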