Buffer Overflow Detection


Transferred from: http://blog.csdn.net/galihoo/article/details/2299151

Buffer overflow is currently probably the most direct way to attack, so detecting and protecting against it is urgent, yet there is still no very stable and reliable method for detecting buffer overflows. McAfee was probably the first security vendor to propose buffer overflow protection, but it no longer hypes that technology. Looking around online these days, I feel that Comodo's buffer overflow detection is done better, though I cannot work out what technology it uses; if any expert can introduce its technique, that would be great. Later I read Gyzy's article "A point of view of buffer overflow based on stack fingerprint detection" and czy's comments on it. It is clear that these two experts have extraordinary experience in analysing how exploits are used, but the article also shows that this line of thinking cannot deal with many buffer overflows. First, return-address-based detection is itself unstable (Kaspersky also only treats it as a supplement to signature scanning), and if so, the bypass methods are certainly not limited to modifying the TEB and the push ret+jmp trick. Second, there is heap overflow detection: many heap overflow vulnerabilities can now be exploited stably by spraying a large area and then jumping, especially the heap overflows associated with IE. The experts are already detecting buffer overflows and I will not even try to add to that; instead I will summarise my ideas from the past few days, hoping to help myself and friends who are researching overflow detection:
According to where the shellcode is stored, buffer overflows can be divided into heap overflows and stack overflows; these two are the objects of current buffer overflow detection and protection. As far as I know, the current buffer overflow detection and protection methods are the following:

1. Compiler-level detection and protection
(1) For example, the /GZ option in VC7 and above adds a cookie to the stack; when the function returns it checks whether the cookie value has changed, and if it has, that indicates an overflow and an exception is thrown.
A GCC patch with a similar effect can be downloaded for UNIX.
(2) C array bounds checking; this method is too inefficient to be practical.
There are other methods, but I do not understand them, so I will not discuss them.

2. System/hardware-level detection and protection
For example Windows Data Execution Protection, which marks the heap and stack as non-executable and throws an exception immediately if code is found executing there; but there are ways to bypass it.

3. Dynamic detection at runtime
Personally I think this is what security products should be researching, because it depends neither on the development environment nor on system support.
However, the current approach is to hook key functions such as LoadLibraryA or GetProcAddress, or even a function like CreateProcessA, and then look at the return address; if that address is on the stack, it can be determined that an overflow has occurred.

Some ideas for dynamic detection
(1) Take over CALL and RET in the kernel (I do not know whether this can be implemented). If it can, then create a "return address stack" for each thread: when a CALL occurs, push the return address onto the "return address stack"; when a RET occurs, compare against it to see whether an overflow has happened. This may be rather troublesome to operate.
(2) Also hook the key functions, but then use stack backtracking to keep resolving the locations of the function calls further up. Would that be a general approach?

There are a few more questions:
1. How do I get heap information under Windows? How can I tell whether an address is in the heap? Is it MEM_PRIVATE, the PEB, the TEB?
2. Are the errors of some packed software running on machines with Kaspersky 7 installed caused by its buffer overflow detection?
3. Regarding stack backtracking: the technique is mainly based on EBP, and if EBP has been destroyed, or if the function is optimized so that it cannot be backtraced through EBP, what can be done to keep inferring the previous call? Search the stack one dword at a time?
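As an added example, not from the original post: the EBP-chain walk of idea (2) and the dword-by-dword fallback of question 3, run over a constructed 32-bit stack image in C, with the hook-time verdict that flags a return address lying inside the stack. The stack and code address ranges, the frame layout and the 0x41414141 clobber value are all constructed for the illustration; on a real Windows thread the stack bounds would come from the TEB.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit stack image (16 dwords) standing in for a thread's stack. */
#define STACK_LO 0x0012FF00u               /* address of img[0]           */
#define NWORDS   16u
#define STACK_HI (STACK_LO + NWORDS * 4)   /* one past the last dword     */
#define CODE_LO  0x00401000u               /* hypothetical .text range    */
#define CODE_HI  0x00402000u
static uint32_t img[NWORDS];
static uint32_t rd(uint32_t a)  { return img[(a - STACK_LO) / 4]; }
static int on_stack(uint32_t a) { return a >= STACK_LO && a + 4 <= STACK_HI; }
static int in_code(uint32_t a)  { return a >= CODE_LO && a < CODE_HI; }

/* Walk the saved-EBP chain (frame = [saved ebp][return address]); stops as soon
   as the chain leaves the stack, i.e. EBP was clobbered or omitted. */
static size_t walk_ebp(uint32_t ebp, uint32_t *out, size_t max) {
    size_t n = 0;
    while (n < max && on_stack(ebp) && on_stack(ebp + 4)) {
        out[n++] = rd(ebp + 4);
        uint32_t prev = rd(ebp);
        if (prev <= ebp) break;            /* chain must move to higher addresses */
        ebp = prev;
    }
    return n;
}
/* Fallback when the chain breaks: scan dword by dword for code-range values. */
static size_t scan_stack(uint32_t from, uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t a = from; on_stack(a) && n < max; a += 4)
        if (in_code(rd(a))) out[n++] = rd(a);
    return n;
}

/* Hook verdict: a return address that lies inside the stack means shellcode there. */
static int suspicious(const uint32_t *ret, size_t n) {
    for (size_t i = 0; i < n; i++) if (on_stack(ret[i])) return 1;
    return 0;
}

/* Two healthy outer frames plus an innermost frame that is either intact or overflowed
   (saved EBP clobbered, return address into the stack). Returns the innermost EBP. */
static uint32_t build_image(int overflowed) {
    memset(img, 0, sizeof img);
    img[12] = 0;                 img[13] = 0x00401ABCu;  /* outermost frame, chain end */
    img[8]  = STACK_LO + 12 * 4; img[9]  = 0x00401234u;
    img[4]  = overflowed ? 0x41414141u : STACK_LO + 8 * 4;
    img[5]  = overflowed ? STACK_LO + 6 * 4 : 0x00401500u;
    return STACK_LO + 4 * 4;
}
```

In the overflowed case the chain walk yields only the innermost frame (already enough for a verdict), and the scan still recovers the two legitimate callers that the clobbered EBP hid.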
