Results 1 to 5 of 5

Thread: Is this behaviour of Virtual Memory normal?

  1. #1

    Is this behaviour of Virtual Memory normal?

    Hi all
    I noticed if your virtual memory has PAGE_READWRITE or PAGE_READONLY permission, it is enough to execute what is in that memory page even thouh you don't have PAGE_EXECUTE permission.
    Is this a normal behaviour of Virtual memory?
    I personnaly think this answer is yes, So this is main reason of DEP feature of windows.
    But I want to prevent a page from execution, BUT be readable(so I cannot use PAGE_NOACCESS). Any idea how I can do this?
    I were not able to find some good article for it. If you know please provide me one....

    Hmmmm,I think total question can be abstracted into this:
    "How I can emulate a DEP inside my application without using windows DEP?"

    Regards
    Last edited by Hero; October 8th, 2008 at 02:46.
    I should look out my posts,Or JMI will get mad at me! ;)

  2. #2
    Camus SoNiCo
    Guest
    Mm.. First idea to my mind is to register yourself as the exception handler, and emulate a mechanism like the OS with Stack...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
    It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
    Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

    Hope it helps

  4. #4
    Quote Originally Posted by jstorme View Post
    Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
    It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
    Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

    Hope it helps

    I was thinking about same usage of this emulated DEP.But somebody had this idea before me...

    Regards
    Last edited by Hero; October 9th, 2008 at 00:25.
    I should look out my posts,Or JMI will get mad at me! ;)

  5. #5
    Quote Originally Posted by jstorme View Post
    Why not use DEP?? It easy to set up and I have been playing with it for some time now and it usually works out ok. This is a Olly plugin that demonstrates how to turn on DEP for a remote process through a bit of code injection.
    It then uses DEP as a BreakOnExecute breakpoint in Olly. http://portal.b-at-s.info/downloadt.php?id=13
    Plugin isn't 100% finished though (but it works) because I only meant it to demonstrate the nifty things you can do with DEP

    Hope it helps
    Good work, but don't ship the 3MB .ncb file -- it's useless and will be regenerated automatically, it's just your local autocomplete file.
    --
    Best regards,
    Alex Ionescu

Similar Threads

  1. Replies: 3
    Last Post: January 16th, 2014, 13:48
  2. Reading Virtual Memory
    By ^DAEMON^ in forum Blogs Forum
    Replies: 4
    Last Post: May 1st, 2011, 20:33
  3. Behind Windows x64's 44-bit Virtual Memory Addressing Limit
    By Alex Ionescu Blog in forum Blogs Forum
    Replies: 0
    Last Post: December 10th, 2007, 23:52
  4. Very strange behaviour
    By Firestream in forum Bugs
    Replies: 3
    Last Post: January 15th, 2003, 10:34
  5. quite strange app behaviour
    By NikDH in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: February 7th, 2001, 06:47

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •