Thursday, June 14, 2012

Disable DEP and ASLR on Windows 7 64bit at compile time


In the development of sample exploit code for this blog (for example the Buffer Overflow post), various Windows attack mitigations had to be enabled or disabled. Two very effective and common mitigations on Windows 7 are DEP and ASLR. In an effort to save the reader frustration, time and effort, the compiler and linker options used to disable DEP and ASLR both independently and together are listed below. The DEP and ASLR columns of Mark Russinovich's popular "Process Explorer" tool are used to determine whether a process has DEP or ASLR enabled.

Disable DEP
First, run "%windir%\system32\SystemPropertiesPerformance.exe" from the commandline, and select the "Data Execution Prevention" tab. Select the second option and specify which application to remove DEP protection for.

Opting out of DEP
In this case, ROP.exe was the executable for which DEP was to be disabled. Next, these are the commandline arguments to compile ROP.c without DEP:

cl ROP.c /GS- /Gs-
editbin ROP.exe /NXCOMPAT:NO

Process Explorer shows DEP as disabled for this process:
 

Disable ASLR
Commandline Arguments:

cl ROP.c /DYNAMICBASE:NO /link /FIXED

Now Process Explorer shows ASLR as Disabled for this process:


 
Disable both DEP and ASLR
Commandline Arguments:

cl ROP.c /DYNAMICBASE:NO /GS- /Gs- /link /FIXED
editbin ROP.exe /NXCOMPAT:NO


The ability to selectively disable different mitigation techniques allows us to build smaller and less complex binaries, and makes it easier to perform static analysis and demonstrate security concepts. However, it is highly recommended to enable these mitigation technologies when building production binaries, as these mitigations greatly increase the security of the resulting binaries.

3 comments:

  1. Hey man, You have to test it with 64bit apps,
    not a 32bit app on 64bit enviromnet.

    ReplyDelete
    Replies
    1. Hey there. Thanks for reading :) From my understanding, the PTEs would have the same permission bits for 32 and 64 bit processes. Can you please explain what I might be missing? Thanks.

      Delete
  2. Obviously you tested this in a 32 bit Windows (and if you did it in 64 bit Windows, I really want to know how to do that). Because Windows 7 64 bits will not allow you to run any 32 or 64 executable without DEP. This is a stupid limitation that Microsoft imposed, and this causes lot of trouble even to us, non-malware developers. Try to test your ROP.exe app in 64 bit windows... it will run with DEP enabled, even if you designed and specifically stated not to do so.
    Regards.

    ReplyDelete