Wilders Security Forums  

  #1  
Old April 12th, 2005, 04:42 AM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Watch thread injection or NX-bit?

I have an Athlon64. That processor is equipped with the 'NX'-bit, preventing some kinds of buffer overflows. But sadly, the NX-bit and the Look 'n Stop watch thread injection are incompatible. Enabling both results in a blue screen.

So I have to disable one of those features. Can someone help me to choose between those two features?

Last edited by ernstblaauw : April 13th, 2005 at 08:59 AM.
  #2  
Old April 14th, 2005, 12:06 PM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

Doesn't anyone have an opinion about this?
  #3  
Old April 20th, 2005, 12:48 PM
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,324
Default Re: Only watch thread injection or only NX-bit?

All I know is that when I tried LnS and enabled thread injection, I kept getting a BSOD, but I'm sure the LnS devs are working on a fix or something; otherwise just disable that option.
  #4  
Old April 22nd, 2005, 10:49 AM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

Quote:
Originally Posted by WSFuser
All I know is that when I tried LnS and enabled thread injection, I kept getting a BSOD, but I'm sure the LnS devs are working on a fix or something; otherwise just disable that option.

In this post Frederic says he is not sure a solution will be available. I think if no solution will be available, it is the end of LnS, or at least the end of WTI. That's because at the moment, almost no processor without NX-bit is sold.
  #5  
Old April 22nd, 2005, 05:15 PM
Defenestration Defenestration is offline
Frequent Poster
 
Join Date: Jul 2004
Posts: 990
Default Re: Only watch thread injection or only NX-bit?

Hopefully this will be addressed in the next version.
  #6  
Old April 25th, 2005, 05:19 AM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

I just found out that, if I add 'Windows Explorer' and 'LnS' to the exception list of DEP, my computer does not crash. (Maybe LnS or Explorer is not needed, but I didn't try with only one.)

Now my question: Because I added explorer.exe to the exception list of DEP and because I have added the line "ActivatedSoon"=dword:00000001 to the registry, I wonder if DEP is active practically. That's because I read somewhere all processes become a child of explorer if "ActivatedSoon"=dword:00000001 is added to the registry.
Anyone?
  #7  
Old May 10th, 2005, 05:08 PM
General Noel General Noel is offline
Regular Poster
 
Join Date: May 2005
Posts: 68
Default Re: Only watch thread injection or only NX-bit?

I also have the same issue...

I tried to open a new question on the forum at http://www.wilderssecurity.com/showt...oto=nextnewest; unfortunately nobody has answered yet.

Can anybody from Look & Stop development answer this question?
  #8  
Old May 10th, 2005, 05:13 PM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

Quote:
Originally Posted by ernstblaauw
I just found out that, if I add 'Windows Explorer' and 'LnS' to the exception list of DEP, my computer does not crash. (Maybe LnS or Explorer is not needed, but I didn't try with only one.)

Now my question: Because I added explorer.exe to the exception list of DEP and because I have added the line "ActivatedSoon"=dword:00000001 to the registry, I wonder if DEP is active practically. That's because I read somewhere all processes become a child of explorer if "ActivatedSoon"=dword:00000001 is added to the registry.
Anyone?

Some more info: Maybe I didn't do those tests correctly. I do not know if my experiences with the exception list are done with NX-bit enabled or disabled, which makes my test worthless. My apologies.

(This is because I changed some settings manually in the boot.ini, but I do not know if I changed the correct start-up configuration)
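
Added example, not part of the original post or of Look 'n Stop: the doubt above (which boot.ini start-up entry was edited, and therefore whether the exception-list test ran with NX on) can be settled by reading the `/noexecute` switch of the entry that actually boots. The boot.ini content and the function names below are constructed for illustration.

```python
import re

# Constructed sample boot.ini with two start-up entries (not taken from the thread).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP with DEP" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP without DEP" /noexecute=AlwaysOff /fastdetect
'''

# /noexecute value -> (meaning, is the DEP exception list honoured?)
POLICIES = {
    "optin": ("DEP covers Windows system binaries and opted-in programs", False),
    "optout": ("DEP covers every process except those on the exception list", True),
    "alwayson": ("DEP covers every process; the exception list is ignored", False),
    "alwaysoff": ("DEP is disabled for the whole system", False),
}

def parse_boot_ini(text):
    """Return (default_path, {path: lowercase /noexecute value or None})."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip().lower()
        elif section == "operating systems" and "=" in line:
            path, rest = line.split("=", 1)
            m = re.search(r"/noexecute=(\w+)", rest, re.IGNORECASE)
            entries[path.strip().lower()] = m.group(1).lower() if m else None
    return default, entries

def dep_policy_at_boot(text, chosen_path=None):
    """Describe the DEP policy of the entry that boots (default if none chosen)."""
    default, entries = parse_boot_ini(text)
    path = (chosen_path or default or "").lower()
    if path not in entries:
        raise KeyError("no [operating systems] entry for %r" % path)
    value = entries[path]
    meaning, honoured = POLICIES.get(
        value, ("no recognised /noexecute switch on this entry", None))
    return {"entry": path, "noexecute": value,
            "exceptions_honoured": honoured, "meaning": meaning}

print(dep_policy_at_boot(SAMPLE_BOOT_INI)["meaning"])
```
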
  #9  
Old May 12th, 2005, 06:42 PM
General Noel General Noel is offline
Regular Poster
 
Join Date: May 2005
Posts: 68
Unhappy Re: Watch thread injection or NX-bit?

Quote:
Originally Posted by ernstblaauw
I have an Athlon64. That processor is equipped with the 'NX'-bit, preventing some kinds of buffer overflows. But sadly, the NX-bit and the Look 'n Stop watch thread injection are incompatible. Enabling both results in a blue screen.

So I have to disable one of those features. Can someone help me to choose between those two features?


Forget it. It will never work with the current L&S release. See the following post: LnS - bad reputation
  #10  
Old May 18th, 2005, 01:07 PM
MakoFusion MakoFusion is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 130
Default Re: Only watch thread injection or only NX-bit?

So far as I can tell NX-bit works with various 64 bit chips!
But in order to enable that feature the OS must also support it.

Quote:
Microsoft implemented NX in Service Pack 2 for Windows XP. However, the CPU's virtual memory function must also support NX by providing a flag (an indicator) for each virtual page that can be turned on by the software.
Source = http://www.answers.com/topic/nx-bit

The two culprits are Windows XP SP2 and your Athlon 64-bit chip. I also have both right now and it creates a BSOD in mere seconds. Even a reset! I am thinking, because of the way it works, that there might not be a workaround for it unless you turn off NX-bit. For now I would probably leave it on till you know more.
__________________
Folding@Home on Linux for potions of greater cure.
Team: Wilders Security Forum || Team#: 54406
  #11  
Old May 19th, 2005, 05:05 PM
General Noel General Noel is offline
Regular Poster
 
Join Date: May 2005
Posts: 68
Question Re: Only watch thread injection or only NX-bit?

I agree with you about the definition of the NX bit, which is a hardware (processor) and operating system solution.

Now the NX-bit definition states the following: "(No eXecute) A method for specifying areas of memory that cannot be used for execution"

Now how come LnS executes in a forbidden memory area? Isn't it a development issue of the product?
  #12  
Old May 21st, 2005, 12:04 PM
Frederic Frederic is offline
LnS Moderator
 
Join Date: Jan 2003
Location: France
Posts: 4,354
Default Re: Only watch thread injection or only NX-bit?

Hmmm,
  #13  
Old June 8th, 2005, 10:13 PM
MakoFusion MakoFusion is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 130
Default Re: Only watch thread injection or only NX-bit?

You don't have to choose between one or the other...

START >> Control Panel >> System

Data Execution Prevention (TAB)

• Turn on DEP for all programs and services except those I select:

Add >> Looknstop.exe >> Apply >> OK
__________________
Folding@Home on Linux for potions of greater cure.
Team: Wilders Security Forum || Team#: 54406
  #14  
Old June 9th, 2005, 09:44 AM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

Quote:
Originally Posted by MakoFusion
You don't have to choose between one or the other...

START >> Control Panel >> System

Data Execution Prevention (TAB)

• Turn on DEP for all programs and services except those I select:

Add >> Looknstop.exe >> Apply >> OK
Are you sure that 'Watch Thread Injection' is enabled? Before you disabled DEP for looknstop.exe, did your system crash if you enabled WTI?
  #15  
Old June 12th, 2005, 02:40 PM
General Noel General Noel is offline
Regular Poster
 
Join Date: May 2005
Posts: 68
Default Re: Only watch thread injection or only NX-bit?

Hi ernstblaauw,

Everything which needed to be discussed about this matter was already covered.

Now WTI is a nice feature to have, but it is incompatible with the NX-bit no matter how you configure it in Win XP (even if LnS is configured as an "exception").

I believe LnS is a good firewall, but unfortunately perfection is not of this world... therefore LnS still needs some improvement to be fully compatible with the NX-bit feature.
  #16  
Old October 20th, 2005, 03:29 AM
ernstblaauw ernstblaauw is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 21
Default Re: Only watch thread injection or only NX-bit?

Has there been any progress on this issue? I hope so, I would like to combine the NX-bit with WTI.
  #17  
Old October 24th, 2005, 05:39 PM
General Noel General Noel is offline
Regular Poster
 
Join Date: May 2005
Posts: 68
Default Re: Only watch thread injection or only NX-bit?

As far as I know there is no modification since the last time...

I am not sure if Frederic will ever fix this issue
 
