Buffer Overflow?

Discussion in 'other anti-malware software' started by WilliamP, Apr 22, 2008.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have no idea what hardware DEP is, but I'm going to install CMF.
    Any security software that enforces my boot-to-restore is welcome, except blacklist-based security software.
    I will try CMF today and see if it likes my system. Thanks a lot. :)
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    See http://en.wikipedia.org/wiki/Data_Execution_Prevention.
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Erik, here's a utility called SecurAble to find out what your machine offers.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for the tool. My processor:
    "AMD (939) ATX Athlon 4400+ 64Bit X2 Dual-Core Processor" has indeed DEP.
    How do I know if it is active or not?
     
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @ErikAlbert

    At least in my laptop, there is an option in the BIOS,

    but I also would like to know how I can test it... I haven't a Comodo account, so I can't download their test...
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Guys, is there a way to get buffer overflow protection using the tools built into Windows? I know Windows has that DEP protection but I heard it's weak.

    Is there any option (especially in Windows XP Pro) that can provide respectable buffer overflow protection?
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why I installed Comodo Memory Firewall (freeware), but hardware DEP is much better and that's why I wrote some questions about it in this thread.
    I like to solve this once and for all.
     
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I'm outta luck in this regard as neither of my PCs has a processor that supports hardware DEP. That's why I was hoping for a good software solution. I was hoping there was some option in Windows itself that would provide a good solution to the problem but apparently there isn't, and now I need to find a good third party product that does the job.

    There is a freeware product called Wehnus; it seems to prevent a good majority of these exploits but when I tried it on my system I got a BSOD.


    me too! :)
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is written in a poor way. And not supported anymore.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I fully agree, very buggy software and its development is frozen.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes. The buffer overflow is used to execute shellcode which drops/downloads the real payload. Execution control (Anti-Executable, classical HIPS, SRP) stops the payload from being delivered.
    You're using the OptOut switch. AlwaysOn provides the maximum protection.
    Check here on how to set up DEP properly.
    No, if you have hardware-enforced DEP. Check for the presence of the NX-bit. If you don't have hardware-enforced DEP, Comodo Memory Firewall may be the best solution.

    Wehnus is buggy (it froze several of my VMs) and they don't answer support mails.
     
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Amazingly, according to the program at that link I DO have hardware DEP :) but not hardware virtualization :( So if I enable it somehow I don't need third party software for buffer overflow protection?

    Yeah, I've given up on them.

    EDIT: after finding out BOTH my computers support hardware DEP thanks to lucas' link to the grc site, I followed the other link lucas provided to the Microsoft site telling you how to set up hardware DEP. I then ran the buffer overflow test mentioned here, I passed all 5 tests!

    LUCAS I <3 u :)
     
    Last edited: Apr 23, 2008
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I got this on DEP:

    [image: DEP settings screenshot from the Microsoft site]
    This option is called OptOut. Programs with certain packers will bypass DEP.
    http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1

    So, if you don't want exceptions, or some auto exception (which is wonderful from a security perspective), the best option is AlwaysOn (or hex editing like the link explains, which I won't do). That is only chosen by editing the boot.ini file, substituting "OptOut" for "AlwaysOn" (after noexecute).

    http://support.microsoft.com/default.aspx?kbid=875352&product=windowsxpsp2

    There really isn't any whitelist, everything must comply.
    Opera does not run under this mode, or didn't (i.e., Opera does not run with DEP at all). The beta is OK according to MikeNAS.
    Firefox must not have the talkback extension, or it won't run, no warning.

    One good utility to see what programs have DEP is Process Explorer. You have to add the column "DEP".

    Zopzop: I took that pic from the MS site, and if you look at it you will notice that message on the bottom. It's probably what you read as well.

    This means 1 of 2 things: your CPU really doesn't have the NX-bit, or that option isn't enabled in the BIOS (it happened to me).

    *this is just a modified version of an earlier post... :p
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd say no. I'm not sure what we could gain installing for example CMF if we have hardware DEP and other protections provided by the OS.
    Sorry, I don't know what this means :D

    Please, also take a look at Pedro's post.
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Sweet! One less piece of software to worry about :thumb:

    The <3 is supposed to be a "heart"; it reads "I <3 (heart) you" :p
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm ready for the future:

    1. Turn on DEP for all programs and services is MARKED
    2. BOOT.INI contains /NoExecute=AlwaysOn
    3. CPU Hardware DEP = YES, which means to me it's active.
    4. Comodo Memory Firewall v2.0.4.20 is installed and runs for all applications.

    So I have now a 4-Layered Buffer Overrun Protection (LBOP) combined with
    a Rollback Intrusion Prevention System (RIPS). In other words I'm invincible, like Superman.

    Thank you all for your co-operation. :)

    @DEP-less users : get back on the horse and imitate me. :D
     
  19. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hi guys, I have 2 computers. One processor supports DEP and one doesn't. I have installed CMF on the one that doesn't for now.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Erik, your setup still lacks ASLR, which is only available in Vista.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All these Einstein formulas are too much for my simple brain.
    This has to wait until I buy another computer with winVISTA on it. In 2013 perhaps. :)
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    LOL, Einstein formulas :D
     
  23. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    What does changing BOOT.INI to /noexecute=AlwaysOn actually do?
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    But don't ask me more than this.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    OptOut:
    AlwaysOn:
    OptOut "backdoor":
    Without this "backdoor", OptOut would be the preferred option. With this "backdoor", you can't trust OptOut to protect you.
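    Pedro's post above describes the actual mechanism behind the OptOut/AlwaysOn question: on Windows XP SP2 the DEP policy is a switch on the operating-system entry in BOOT.INI, and moving from OptOut to AlwaysOn means editing that switch. The script below is an added example, not code from the thread or from Microsoft; it parses a constructed BOOT.INI (the ARC path and volume numbers are illustrative), reports the /noexecute policy of each entry, and produces the AlwaysOn version. It also accepts the other two policy values the switch takes on XP SP2 and Server 2003, OptIn and AlwaysOff, so the same audit function covers all four settings, and it reports None when the switch is absent so an administrator can see that the system default applies rather than guessing.

```python
import re
from typing import Dict, Optional

# The four values the /noexecute BOOT.INI switch accepts on Windows XP SP2 / Server 2003.
DEP_POLICIES = ("OptIn", "OptOut", "AlwaysOn", "AlwaysOff")

# Constructed sample BOOT.INI in the OptOut state Pedro describes.
# The ARC path, partition number and OS description are illustrative only.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optout /fastdetect
"""

# BOOT.INI switches are case-insensitive, so match the value loosely and normalize afterwards.
_NOEXECUTE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)


def dep_policy(boot_ini: str) -> Dict[str, Optional[str]]:
    """Map each [operating systems] entry (its ARC path) to its DEP policy.

    Returns None for an entry without a /noexecute switch, meaning the OS default applies.
    Unknown values are returned verbatim so a typo such as /noexecute=AlwaysOnn is visible.
    """
    policies: Dict[str, Optional[str]] = {}
    in_os_section = False
    for raw in boot_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        arc_path, _, switches = line.partition("=")
        match = _NOEXECUTE.search(switches)
        policy: Optional[str] = None
        if match:
            value = match.group(1)
            policy = next((p for p in DEP_POLICIES if p.lower() == value.lower()), value)
        policies[arc_path.strip()] = policy
    return policies


def set_dep_policy(boot_ini: str, policy: str = "AlwaysOn") -> str:
    """Return BOOT.INI text with every [operating systems] entry set to `policy`.

    An existing /noexecute switch is rewritten in place; a missing one is appended,
    so an entry relying on the default is made explicit rather than left implicit.
    """
    if policy not in DEP_POLICIES:
        raise ValueError(f"unknown DEP policy {policy!r}; expected one of {DEP_POLICIES}")
    out = []
    in_os_section = False
    for raw in boot_ini.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
        elif in_os_section and "=" in line and not line.startswith(";"):
            if _NOEXECUTE.search(raw):
                raw = _NOEXECUTE.sub(f"/noexecute={policy}", raw)
            else:
                raw = raw.rstrip() + f" /noexecute={policy}"
        out.append(raw)
    return "\n".join(out) + ("\n" if boot_ini.endswith("\n") else "")


if __name__ == "__main__":
    for path, current in dep_policy(SAMPLE_BOOT_INI).items():
        print(f"{path}: /noexecute={current or '(absent, system default)'}")
    print("--- hardened BOOT.INI ---")
    print(set_dep_policy(SAMPLE_BOOT_INI, "AlwaysOn"), end="")
```

    Run stand-alone it prints the current policy of the sample entry and the rewritten file. On a real XP machine the file is a hidden, read-only, system file on the boot volume and the rewritten text would still have to be written back with the attributes restored; this example deliberately stops at producing the text so it can be reviewed before any reboot.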
     