Is there a way to find out whether the current machine has DEP active?
Christian
Here are some web links that might help you out with DEP:
http://support.microsoft.com/kb/875352
http://support.microsoft.com/kb/875351
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx
Hope this information helps,
Kellie.
I know all this, but I still do not know how a Setup Application (WISE in
this case) can find out whether DEP is active for all applications ("OptOut,
AlwaysOn").
Is the best way to scan the parameters in
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"?
Christian
"Kellie Fitton" <KELLIE...@YAHOO.COM> wrote in message
news:1132769457.3...@g44g2000cwa.googlegroups.com...
"Sure enough, these bits relate to DEP and it appears that
MmGetExecuteOptions copies them from that structure to the
corresponding bits in the memory location passed as the
ProcessInformation argument to NtQueryInformationProcess. I had
therefore determined that I could query the DEP status of a process by
calling NtQueryInformationProcess with a ProcessInformationClass of
0x22, the address of a DWORD (4-byte integer), and a length of 4. It
appears that MmGetExecuteOptions returns the flags for the current
process only and ignores the ProcessHandle parameter (Process Explorer
queries the DEP status of other processes by having its helper driver
switch into them via the KeAttachProcess API)."
The good thing is that execution flags can be turned off by using
NtSetInformationProcess [2] - even on hardware-enforced DEPed machines!
:) Optionally, one can disable the Permanent flag (bit 3):
kd> dt _KEXECUTE_OPTIONS
+0x000 ExecuteDisable : Pos 0, 1 Bit
+0x000 ExecuteEnable : Pos 1, 1 Bit
+0x000 DisableThunkEmulation : Pos 2, 1 Bit
+0x000 Permanent : Pos 3, 1 Bit
+0x000 ExecuteDispatchEnable : Pos 4, 1 Bit
+0x000 ImageDispatchEnable : Pos 5, 1 Bit
+0x000 Spare : Pos 6, 2 Bits
so that those NtSetInformationProcess -> MmSetExecuteOptions calls would
succeed.
[1]
http://people.zeelandnet.nl/stibracke/ssu/2005/01/sysinternals-sysinternals-newsletter.html
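Added example, not part of any post in this thread: a C sketch of the read-only check the quoted newsletter text describes (NtQueryInformationProcess with class 0x22 on the current process), with the returned DWORD decoded by the `_KEXECUTE_OPTIONS` bit positions listed above. The names `dep_flags`, `decode_dep_flags`, `dep_state` and `query_own_dep_flags` are hypothetical, the on/off reading in `dep_state` is an assumption based on the field names, and the value 0x09 is a constructed sample used when not built for Windows.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Fields of the flags DWORD, at the bit positions of the quoted dt output. */
typedef struct {
    unsigned execute_disable, execute_enable, disable_thunk_emulation;
    unsigned permanent, execute_dispatch_enable, image_dispatch_enable, spare;
} dep_flags;

dep_flags decode_dep_flags(uint32_t raw) {
    dep_flags f;
    f.execute_disable         = (raw >> 0) & 1u;
    f.execute_enable          = (raw >> 1) & 1u;
    f.disable_thunk_emulation = (raw >> 2) & 1u;
    f.permanent               = (raw >> 3) & 1u;
    f.execute_dispatch_enable = (raw >> 4) & 1u;
    f.image_dispatch_enable   = (raw >> 5) & 1u;
    f.spare                   = (raw >> 6) & 3u;  /* 2 bits wide */
    return f;
}
/* Assumption (reading of the field names): 1 = DEP on, 0 = off, -1 = unclear. */
int dep_state(uint32_t raw) {
    dep_flags f = decode_dep_flags(raw);
    if (f.execute_disable == f.execute_enable) return -1;
    return f.execute_disable ? 1 : 0;
}

#ifdef _WIN32
typedef LONG (WINAPI *nt_query_fn)(HANDLE, int, PVOID, ULONG, PULONG);
/* Query described in the quote: class 0x22, a DWORD, length 4, own process. */
int query_own_dep_flags(uint32_t *out) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    nt_query_fn q = ntdll ? (nt_query_fn)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    DWORD raw = 0;
    if (!q || q(GetCurrentProcess(), 0x22, &raw, sizeof raw, NULL) < 0) return -1;
    *out = raw; return 0;
}
#endif

int main(void) {
    uint32_t raw = 0x09; /* constructed sample: ExecuteDisable + Permanent */
#ifdef _WIN32
    if (query_own_dep_flags(&raw) != 0) { puts("query failed"); return 1; }
#endif
    dep_flags f = decode_dep_flags(raw);
    printf("flags=0x%02x dep_state=%d permanent=%u thunk_emulation_off=%u\n", (unsigned)raw, dep_state(raw), f.permanent, f.disable_thunk_emulation);
    return 0;
}
```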