Data Execution Prevention (DEP) Bypasses

Some notes on defeating DEP.

About DEP

  • DEP is controlled by Windows through the use of bcdedit.exe.

  • There are four DEP policy settings in Windows.

    • OptIn: DEP is automatically enabled only for operating system components.

    • OptOut: DEP is automatically enabled for operating system components and all processes. This is the default setting for Windows Client operating systems like 7 and 10.

    • AlwaysOff: DEP is disabled for all parts of the system, regardless of hardware support for DEP.

    • AlwaysOn: DEP is enabled for all parts of the system. All processes always run with DEP enabled. DEP cannot be explicitly disabled for selected applications. This is the default setting for Windows Server operating systems like 2012 and 2019.

MISC

!vprot esp    (WinDbg) Displays the memory protection of the page at ESP. With DEP enabled the stack shows PAGE_READWRITE, i.e. no execute bit.

Return Oriented Programming

Two different approaches can be taken: build 100% ROP shellcode, or build a ROP stage that makes traditional execution on the stack possible again.

One method of implementing the second choice is to use the ROP chain to call the Win32 VirtualAlloc API and allocate a chunk of memory with read, write and execute permissions. Another approach is to change the permissions of the memory page where the user-provided shellcode resides by calling the Win32 VirtualProtect API. A third option is to use the Win32 WriteProcessMemory API to hotpatch the .text section of the running process, injecting the shellcode into already executable memory before jumping into it. WriteProcessMemory is able to write to executable memory because it internally calls NtProtectVirtualMemory to make the target page writable.

These Win32 functions can usually be retrieved from the Import Address Table (IAT) of the targeted DLL.
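From the defender's side, the three API patterns above are what an API-hooking sensor or EDR looks for. The following is an added example (not part of these notes): a small Python scanner over a constructed, hypothetical hook log that flags VirtualProtect turning a stack page executable, VirtualAlloc requesting writable+executable memory, WriteProcessMemory targeting the process's own address space, and any of these calls whose return address lies on the stack, which is exactly where a DEP-bypass ROP chain returns into its shellcode. The log format, field names and addresses are all assumptions made for the example.

```python
import re

# Win32 page-protection constants from winnt.h (the values carrying the execute bit).
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_BITS = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_EXEC = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
SELF_HANDLES = (0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF)  # GetCurrentProcess() pseudo-handle, 32/64-bit
WATCHED = ("VirtualAlloc", "VirtualProtect", "WriteProcessMemory")

# Constructed sample log in a hypothetical hook format: one API call per line, with the
# recorded return address and the calling thread's stack range. Not real telemetry.
SAMPLE_LOG = """\
api=VirtualAlloc lpAddress=0x0 dwSize=0x1000 flAllocationType=0x3000 flProtect=0x4 ret=0x75a31c20 stack=0x00190000-0x001a0000
api=VirtualProtect lpAddress=0x0019f400 dwSize=0x201 flNewProtect=0x40 ret=0x0019f4a0 stack=0x00190000-0x001a0000
api=VirtualAlloc lpAddress=0x0 dwSize=0x1000 flAllocationType=0x3000 flProtect=0x40 ret=0x0019f3c8 stack=0x00190000-0x001a0000
api=WriteProcessMemory hProcess=0xffffffff lpBaseAddress=0x00401000 nSize=0x100 ret=0x0019f3d0 stack=0x00190000-0x001a0000
api=VirtualProtect lpAddress=0x00630000 dwSize=0x1000 flNewProtect=0x20 ret=0x77abc123 stack=0x00190000-0x001a0000
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one log line into (api name, {numeric args}, (stack_lo, stack_hi))."""
    fields = dict(KV.findall(line))
    lo, hi = (int(x, 16) for x in fields.pop("stack").split("-"))
    args = {k: int(v, 16) for k, v in fields.items() if v.startswith("0x")}
    return fields["api"], args, (lo, hi)

def classify(api, a, stack):
    """Return the findings for one call; an empty list means nothing DEP-relevant."""
    in_stack = lambda addr: stack[0] <= addr < stack[1]
    findings = []
    if api == "VirtualProtect" and a["flNewProtect"] & EXEC_BITS and in_stack(a["lpAddress"]):
        findings.append("VirtualProtect made a stack page executable")
    if api == "VirtualAlloc" and a["flProtect"] in WRITABLE_EXEC:
        findings.append("VirtualAlloc requested writable+executable memory")
    if api == "WriteProcessMemory" and a["hProcess"] in SELF_HANDLES:
        findings.append("WriteProcessMemory into own address space (possible .text hotpatch)")
    if api in WATCHED and in_stack(a["ret"]):
        findings.append("return address lies on the stack (ROP chain returning into shellcode)")
    return findings

def scan(log):
    """Return [(line_no, api, findings)] for every call in the log that raised a finding."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        api, args, stack = parse_line(line)
        findings = classify(api, args, stack)
        if findings:
            hits.append((n, api, findings))
    return hits

if __name__ == "__main__":
    for n, api, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {api}: " + "; ".join(findings))
```

Lines 1 and 5 of the sample are ordinary allocations and protection changes (no execute bit on a stack page, return address inside a module) and produce no finding; lines 2 to 4 each match a DEP-bypass pattern and all three return to the stack.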

Determining the offset.
