
Nmap Development mailing list archives
Re: Enabling DEP and ASLR on Nmap for Windows
From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Aug 2010 14:26:55 -0600
On Wed, Aug 11, 2010 at 02:01:54PM +0100, Rob Nicholls wrote:
> Attached is a patch that enables ASLR and DEP for Nmap, Ncat and Nping on modern versions of Windows. It's a simple change to two configuration options in Visual C++ for each project. We still use "Unsafe Clib functions" according to Looking Glass (available from Errata Security), but the main executables (ncat.exe, nmap.exe, nping.exe) can support ASLR and NX (DEP).
>
> I haven't touched SetProcessDEPPolicy() - I had tried adding something, but it didn't seem to work (according to LookingGlass, although I'm not sure I trust the results as it said "True" to ASLR and DEP in my 2000 VM, so it's possible it's only checking the PE header?), but that's probably down to my lack of knowledge of C and C++ more than anything else. It seems to be used to either disable DEP (which we don't want), enable it but prevent NX faults from the ATL thunk layer (not ideal), or enable it permanently (what we want).
>
> It seems that using the NXCOMPAT linker switch is equivalent to the latter, but it looks like only XP SP3, Vista, 2008, 2008R2 and 7 support it (i.e. 2003 SP2 and 2000 SP4 don't - although 2003 SP2 should have DEP enabled by default, so that might be why MS didn't backport support like they did with XP SP3; ASLR isn't supported on 2003 and 2000 doesn't support anything IIRC). The NXCOMPAT switch sets a bit in the executable that indicates to the OS that the application is DEP enabled. I believe that setting this bit will override all other DEP settings - if DEP is disabled system wide or the application is opted out of DEP, the OS will still enable DEP for the application.
The patch builds for me. I don't see any harm in committing it right away. I noticed that DEP and ASLR are only enabled for the Release configuration, not Debug--I think that's right.

I'm confused because the addresses don't behave the way I expect them to after a quick test. I'm used to the behavior in Linux, where a simple program like this,

    #include <stdio.h>

    int main()
    {
        int i;
        printf("%p\n", &i);
        return 0;
    }

shows random addresses when run repeatedly:

    0xbfdee8fc
    0xbfe61fac
    0xbf83d5bc
    0xbfa30b9c

I added this line near the top of nmap_main,

    printf("%p\n", &ss);

where ss is a local variable in nmap_main. The output is constant:

    0012E958
    0012E958
    0012E958
    0012E958

Maybe I'm missing something?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
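The two linker options Rob's patch flips (/DYNAMICBASE and /NXCOMPAT) each set one bit in the PE optional header's DllCharacteristics field: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100). Reading those bits back from nmap.exe is the static check Rob suspects LookingGlass is doing, and it is worth having as a separate step from David's runtime printf test, because the header bit only states what the executable opts into; whether the OS honours it depends on the Windows version, as Rob's list of supported releases shows. The program below is an added example written for this thread, not code from the Nmap project or from either poster. It parses the DOS header, PE signature and optional header with bounds checks at each step, and `pe_make`/`pe_probe` build a constructed, non-executable header so the parser can be exercised without a real binary. All function and struct names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DllCharacteristics bits set by /DYNAMICBASE and /NXCOMPAT respectively. */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100

struct pe_mitigations {
    int valid;         /* 1 if the buffer parsed as a PE image */
    int pe32plus;      /* 1 for PE32+ (64-bit), 0 for PE32 */
    uint16_t dllchars; /* raw DllCharacteristics field */
    int aslr;          /* DYNAMICBASE bit present */
    int dep;           /* NXCOMPAT bit present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse just enough of a PE image to reach DllCharacteristics. Every offset is
 * bounds-checked so a truncated or hostile file cannot read past the buffer. */
struct pe_mitigations pe_check(const uint8_t *buf, size_t len) {
    struct pe_mitigations r;
    memset(&r, 0, sizeof r);
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return r;   /* DOS header */
    uint32_t pe_off = rd32(buf + 0x3c);                              /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 2) return r;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return r;           /* PE signature */
    uint16_t opt_size = rd16(buf + pe_off + 4 + 16);                 /* COFF SizeOfOptionalHeader */
    const uint8_t *opt = buf + pe_off + 4 + 20;
    /* DllCharacteristics is at offset 70 of the optional header in both PE32
     * and PE32+ (PE32+ drops BaseOfData but widens ImageBase: net zero). */
    if (opt_size < 72 || len - (size_t)(opt - buf) < 72) return r;
    uint16_t magic = rd16(opt);
    if (magic == 0x10b) r.pe32plus = 0;
    else if (magic == 0x20b) r.pe32plus = 1;
    else return r;
    r.dllchars = rd16(opt + 70);
    r.aslr = (r.dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    r.dep  = (r.dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    r.valid = 1;
    return r;
}

/* Build a constructed (non-executable) PE header for offline testing. */
size_t pe_make(uint8_t *out, size_t cap, int pe32plus, uint16_t dllchars) {
    const uint32_t pe_off = 0x80;
    const uint16_t opt_size = 96;
    size_t total = pe_off + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, pe_off);
    memcpy(out + pe_off, "PE\0\0", 4);
    wr16(out + pe_off + 4 + 16, opt_size);
    uint8_t *opt = out + pe_off + 4 + 20;
    wr16(opt, pe32plus ? 0x20b : 0x10b);
    wr16(opt + 70, dllchars);
    return total;
}

/* Bitmask summary over a constructed header: 1=valid, 2=ASLR, 4=DEP, 8=PE32+. */
int pe_probe(int pe32plus, uint16_t dllchars) {
    uint8_t buf[256];
    size_t n = pe_make(buf, sizeof buf, pe32plus, dllchars);
    struct pe_mitigations m = pe_check(buf, n);
    return m.valid | (m.aslr << 1) | (m.dep << 2) | (m.pe32plus << 3);
}

/* Stand-alone use: pe_check nmap.exe (or ncat.exe, nping.exe). */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s file.exe\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    uint8_t buf[4096];   /* the headers of a normal image fit well inside this */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    struct pe_mitigations m = pe_check(buf, n);
    if (!m.valid) { fprintf(stderr, "%s: not a PE image\n", argv[1]); return 1; }
    printf("%s: %s DllCharacteristics=0x%04x ASLR=%s DEP=%s\n", argv[1],
           m.pe32plus ? "PE32+" : "PE32", m.dllchars,
           m.aslr ? "yes" : "no", m.dep ? "yes" : "no");
    return 0;
}
```

Run it against the Release build of each executable and the Debug build as well: the patch only touches the Release configuration, so the Debug binaries should report both bits clear, which is a useful sanity check that the tool reads the right field. A "yes" here says the image requests the mitigation; it says nothing about whether the loader on a given Windows release applies it, which is the gap David's runtime address check is meant to close.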
Current thread:
- Enabling DEP and ASLR on Nmap for Windows Fyodor (Jul 03)
- <Possible follow-ups>
- Re: Enabling DEP and ASLR on Nmap for Windows George Orwell (Jul 12)
- Re: Enabling DEP and ASLR on Nmap for Windows Rob Nicholls (Jul 12)
- Re: Enabling DEP and ASLR on Nmap for Windows Fyodor (Aug 10)
- Re: Enabling DEP and ASLR on Nmap for Windows Ron (Aug 10)
- RE: Enabling DEP and ASLR on Nmap for Windows Rob Nicholls (Aug 11)
- Re: Enabling DEP and ASLR on Nmap for Windows David Fifield (Aug 11)
- Re: Enabling DEP and ASLR on Nmap for Windows David Fifield (Aug 11)
- Re: Enabling DEP and ASLR on Nmap for Windows 'Fyodor' (Aug 12)
- Re: Enabling DEP and ASLR on Nmap for Windows Gianluca Varenni (Aug 13)
- RE: Enabling DEP and ASLR on Nmap for Windows Rob Nicholls (Aug 13)
- Re: Enabling DEP and ASLR on Nmap for Windows Rob Nicholls (Jul 12)