`
atoooo
  • 浏览: 13178 次
  • 性别: Icon_minigender_1
  • 来自: 广州
社区版块
存档分类
最新评论
阅读更多

A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003

View products that this article applies to.

<script></script> Article ID

:

875352

Last Review

:

May 11, 2006

Revision

:

12.0

On This Page

SUMMARY

INTRODUCTION

MORE INFORMATION

Hardware-enforced DEP

Software-enforced DEP

Benefits

System-wide configuration of DEP

Per-program DEP configuration

MORE INFORMATION

<script type="text/javascript"></script><script src="/common/script/gsfx/kbtoc.js??4" type="text/javascript"></script>SUMMARY

<script type="text/javascript"></script>Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

Back to the top

INTRODUCTION

<script type="text/javascript"></script>This article describes the DEP feature in Windows XP SP2 and in Microsoft Windows Server 2003 with Service Pack 1 (SP1) and discusses the following topics:

Hardware-enforced DEP

Software-enforced DEP

Benefits

System-wide configuration of DEP

Per-program DEP configuration

 

Back to the top

MORE INFORMATION

<script type="text/javascript"></script>Hardware-enforced DEP

<script type="text/javascript"></script>Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:

The no-execute page-protection (NX) processor feature as defined by AMD.

The Execute Disable Bit (XD) feature as defined by Intel.

To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. However, Windows will automatically enable PAE mode to support DEP. Users do not have to separately enable PAE by using the /PAE boot switch.

Note Because 64-bit kernels are Address Windowing Extensions (AWE) aware, there is not a separate PAE kernel in 64-bit versions of Windows.
For more information about PAE and AWE in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

283037 (http://support.microsoft.com/kb/283037/) Large memory support is available in Windows Server 2003 and in Windows 2000

Back to the top

Software-enforced DEP

<script type="text/javascript"></script>An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

Back to the top

Benefits

<script type="text/javascript"></script>The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.

DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.

Back to the top

System-wide configuration of DEP

<script type="text/javascript"></script>DEP configuration for the system is controlled through switches in the Boot.ini file. If you are logged on as an administrator, you can now easily configure DEP settings by using the System dialog box in Control Panel.

Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.

Configuration

Description

OptIn

This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default.

OptOut

DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.

AlwaysOn

This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.

AlwaysOff

This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file.

Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to OptIn, the same Windows core binaries and programs will be protected by both hardware-enforced and software-enforced DEP. If the system cannot use hardware-enforced DEP, the Windows core binaries and programs will be protected only by software-enforced DEP.

Similarly, if the system-wide DEP policy is set to OptOut, programs that have been exempted from DEP protection will be exempted from both hardware-enforced and software-enforced DEP.

The Boot.ini file settings are as follows:

/noexecute=policy_level

Note policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.

Existing /noexecute settings in the Boot.ini file are not changed when Windows XP SP2 is installed. These settings are also not changed if a Windows operating system image is moved across computers with or without hardware-enforced DEP support.

During installation of Windows XP SP2 and Windows Server 2003 SP1 or later versions, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=
policy_level setting is not present in the Boot.ini file for a version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn setting was included.

If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the
Data Execution Prevention tab in System Properties. The following procedure describes how to manually configure DEP on the computer:

1.

Click Start, click Run, type sysdm.cpl, and then click OK.

2.

On the Advanced tab, under Performance, click Settings.

3.

On the Data Execution Prevention tab, use one of the following procedures:

Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.

Click Turn on DEP for all programs and services except those I select to select the OptOut policy, and then click Add to add the programs that you do not want to use the DEP feature.

4.

Click OK two times.

IT professionals can control system-wide DEP configuration by using a variety of methods. The Boot.ini file can be modified directly with scripting mechanisms or with the Bootcfg.exe tool that is included in Windows XP SP2.

To configure DEP to switch to the AlwaysOn policy by using the Boot.ini file, follow these steps:

1.

Click Start, right-click My Computer, and then click Properties.

2.

Click the Advanced tab, and then click Settings under the Startup and Recovery field.

3.

In the System startup field, click Edit. The Boot.ini file opens in Notepad.

4.

In Notepad, click Find on the Edit menu.

5.

In the Find what box, type /noexecute, and then click Find Next.

6.

In the Find dialog box, click Cancel.

7.

Replace policy_level with AlwaysOn.

WARNING Make sure that you enter the text accurately. The Boot.ini file switch should now read:

/noexecute=AlwaysOn

8.

In Notepad, click Save on the File menu.

9.

Click OK two times.

10.

Restart the computer.

For unattended installations of Windows XP SP2 or later versions, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.

Back to the top

Per-program DEP configuration

<script type="text/javascript"></script>For the purposes of program compatibility, you can selectively disable DEP for individual 32-bit programs when DEP is set to the OptOut policy level. To do this, use the Data Execution Prevention tab in System Properties to selectively disable DEP for a program. Alternatively, you can use the following command line to disable DEP for a program:

rundll32 sysdm.cpl, NoExecuteAddFileOptOutList "FullPathToExecutable"

For IT professionals, a new program compatibility fix that is named DisableNX is included with Windows XP SP2. The DisableNX compatibility fix disables Data Execution Prevention for the program that the fix is applied to.

The DisableNX compatibility fix can be applied to a program by using the Application Compatibility Toolkit. For more information about Windows application compatibility, see Windows Application Compatibility on the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx (http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx)

Back to the top

MORE INFORMATION

<script type="text/javascript"></script>For more information, click the following article number to view the article in the Microsoft Knowledge Base:

912923 (http://support.microsoft.com/kb/912923/) How to determine that hardware DEP is available and configured on your computer

Back to the top


APPLIES TO

Microsoft Windows Server 2003 Service Pack 1, when used with:

 

 

 

Microsoft Windows Server 2003, Web Edition

 

 

Microsoft Windows Server 2003, Standard Edition (32-bit x86)

 

 

Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

 

 

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

 

 

Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

 

Microsoft Windows XP Service Pack 2

 

Microsoft Windows XP Service Pack 2

 

Microsoft Windows XP Service Pack 2

 

Microsoft Windows XP Tablet PC Edition 2005

 

Back to the top

 

Keywords: 

kbinfo kbtshoot KB875352

 

Back to the top

 

分享到:
评论

相关推荐

    Python库 | cfn-dep2layer-0.0.1.tar.gz

    资源分类:Python库 所属语言:Python 资源全名:cfn-dep2layer-0.0.1.tar.gz 资源来源:官方 安装方法:https://lanzao.blog.csdn.net/article/details/101784059

    Python库 | py3dep-0.1.7-py2.py3-none-any.whl

    资源分类:Python库 所属语言:Python 资源全名:py3dep-0.1.7-py2.py3-none-any.whl 资源来源:官方 安装方法:https://lanzao.blog.csdn.net/article/details/101784059

    SQL Prompt_9.0.1.3179破解版

    BP006, BP011, BP016, DEP002, DEP007, DEP009, DEP012, DEP014, DEP019, DEP026, EI003, EI024, EI029, MI001, MI006, PE001, PE006, PE011, PE016, PE019, PE021, SC005, ST001, ST003, ST007. Fixed occasional ...

    samba 服务器搭建软件包 samba.zip

    我们将参考提供的链接——&lt;https://blog.csdn.net/qq_27788177/article/details/104625848&gt;,并结合压缩包文件中的组件来阐述关键知识点。 首先,我们需要了解Samba服务器的核心组件。在给定的压缩包文件中,包含了...

    Dev-Cpp.5.11.exe.zip

    一个比较经典的DEV C++版本,方便初学者快速入门。对于该软件版本的代码详细调试步骤,可以参考我的博客,地址:https://blog.csdn.net/hz18790581821/article/details/78418648

    Radmin自动登录器v3.0-多国语言绿色版-Release1-20150615

    By: ybmj@vip.163.com , http://dep.yibinu.cn/wgzxnew/ 1、程序功能和使用环境介绍 2、程序操作方法介绍 3、登录信息文件RadminM.txt介绍 4、登录信息文件RadminM.txt的转换和编制 5、v3.0版新增解锁远程...

    Git一个项目并npm install问题

    打开项目的package.json,查看是否有node-sass,注意其版本问题,node与node-sass版本需要对应,看文档https://blog.csdn.net/weixin_42713970/article/details/86507781,修改node-sass版本与自己的node版本对应...

    process hancer 源码

    * Setting DEP status of processes * Capturing kernel-mode stack traces * More efficiently enumerating process handles * Retrieving names for file handles * Retrieving names for EtwRegistration objects...

    com.hudson.hibernatesynchronizer_3.2.zip

    2. **velocity-dep-1.4.jar**:Velocity是Apache的一个模板引擎,用于生成动态内容。在这个上下文中,Velocity可能被用作生成数据库同步脚本或报告的模板,提供了一种灵活的方式来定制输出格式。 3. **xmlplugin....

    portal用户权限表结构.pdf

    - `DEP_ID`:用户所在部门的标识,用于关联用户与组织结构。 - `TELEPHONE`、`ADDRESS`、`REMARK`:用户的联系方式、地址和备注信息。 - `USER_CUR_STATE`:用户当前状态,如活跃、禁用等。 - `USER_FLAG`:可能...

    万能makefile写法详解,一步一步写一个实用的makefile

    本文档可能有更新,更新版本请留意http://blog.csdn.net/huyansoft/article/details/8924624 一 目的:编写一个实际可用的makefile,能自动编译当前目录下所有.c源文件,并且任何.c、.h或依赖的源文件被修改后,能...

    BURNINTEST--硬件检测工具

    &lt;For more details see the online help&gt; Status ====== This is a shareware program. This means that you need to buy it if you would like to continue using it after the evaluation period. Installation...

    EurekaLog_7.5.0.0_Enterprise

    4)....Added: Asking e-mail when user switches to "details" from MS Classic without entering e-mail 5)....Fixed: Compatibility issues with older Bugzilla versions (3.x) 6)....Fixed: Passing settings ...

    Radmin自动登录器v3.0

    By: ybmj@vip.163.com , http://dep.yibinu.cn/wgzxnew/ 1、程序功能和使用环境介绍 2、程序操作方法介绍 3、登录信息文件RadminM.txt介绍 4、登录信息文件RadminM.txt的转换和编制 5、v3.0版新增解锁 远程...

Global site tag (gtag.js) - Google Analytics