RWX内存页的风险 [英] Risks of RWX memory pages

问题描述

在对该答案获得负面评论之后-科学！)

After getting negative comments on this answer - can i implement counter in the .text area without using registers?, I performed a little investigation, trying to understand if RWX memory pages are really non-usual and rare thing, or every popular program has some. (Science!)

我通过WinDBG附加到MSVS，执行了！address/f:Image，PAGE_EXECUTE_READWRITE ，
我看到很多这样的行:

I attached to MSVS by WinDBG, executed !address /f:Image,PAGE_EXECUTE_READWRITE,
and I saw a lot of lines like this:

7a534000 7a537000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READWRITE             Image "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\6836a951700c2eb01a933212425cda4e\System.ni.dll"

我检查了它的部分，并且有 .xdata 部分，其中有"Execute Read Write"字样.标志.

I examined its sections, and there is .xdata section with "Execute Read Write" flags.

这是否意味着每个加载了.NET库的应用程序都具有RWX内存页?
例如，您的浏览器(如果您运行Windows).(幸运的是，没有FF8，也没有IE8都没有使用.NET)

Does it mean that every application, with a .NET library loaded in it, has RWX memory pages?
Your browser, for example (if you run Windows). (Fortunately, neither FF8, neither IE8 don't use .NET)

那为什么我们还要担心RWX内存呢?

So why do we bother about RWX memory?

推荐答案

我的直觉是这可能不是问题.运行时环境可能需要这样做以支持动态行为.

My gut feeling is that this probably isn't a problem. This is probably required by the run time environment to support dynamic behavior.

存在可写和可执行存储区域的安全问题.这使攻击者可以使用 shellcode 填充缓冲区，然后执行此代码.用shellcode填充缓冲区并不重要，它只是数据.当攻击者能够控制指令指针(EIP)时，通常会出现问题，方法是使用基于堆栈的缓冲区溢出破坏函数的堆栈帧，然后通过将该指针分配给shellcode的地址来更改执行流程(或nop雪橇中的某个位置，它将击中shellcode).

There is a security problem with memory regions that are both writable and executable. This allows an attacker to fill a buffer with shellcode, and then execute this code. Filling a buffer with shellcode isn't a big deal, its just data. The problem arises when the attacker is able to control the instruction pointer (EIP), usually by corrupting a function's stack frame using a stack based buffer overlfow, and then changing the flow of execution by assigning this pointer to the address of the shellcode (or somewhere in the nop sled which will hit the shellcode).

如果您想更好地了解此安全措施，那么请看一下NX位出现之前，哪些缓冲区溢出漏洞被利用.您应该阅读经典论文，粉碎堆栈以获取乐趣和收益.请记住，由于NX位，ASLR和金丝雀，这些攻击都不再起作用.

If you want to understand this security measure better, then take a look at what buffer overflows exploits where like prior to the advent of the NX bit. You should read the classic paper, Smashing the Stack for Fun and Profit. Keep in mind that none of these attacks work anymore because of the NX bit, ASLR and canaries.

这篇关于RWX内存页的风险的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！