Data Execution Prevention

Menu->Link->Runtime Environment->Data Execution Prevent

Data Execution Prevention (DEP) is a system-level memory protection feature built into Microsoft® Windows® starting with Windows XP SP2 and Windows Server 2003 SP1, when running on AMD64 and newer Intel processors that support DEP. DEP enables the system to mark one or more pages of memory as non-executable. Code cannot be run from a memory region marked non-executable, which makes buffer overruns harder to exploit.

DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools. If an application attempts to run code from a data page that is protected, a memory access violation exception occurs, and if the exception is not handled, the calling process is terminated.

Because some applications and DLLs were not originally designed with DEP in mind, they may not have the correct page settings in their executable image and may fail to load. Other EXEs and DLLs allocate memory from the system heap, write instructions into it dynamically at runtime, and then try to execute those instructions. If these EXE and DLL files do not specify execute permission for the pages they allocate, these operations will crash the application on Windows operating systems and hardware that support DEP. Although Windows permits DEP to be disabled on a per-application basis, the end user must do so case by case.

Thinstall provides a means of automatically adding execute permission to memory pages associated with executable modules (EXEs/DLLs) and to memory pages dynamically allocated by the application. In this manner legacy EXEs/DLLs can be made to run on Windows DEP platforms without changes and without requiring the user to specifically "opt out" your particular application.

Thinstall provides two options for each package created. When neither option is selected (the default), the application's EXE & DLL code pages retain their normal page permissions.

- Add execute permission to all EXE/DLL pages
When this option is selected, the application's EXE & DLL code pages will all be given execute permission. This solves most problems of legacy applications not running on DEP platforms.

- Add execute permission to dynamically allocated pages
When this option is selected, the application's EXE & DLL code pages will all be given execute permission. In addition, any memory dynamically allocated by the application will also be given execute permission. This solves DEP crashes for legacy programs that generate code dynamically in memory.


For more information about DEP see this page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/data_execution_prevention.asp


DEP Mini FAQ

When do I need to enable these options?
You only need to enable these options if the normal version of your application crashes on Windows XP SP2 or Windows 2003 SP1 with processors that support DEP (the no-execute bit). All VB and .NET applications will run correctly on these platforms unless they use third-party libraries that suffer from DEP incompatibilities.

Does enabling these features open up my application to security attacks?
In cases where your Thinstall package includes virtual DLLs that have known security issues and are exposed to the Internet or to data sources from the Internet: yes. Since the vast majority of hardware and Windows OS versions today do not support DEP, the same security holes would exist on all other platforms.

Thinstall will only give execute permission to virtual EXE and DLL files, or to external EXE files loaded inside the virtual machine. Thinstall does not affect the page permissions of DLLs loaded from the operating system. For example, if you embed the Internet Explorer ActiveX control in your application, enabling these options will not affect Internet Explorer because it is loaded by the operating system.