waliedassar

ProcessExecuteFlags

Jan 21st, 2013
287
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. The following is based upon research conducted on Win7 SP1 64-bit.
  5.  
  6. A process can change its own execute flags e.g. ExecuteDisable or DisableThunkEmulation
  7. by calling the "ZwSetInformationProcess" function with the "ProcessInformationClass"
  8. parameter to ProcessExecuteFlags 0x22.
  9.  
  10. In Wow64 processes:
  11. This is usually done at process startup within the "LdrpInitializeProcess" function.
  12. The "LdrpInitializeProcess" function checks to see if the "IMAGE_DLLCHARACTERISTICS_NX_COMPAT"
  13. flag is set in the PE header. If set, permanent DEP is assumed. The function also checks to
  14. see if SEHOP is applicable to the process based upon the global settings, IEFO registry value,
  15. and MajorLinkerVersion and MinorLinkerVersion of image. Finally the call to the
  16. "ZwSetInformationClass" function is issued passing the collected info. to the kernel via the
  17. "ProcessInformation" parameter.
  18.  
  19. Since the process of collecting info. is done is usermode, we can manipulate the
  20. value passed to the system call to be zero and the call will succeed!
  21.  
  22. In kernelMode:
  23. The "NtSetInformationProcess" function ensures that the function call acts only on itself i.e.
  24. the "hProcess" parameter is set -1, otherwise the call is rejected.
  25.  
  26. Then a call to the "KeSetExecuteOptions" function is made to reflect the new value passed into
  27. the "_KPROCESS" structure in a substructure called "_KEXECUTE_OPTIONS", which looks like below.
  28.  
  29.  
  30. struct _KEXECUTE_OPTIONS
  31. {
  32. unsigned char ExecuteDisable:1;
  33. unsigned char ExecuteEnable:1;
  34. unsigned char DisableThunkEmulation:1;
  35. unsigned char Permanent:1;
  36. unsigned char ExecuteDispatchEnable:1;
  37. unsigned char ImageDispatchEnable:1;
  38. unsigned char DisableExceptionChainValidation:1;
  39. unsigned char Spare:1;
  40. };
  41.  
  42.  
  43. The "KeSetExecuteOptions" function ensures that no spare or unused bits are set, otherwise
  44. an error STATUS_INVALID_PARAMETER (0xC000000D) is returned.
  45.  
  46. The function also ensures that the process is 32-bit (Wow64), otherwise (Native64) an error
  47. STATUS_INVALID_PARAMETER (0xC000000D) is returned.
  48.  
  49. Before going any further, the function ensures that the "Permanent" bit is not set, otherwise
  50. an error STATUS_ACCESS_DENIED (0xC0000022) is returned. The rest can be expected except that:
  51. 1) If "ExecuteDisable" is supplied as 1, the "ExecuteEnable" is unset.
  52. 2) If "ExecuteEnable" is supplied as 1, the "ExecuteDispatchEnable" and "ImageDispatchEnable"
  53. are set as such.
  54.  
  55. Once the "KeSetExecuteOptions" function returns a non-error, the "MmRemoveExecuteGrants"
  56. function is called if the "ZwSetInformationProcess" call was made to set ExecuteDisable.
  57.  
  58.  
  59. Native64 Processes:
  60. The whole thing is ignored and the "_KEXECUTE_OPTIONS" structure is left blank.
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×