I have a compiler which compiles assembly language to machine language (in memory). My project is in C# .NET. Is there any way to run the memory on a thread? How can DEP prevent it?
byte[] a:
01010101 10111010 00111010 10101011 ...
I doubt there's a supported way. I don't know and haven't researched it, but here are some guesses:
The easiest way might be to launch it as a process: write it into a *.com file and then tell the O/S to run that executable.
Alternatively, pass the memory as a parameter to the CreateThread function (but you'll need to worry about the code having the right calling conventions, expecting the specified parameters, preserving registers, and being in memory which is executable).
Another possibility is to write the opcodes into memory which you know is already going to be executed (e.g. overwrite existing code in a recently-loaded DLL).
You can whitelist your application from the control panel http://ask-leo.com/how%5Fdo%5Fi%5Fturn%5Foff%5Fdata%5Fexecution%5Fprevention%5Ferrors.html
I doubt you can whitelist it programmatically, but certainly not without admin access - that would defeat the purpose of this security feature.
It's possible to execute bytes as code:
It does require the use of unsafe code.
I thought that this was just a fun fact but useless in practice, but perhaps your application actually has a use for this :)
The key is to put the executable code into a block of memory allocated with VirtualAlloc such that the buffer is marked as executable.
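    // AllocationType and MemoryProtection are enums you declare alongside the
    // VirtualAlloc P/Invoke signature; byteCount is the length of the compiled code.
    IntPtr pExecutableBuffer = VirtualAlloc(
        IntPtr.Zero,
        new IntPtr(byteCount),
        AllocationType.MEM_COMMIT | AllocationType.MEM_RESERVE,
        MemoryProtection.PAGE_EXECUTE_READWRITE);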
(then use VirtualFree to clean up after yourself).
This tells Windows that the memory should be marked as executable code so that it won't trigger a DEP check.
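An added example (not part of the answers above) of the same idea without leaving a page both writable and executable: allocate the buffer as PAGE_READWRITE, copy the compiled bytes in, then switch it to PAGE_EXECUTE_READ with VirtualProtect before calling it. The six-byte routine, the `JitBuffer` and `IntFunc` names, and the use of raw constants (the standard Win32 values) instead of enums are assumptions of this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class JitBuffer
{
    const uint MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000, MEM_RELEASE = 0x8000;
    const uint PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(IntPtr addr, UIntPtr size, uint allocType, uint protect);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr addr, UIntPtr size, uint newProtect, out uint oldProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualFree(IntPtr addr, UIntPtr size, uint freeType);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FlushInstructionCache(IntPtr process, IntPtr addr, UIntPtr size);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    // No arguments, so the x86 calling convention only has to agree on the return register.
    [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
    delegate int IntFunc();

    static void Main()
    {
        // Constructed compiler output: mov eax, 42 ; ret (same encoding on x86 and x64).
        byte[] code = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
        var size = new UIntPtr((uint)code.Length);

        // 1. Allocate memory that is writable but not executable.
        IntPtr buf = VirtualAlloc(IntPtr.Zero, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (buf == IntPtr.Zero) throw new Win32Exception();
        try
        {
            // 2. Emit the code while the page is still plain data.
            Marshal.Copy(code, 0, buf, code.Length);
            // 3. Drop write access and grant execute in one step, so the page is never RWX.
            if (!VirtualProtect(buf, size, PAGE_EXECUTE_READ, out _)) throw new Win32Exception();
            FlushInstructionCache(GetCurrentProcess(), buf, size);
            // 4. Call the buffer through a delegate.
            var fn = Marshal.GetDelegateForFunctionPointer<IntFunc>(buf);
            Console.WriteLine(fn());
        }
        finally
        {
            VirtualFree(buf, UIntPtr.Zero, MEM_RELEASE); // size must be 0 with MEM_RELEASE
        }
    }
}
```

With this ordering a stray write to the buffer after step 3 raises an access violation instead of silently changing the code that runs.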