ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

DonationCoder.com Software > Find And Run Robot

FARR v2 - Official Bug Tracking and Feature Request Thread

<< < (6/24) > >>

aloishammer:
welcome aloishammer  :up:

i'm afraid i'm totally ignorant about ASLR and Perma-DEP.  could you point me to something gentle i could read and maybe elaborate a little on why you think this would be useful?
-mouser (August 20, 2010, 06:34 PM)
--- End quote ---
I don't know what you'd consider "gentle".  Microsoft seems to have gone out of their way to confuse anyone attempting to use either CPU-based or compiler-based software protection techniques.  >:(

There's an MSDN article here that explains some of the code protection techniques MSVC offers.  Unfortunately, Microsoft can't decide whether it's Address Space Layout Randomization (ASLR) or "dynamic base" or "image randomization".  Also, while they differentiate between the NX execute-protection CPU instruction and "SafeSEH" in the article, Windows does not.  Windows offers "Data Execution Prevention", occasionally calls it NX (as in the NT6 bootloader), and combines both NX and "SafeSEH" for anything selected for protection with "DEP".

Wikipedia may actually be a considerably better reference:
http://en.wikipedia.org/wiki/Data_Execution_Prevention
http://en.wikipedia.org/wiki/Address_space_layout_randomization#Microsoft_Windows

The extremely short version I can offer: the NX instruction is used to mark memory ranges as non-executable; if someone successfully inserts malicious instructions into an NX-marked data (non-code) area and successfully sets the instruction pointer there, the CPU should throw an exception and refuse to execute the non-code.

SafeSEH is next to worthless, but very good at breaking applications that weren't compiled for it.  This is why "DEP" was introduced in WinXPSP2, but Win7 still doesn't enable it by default, and I assume 7SP1 won't, either.

ASLR, depending on exact implementation (Windows' is partial for performance reasons), can place various code *and* data into totally random memory address ranges.  This way, anyone successfully injecting malicious code into the in-RAM, executing image of your app will either be unable to reliably predict where the malicious code went, and thus be unable to set the instruction pointer to it, or will have to work considerably harder to locate and execute it.

These are the two big ones: the MSDN article mentions one or two other code protection techniques (mostly free just by enabling switches in MSVC), but most focus ends up on "DEP", NX, ASLR.

Major caveat: ASLR on Win32 gives you only a 3.2-3.5GB address space to search, so it's very close to not worth doing.  This is part of the reason I'm asking for a native Win64 build.

Wrap-up: assuming you're using MSVC, and at least 2005SP1, or that you can/could build with MSVC Express (free), NX, ASLR, and the other techniques mentioned in the MSDN article are effectively free; it should be a matter of switching on flags when building your project.

Postscript: From my testing, I don't think you'd need any recoding.  I've been experimenting with Microsoft's EMET 2.0 release: FARR2 and DCU are reported as running with full EMET-enforced protections and display no abnormalities.

tleforge:
Feature Request:  When highlighting an app to run, the ability to highlight multiple apps (maybe with a shift key) to run all highlighted.

Knowing you guys, I'm sure this is already in the program somehow and I've just missed it. :Thmbsup:

mouser:
i'm afraid you can't multiple select in the program list but you can use Ctrl+# to launch an item and stay open (you can change the effect of keyboard modifiers on the Keyboard Interface tab of options); so if you want to launch programs listed as items 1,2,3 you would hold Ctrl and hit 1 2 3.

aloishammer:
One more security note: everyone in the wider security community has "binary planting" on their minds just now.  I can't even begin to guess where FARR2 might need/want changes, but this new research seems extremely pertinent to FARR2, whose entire purpose is to create new processes...

http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html

pattu:
When plugging and unplugging monitors FARR gets lost off screen...

I am using v2.90.02 and am really quite addicted.  Unfortunately, I work between home and work a lot and change between multiple and single monitors on my notebook, only using suspend, not rebooting.  When  I change configs, FARR often ends up appearing off screen.  I used to use ALT-SPACE as my hotkey, but I have changed away from that, because I need to use this to move the FARR window back on screen.  FARR should I guess check the resolution of the current monitor every time.  Drives me a little crazy, but I still use FARR a *lot*. ;)


Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version