Re: [ros-dev] [ros-diffs] [tkreuzer] 64591: [NTOSKRNL] - Improve the random address base code in MiCreatePebOrTeb to actually make sense and not rely on retarded hacks implicitly hardcoding the PEB size in pages into the ra...
11 Oct
2014
11 Oct
'14
4:37 p.m.
Where't the unit test proving your 'improved' algorithm matches XP
SP2/SRV03 SP1?
Best regards,
Alex Ionescu
On Tue, Oct 7, 2014 at 5:31 PM, <tkreuzer(a)svn.reactos.org> wrote:
11 Oct
11 Oct
11:59 p.m.
New subject: [ros-diffs] [tkreuzer] 64591: [NTOSKRNL] - Improve the random address base code in MiCreatePebOrTeb to actually make sense and not rely on retarded hacks implicitly hardcoding the PEB size in pages into the ra...
The improvement is based on readability / coding style. I think the
comment explained the reason to improve it. But I can explain again in
more detail:
The old code created a random value for a page offset inside a 64k
region. The PEB was supposed to get into that region, but preferably not
below.
Obviously, we don't have ALL of these 16 possible 4k page locations
available, if we neither want to go above the upper or below the lower
margin, but still fit n pages between these 2.
The old code "fixed" the random value to account for that limitation by
hardcoding a 2 (for 2 pages), making sure that there are 2 pages
available to put the PEB in.
The new code will check the size of the PEB instead of relying on the
hardcoded magic value of 2, wich wasn't even explained anywhere. So all
I did here was remove a hack.
The rest of the change affects the path that we follow on a failure.
Instead of trying to allocate the PEB at a constant given address and if
that fails, try again from top down, we use the upper margin and try to
allocate at the highest address from there. So it cannot fail, unless
the whole address space is blocked. The commit message might not have
been describing this properly, but the claim that there is no change in
Windows behaviour still stays, since there is no way to predict the
address of the PEB anyway. It's random, from top down. And it stays that
way. Under normal circumstances only the NLS section would block the
address range and in that case the allocation will go below, so no
change at all. When it comes to cloned processes, things might be more
complicated, but then there is no chance to predict the location of the
PEB anyway, it could go anywhere, even below the 64k range. Again no change.
If you still have doubts, please let me know what exactly you think
could be wrong here, so I can address that accordingly.
Timo
PS: we are talking about randomized behavior here, that is done for
security reasons, so doing it differently without breaking assumptions
that user mode applications can make would most likely be beneficial.
When you write a security software that has prevention capabilities, you
also also change Windows behaviour. If that had a negative effect on
*legitimate* software running on the system, it would be bad. If it
doesn't have any negative effect, or only on "bad" software, it's good.
If you can reasonably argue, why this change could possibly affect
legitimate software in a negative way, then I can write a test based on
that.
Am 11.10.2014 18:37, schrieb Alex Ionescu:
12 Oct
12 Oct
4:16 a.m.
New subject: [ros-diffs] [tkreuzer] 64591: [NTOSKRNL] - Improve the random address base code in MiCreatePebOrTeb to actually make sense and not rely on retarded hacks implicitly hardcoding the PEB size in pages into the ra...
The magic of 2 is to account for the Wow64 PEB, on 64-bit systems, FYI.
I agree on your other points -- the 'test' was not "prove me this generates
the same random numbers as windows" but rather "make sure this actually
generates enough randomness"
Best regards,
Alex Ionescu
On Sat, Oct 11, 2014 at 4:59 PM, Timo Kreuzer <timo.kreuzer(a)web.de> wrote:
3796
days inactive
3797
days old
2 comments
2 participants
participants (2)
-
Alex Ionescu -
Timo Kreuzer