William Woodruff
This is very helpful, thanks! As a first pass, checking for a `.text` section might be a reasonable solution here. But that's probably not general enough, since a PE could...
Agreed! This should be part of the default output (for JSON as well).
(Related to #66.)
https://github.com/olliencc/WinBinaryAudit contains more advanced GS checks that we should probably build off of.
To elaborate: the current `/GS` detection is probably over-sensitive, since every recent build of the Windows CRT has stack cookies enabled and uses the default cookie to protect `_start` at...
Similarly, maybe a `-c cmd` mode to spawn a process for auditing.
We should probably de-icebox this: the fact that all memory in DR is executable means that we'll probably find crashes that won't happen when DEP is enabled.
I think `dr_virtual_alloc` + `MEMORY_BASIC_INFORMATION.Protect` will allow us to accomplish this.
Based on https://github.com/DynamoRIO/dynamorio/blob/f1713ec4a9a856d1038c6095da67a5bd95b6a1c7/core/win32/ntdll.c#L2016 and https://github.com/DynamoRIO/dynamorio/blob/f1713ec4a9a856d1038c6095da67a5bd95b6a1c7/core/win32/drwinapi/kernel32_mem.c#L460, I don't *think* DynamoRIO uses permissive memory. I also haven't been able to cause a ROP exploit under a DEP-protected binary run under `drrun`, so...
(Marking it as a candidate just in case I'm wrong).