executable section

Hi all,

If I do a memory allocation with ExAllocatePoolWithTag, then is the
allocation done in the data segment?

How do I mark that allocation as ‘executable’?

thanks

ap

As an internal detail the allocation is executable, but that is not something you should really be relying on because that can change in the future. What are you trying to do?

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of A P
Sent: Wednesday, December 16, 2009 4:24 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] exectable section

hi all,

if i do a memory allocation with ExAllocatePoolWithTag then is the allocation done in the data segment?

How do I mark that allocation as ‘executable’ ?

thanks

ap
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

A P wrote:

> if i do a memory allocation with ExAllocatePoolWithTag then is the
> allocation done in the data segment?

Your question is not really meaningful. Memory is not divided up into
“data segment” and “code segment”. There are CS and DS registers in the
hardware, but both point to exactly the same space (i.e., all of
virtual memory). Your executables have a code section and a data
section, but that doesn’t have anything to do with allocated memory.

Newly allocated pages are marked read/write/execute.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Which pool? Not all pools are executable on all versions of Windows. And why
do you care? (Let me guess…You want to load a driver, copy code into pool,
and then unload to be all stealthy like).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“A P” wrote in message news:xxxxx@ntdev…
hi all,

if i do a memory allocation with ExAllocatePoolWithTag then is the
allocation done in the data segment?

How do I mark that allocation as ‘executable’ ?

thanks

ap

> Your question is not really meaningful. Memory is not divided up into “data segment”
> and “code segment”. There are CS and DS registers in the hardware, but both point to
> the exactly the same space (i.e., all of virtual memory).

Actually, introduction of DEP at the hardware level brought the long-dead concept of making a distinction between code and data back to life. Therefore, the OP’s question can be rephrased as “What is the state of ExecuteDisable bit for a page allocated with ExAllocatePoolWithTag()” …

Anton Bassov
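What "the state of the ExecuteDisable bit for a page" means on x86-64, as an added example that is not part of the thread: a user-mode C sketch that combines the four paging entries covering one address into effective write/execute rights and flags writable-plus-executable mappings. The type and function names and the sample entries are constructed for illustration, and it assumes EFER.NXE = 1 and CR0.WP = 1; it says nothing about how any Windows version actually sets these bits for pool.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 paging-entry bits (architectural, per the Intel/AMD manuals). */
#define PTE_P   (1ULL << 0)   /* present */
#define PTE_RW  (1ULL << 1)   /* writable */
#define PTE_PS  (1ULL << 7)   /* large page: walk ends at a PDPTE or PDE */
#define PTE_XD  (1ULL << 63)  /* ExecuteDisable (NX) */

/* Hypothetical result type for this example. */
typedef struct { bool mapped, writable, executable; } page_access;

/* walk[0..3] = PML4E, PDPTE, PDE, PTE covering one virtual address.
 * Assumes EFER.NXE = 1 and CR0.WP = 1: a write needs R/W set at every
 * level, and execution needs XD clear at every level. */
static page_access effective_access(const uint64_t walk[4])
{
    page_access a = { true, true, true };
    for (int level = 0; level < 4; level++) {
        uint64_t e = walk[level];
        if (!(e & PTE_P)) return (page_access){ false, false, false };
        if (!(e & PTE_RW)) a.writable = false;
        if (e & PTE_XD) a.executable = false;
        /* PS at the PDPTE (1 GiB) or PDE (2 MiB) maps the page directly. */
        if ((level == 1 || level == 2) && (e & PTE_PS)) break;
    }
    return a;
}

/* A mapping that is both writable and executable violates W^X. */
static bool is_wx(const uint64_t walk[4])
{
    page_access a = effective_access(walk);
    return a.mapped && a.writable && a.executable;
}

int main(void)
{
    /* Constructed entries, not read from a real system. */
    const uint64_t rwx[4] = { 0x1003, 0x2003, 0x3003, 0x4003 };
    const uint64_t nx[4]  = { 0x1003, 0x2003, 0x3003, 0x4003 | PTE_XD };
    printf("rwx walk W+X: %d\n", is_wx(rwx));
    printf("nx  walk W+X: %d\n", is_wx(nx));
    return 0;
}
```

The point the walk makes is that XD set at any level, not only in the final PTE, removes execute rights for the whole range that entry covers.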

To answer all of your questions:

  • No, I am not trying to stealth load a driver
  • This question occurred in my mind and I just wanted to clarify if to load
    executable code without the loader I need to use ExAllocatePool* or not

On Thu, Dec 17, 2009 at 1:35 AM, wrote:

> > Your question is not really meaningful. Memory is not divided up into
> > “data segment” and “code segment”. There are CS and DS registers in the
> > hardware, but both point to the exactly the same space (i.e., all of
> > virtual memory).
>
> Actually, introduction of DEP at the hardware level brought the long-dead
> concept of making a distinction between code and data back to life.
> Therefore, the OP’s question can be rephrased as “What is the state
> of ExecuteDisable bit for a page allocated with ExAllocatePoolWithTag()”
> …
>
>
> Anton Bassov