DEP and machine code

**Petr Schreiber** · 13-03-2008, 19:40

Hi Eros,

friend warned me about it but I thought it would not apply - MC_Eval and similar make DEP to go crazy.
Is there any way to make machine code execution DEP alert free? Wouldnt be such a workaround considered a virus practice?

Thanks,
Petr

**ErosOlmi** · 13-03-2008, 19:58

Well,

whatever can be a virus. It depends on what the application does, how the application warn user about its behave and so on. Its not a particular technique that make a virus but the behave of the application.

Is the car that invest the pedestrian or the car driver?
And more (you shoul know this one

) it's the paiter or the brush that make the picture?

To go tecnical, MC_Eval does nothing. It just transform a more human way to write bytes into bytes.
MC_Exec just load the sequence of bytes into a string, calculate the string pointer and make an execution jump to that pointer. This technique is used thousands of times per seconds by any switched on PC. Nothing more.

DEP protection is interesting and to be used if needed. We already talked about it in other threads because there were some problems with thinAir. We solved that problems and to avoid those problems again, since than Roberto works with DEP switched on: "/noexecute=optin" in BOOT.INI file.

http://msdn2.microsoft.com/en-us/library/ms791480.aspx

What I can think is a way to warn user if MC_* functions are used inside a script. Something like VBA macros protection.

Ciao
Eros

**Michael Clease** · 13-03-2008, 21:06

Originally Posted by Psch

Hi Eros,

friend warned me about it but I thought it would not apply - MC_Eval and similar make DEP to go crazy.
Is there any way to make machine code execution DEP alert free? Wouldnt be such a workaround considered a virus practice?

Thanks,
Petr

If it was considered a virus then you dont need MC-Eval to make a virus all the tools are already in TB. File_SAVE and shell execute and strings. Build a bat file with some destructive code and shell execute it and bang.

**Charles Pegge** · 13-03-2008, 21:52

DEP appears to be processot dependent. I have DEP turned on for all programs. But do not encounter problems - could be that my processor does not support it.

http://www.jose.it-berater.org/smffo...icseen#msg5672

**Petr Schreiber** · 13-03-2008, 22:13

Thanks all for the replies,

I have AMD Sempron 64bit ( on 32bit system :P ), and maybe it is more sensitive.
I did not wanted to provocate the "paintbrush and artist"

or "car/driver" discussion, just wanted to let you know there could be problem which could "scare out" users of MC_Eval enabled scripts.

Eros, good idea with user warning, but it could be optional (?), as for scripts only I will use it would not be necessary.

Bye,
Petr