I installed Windows 7 inside VMware a few days ago, as I was interested in exploring the security mechanisms that it employs and to evaluate its security.

The Windows 7 operating system fully supports ASLR (Address Space Layout Randomization).  What this essentially means is that each time a process starts up and loads its required modules into the process's newly initialized virtual address space, the OS tries to make it as difficult as possible to reliably determine the base address of those modules.  Among the modules most important to hackers are kernel32.dll (which gives them LoadLibraryA(), used to load any DLL they'd like into the process address space, and GetProcAddress(), commonly used to find function addresses inside loaded modules) and ws2_32.dll (from which attackers can access sockets, connect(), open(), and accept()).  Once an attacker has found a vulnerability, it's a simple matter of looking at the memory layout at the time of the crash and identifying the addresses of these two modules.

Another method of protection against software exploits is the NX bit, which is now built into modern Intel and AMD CPUs.  This security mechanism is known as Data Execution Prevention (DEP), and is based on the premise that since buffer overflows occur in user data, preventing the CPU from executing instructions from data pages, on a per-page basis, mitigates arbitrary code execution.  DEP is implemented at the hardware level and uses a single bit in each page's page-table entry (assuming DEP is enabled for all running processes).  A page is marked either (W)ritable or e(X)ecutable, but strictly not both.  Every time the CPU fetches instructions from a page, it checks this bit first and raises an exception if you are trying to execute code from a writable data page.

For some unfortunate reason, there are four possible modes of operation for DEP on Windows 7: OptIn, OptOut, AlwaysOff, and AlwaysOn.  Win7 by default uses the OptIn policy, which means that programs must voluntarily specify that they want DEP enabled.  Developers writing Windows software who are unaware of the vulnerabilities inherent in some programs, such as C stack-based buffer overflows, may or may not know that data execution prevention exists, let alone opt in to it.  So, how do we go about changing a Windows 7 machine's DEP policy?  We can run the bcdedit.exe program from the command line, but it must be run from an elevated prompt, i.e. as an administrator-level account such as Administrator or SYSTEM.  Let's open a command prompt, run bcdedit.exe, and examine the output:

As you can see, the default policy is OptIn.  This means that the policy is applied per application, and each application must "opt in".  I was both surprised and dismayed to learn that this is the default behavior of Windows 7.  Let's go ahead and change this policy to force DEP on for every process, with no way for an application to opt out.  To do this, we set the policy to "AlwaysOn" at the command line by typing:

bcdedit.exe /set nx AlwaysOn

As you can see in the above screenshot, we have successfully changed our Data Execution Prevention policy.  You must restart your computer for the change to take effect, since the setting lives in the boot configuration data (BCD) that bcdedit edits and is only read at boot.
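As an added audit check (not part of the original post), the script below parses the `nx` line from `bcdedit /enum {current}` output and reports whether the machine is still on a weak policy (OptIn or AlwaysOff) or on a hardened one (OptOut or AlwaysOn). The sample output embedded in it is constructed, not captured from the author's machine; the only real command it assumes is `bcdedit /enum {current}`, which it runs only when executed on Windows.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

# Constructed sample of `bcdedit /enum {current}` output (not real captured
# output); the line this check cares about is the "nx" entry.
SAMPLE_BCDEDIT_OUTPUT = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
nx                      OptIn
"""

# The four DEP policy names bcdedit accepts; compared case-insensitively.
WEAK_POLICIES = {"optin", "alwaysoff"}      # per-app opt-in, or DEP off
STRONG_POLICIES = {"optout", "alwayson"}    # DEP on unless/without opt-out


def parse_nx_policy(text: str) -> Optional[str]:
    """Return the value on the `nx` line, or None when the entry is absent."""
    m = re.search(r"^\s*nx\s+(\S+)\s*$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess(policy: Optional[str]) -> Tuple[str, bool]:
    """Map a policy name to (effective policy, needs_hardening).

    An absent nx entry is treated as OptIn, the Windows 7 default described
    above. Unknown tokens are flagged so a typo never reads as 'hardened'.
    """
    effective = policy if policy is not None else "OptIn"
    return effective, effective.lower() not in STRONG_POLICIES


if __name__ == "__main__":
    if sys.platform == "win32":
        # Needs an elevated prompt, exactly like the bcdedit /set command.
        text = subprocess.run(["bcdedit", "/enum", "{current}"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_BCDEDIT_OUTPUT
    policy, weak = assess(parse_nx_policy(text))
    print(f"DEP policy: {policy} -> {'WEAK, run bcdedit.exe /set nx AlwaysOn and reboot' if weak else 'hardened'}")
```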