TechSpot

Curiosities about winxp memory allocation?

By Lohq
May 13, 2006
  1. I am wondering about Windows XP because I thought I had read somewhere that Winxp did not allow buffer overflow errors somehow... ie overwriting execution data with data until the end of the block and somehow allowing it to keep writing off the end of the block onto another process be it accidental due to incorrect installation of software or hardware or on purpose by ovewriting data with zero's until you can 'drop' commands onto the shell process... but recently I have been having some NO_MORE_IRP_STACK_LOCATIONS issues and upon reading further on this error (35) it sounds very similar to a buffer overflow... now I suppose I have a few questions, Is this what I think it is... and two, can this be exploited?(I hope not), and can buffer overflows be eliminated in a windows environment?

    A few months back an employee downloaded a very nasty virus that installed itself and waited for a reboot and logon by an administrator account at which point it overwrote a specific security zone of ntoskrnl with zero's allowing guest users admin status and patched ntldr to not notice a bad checksum! after that an attacker was allowed to upload anything he liked to the computer... which had Norton Internet Security installed, all updates, etc... It actually used Norton CCAPP (symantec common client architecture) against me in that it would lock up everything whenever it was loaded into memory. I was wondering if a buffer overflow is how they gained access in the first place as aren't those files normally locked from changes?
     
  2. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    No, it is not a buffer overlow nor anything similar. It is a buggy driver. No, you can't really exploit it. If you already manage to get your own driver into a system, then there are much easier ways to wreak havoc :)

    Yes, all proper OS prevent processes from trashing the memory of another process.

    What newer OS additionally do, is preventing running code from memory that is flagged for data only ("no execute"). In theory one would allocate buffers only in data memory and trying to execute anything from there is something that should normally never happen.

    Buffer overflows can still occur - they just overflow into some other data in the same memory block or the next block belonging to the same process. And Windows will never even see this, since it cannot know about the inner workings of software and what is done with its allocated memory.
     
  3. Lohq

    Lohq TS Rookie Topic Starter

    Thanks so much, that clears up a lot
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...