Windows: what is the difference between DEP always on and DEP opt-out with no exceptions?
- by Peter Mortensen
What is the difference between DEP always
on ("/NoExecute=AlwaysOn" in boot.ini) and DEP opt-out
("/NoExecute=OptOut" in boot.ini) with no exceptions?
"no exceptions" = empty list of programs for which DEP does not apply.
DEP = Data Execution Prevention (hardware).
One would expect it to work the same way, but it makes a
difference for some applications. E.g. for all versions
of UltraEdit 14 (14.2). It crashes at startup for DEP
always on, at least on Microsoft Windows XP Professional
Edition x64 edition. (2010-03-11: this problem has been
fixed with UltraEdit 15.2 and later.)
Update 1: I think this difference is caused by the
backdoors that Microsoft has put into hardware DEP for
OptOut, according to Fabrice Roux (see below). In the
case of IrfanView, for which Steve Gibson observed the
same difference as I did for UltraEdit (see below), the
difference is caused by a non-DEP aware EXE packer
(ASPack) that Microsoft coded a backdoor for.
Is there a difference between Windows XP, Windows Vista and
Windows 7?
Is there a difference between 32 bit and 64 bit versions of
Windows?
Sources:
From
[http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1],
"Hardware DEP has a backdoor" by Fabrice Roux.
2007-02-26.
"IrfanView was not using any trick to evade DEP ...
Microsoft just coded a backdoor used only in OPTOUT.
Basically Microsoft checks the executable header for a
section matching one of the 3 strings. If one of these
strings is found, DEP will be turned OFF for this
application by Windows. ... 'aspack', 'pcle', 'sforce'"
From [http://www.grc.com/sn/sn-078.htm],
by Steve Gibson.
"I can’t find any documentation on Microsoft’s site
anywhere, because we’re seeing a difference between
always-on and opt-out. That is, you would imagine that
always-on mode would be the same as opting out if you
weren’t having any opt-out programs. It turns out it’s
not the case. For example ... the IrfanView file viewer
... runs fine in opt-out mode, even if it has not been
opted out. But it won’t launch, Windows blocks it from
launching ... in always-on mode."
From [http://www.grc.com/sn/sn-083.htm],
by Steve Gibson.
"... IrfanView ... won’t run with DEP turned on. It’s
because it uses an EXE packer, an executable compression
program called ASPack. And it makes sense that it
wouldn’t because naturally an executable compressor has
got to decompress the executable, so it allocates a
bunch of data memory into which it decompresses the
compressed executable, and then it runs it. Well, it’s
running a data allocation, which is exactly what DEP is
designed to stop. On the other hand, UPX, which is
actually the leading and most popular EXE compressor,
it’s DEP-compatible because those guys realized, hey,
when we allocate this memory, we should mark the pages
as executable."
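
An audit sketch for the behaviour described in the Fabrice Roux quote above, added here as an example and not part of the original post or of any Microsoft code: it reads the PE section table of an executable and reports sections whose name contains one of the three quoted strings, which per that quote would leave the program without DEP under OptOut. The function names are hypothetical, the case-insensitive substring match is an assumption (the quote does not give the exact comparison), and the sample images are constructed headers only.

```python
import struct

# Section-name strings quoted on this page from Fabrice Roux's post.
DEP_MARKERS = (b"aspack", b"pcle", b"sforce")

def pe_section_names(data):
    """Return the raw section names (bytes, NUL padding stripped) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        raise ValueError("PE signature not found")
    # The 20-byte COFF header follows the 4-byte signature.
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size
    if table + 40 * n_sections > len(data):
        raise ValueError("truncated section table")
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0")
            for i in range(n_sections)]

def dep_marker_sections(data):
    """Sections whose name contains one of the quoted strings.
    Assumption: case-insensitive substring match (the page does not say)."""
    return [name.decode("latin-1") for name in pe_section_names(data)
            if any(m in name.lower() for m in DEP_MARKERS)]

def build_sample_pe(names):
    """Constructed input: PE headers only, not a loadable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    for label, names in (("packed", [".text", ".aspack", ".adata"]),
                         ("plain", [".text", ".rdata", ".rsrc"])):
        hits = dep_marker_sections(build_sample_pe(names))
        print(label, "->", hits or "no marker sections")
```

To check a real file, pass `open(path, "rb").read()` to `dep_marker_sections`; a non-empty result marks a binary worth testing under AlwaysOn before relying on OptOut for it.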