PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: David Gillett
Reply To: PCBUILD - Personal Computer Hardware discussion List
Date: Thu, 3 Mar 2005 20:53:22 -0800
  A concept that boggles some people (I have known professional programmers
who had trouble grasping it...) is that there isn't any real physical
difference between bits of RAM that hold data and bits that hold executable
code instructions.
  Starting with the 80286 in the Intel processor family (previously common on
larger machines), it became possible for the load instructions to the OS
which each program and DLL contains to designate some regions of RAM as data
and some as code, and since Windows NT 3.1 and 95, all Windows versions have
run primarily in CPU modes that support this designation.
  Many "buffer overflow" exploits, however, rely on the OS not *enforcing*
this distinction, allowing bits received as supposed input data to wind up
getting executed as CPU instructions.  There's a whole black art of crafting
such malicious inputs.

  "Data Execution Prevention" is a new feature in XP SP2 that adds such
enforcement.  It appears that there is at least one DLL file on your machine
which is being fed to RunDLL.exe which violates this designation; there is a
strong likelihood that this DLL is some sort of malware (virus, trojan,
spyware...) component, which previously enjoyed free rein.  (It may be that
it's trying to shut down Norton Antivirus to avoid discovery....)
  I'd suggest a reboot to safe mode and a thorough scan with NAV and a
couple of anti-spyware utilities.

David Gillett


On 2 Mar 2005 at 19:04, Bill wrote:

> From: William Patton
> Subject: Data Execution Prevention
> Date: March 2, 2005
>
> I am running WinXPHome SP2.  I just began receiving the following dialog:
> "To help protect your computer, windows has closed this program: Name-Run a
> DLL as an App, Publisher-Microsoft, Data Executive Prevention"  The only
> change to my system is I just added two applications to Norton Systemworks-
> I previously had Systemworks with just Ghost.  I now added Norton Utilities
> and Norton Antivirus.  Please advise.  This dialog keeps coming up now.  I
> read the Windows Help file on this, but am still unclear what is causing it
> or what to do.  Also how is shutting down "Data Execution Prevention"
> helping to protect my computer?  Thank You, William Patton
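
Added example (not part of the original message or of any tool it mentions): the code/data designation the reply describes is recorded per section in a program's or DLL's PE header, and this sketch reads those flags and reports any section marked both writable and executable. The function names and the header-only sample image are constructed for illustration; it inspects only the static designations in the file, not memory a program allocates while running.

```python
import struct

# Section characteristic flags defined by the PE/COFF format.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_LETTERS = (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE),
                ("x", IMAGE_SCN_MEM_EXECUTE))

def section_permissions(image: bytes):
    """Return [(section name, 'rwx'-style string)] for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size       # section table follows the optional header
    result = []
    for i in range(n_sections):
        off = table + 40 * i             # each section header is 40 bytes
        if off + 40 > len(image):
            raise ValueError("truncated section table")
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, off + 36)  # Characteristics
        perms = "".join(c if flags & bit else "-" for c, bit in FLAG_LETTERS)
        result.append((name, perms))
    return result

def writable_and_executable(image: bytes):
    """Names of sections the loader is asked to map as both data and code."""
    return [n for n, p in section_permissions(image) if "w" in p and "x" in p]

def build_sample() -> bytes:
    """Constructed header-only image (not a real DLL) with three sections."""
    rx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    sections = [(b".text", rx), (b".data", rw), (b".packed", rw | rx)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2000)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
                     for name, flags in sections)
    return dos + coff + table

SAMPLE = build_sample()

if __name__ == "__main__":
    for name, perms in section_permissions(SAMPLE):
        print(f"{name:<8} {perms}")
    print("writable+executable:", writable_and_executable(SAMPLE))
```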
