
Sorry if this seems like a silly question. I am working on practicing backdooring applications for a cert I am working on, and one of the methods is to use existing code caves. The issue is, these caves are often found in the .data segment of an executable. In order to execute code from there, I need to use a PE editor to mark the .data segment as executable. If the PE is then backdoored, and launched on a Windows system with DEP, will DEP accept the executable flag on the .data segment, or will it prevent any code from executing from the .data segment, despite the executable flag being set? I have been trying to find an answer, so documentation is also appreciated.

NetSec
  • I believe, after reading through the MSDN details on DEP, it appears that setting an executable flag on the .data segment would allow code execution. I will also test; the issue is, if I have trouble, it's better to know beforehand if DEP is causing my issue or incorrectly written shellcode, etc. Can anyone confirm that setting the executable flag will indeed allow execution from the .data segment? – NetSec Jul 11 '17 at 16:16
  • When you enumerate the sections in your infector, check the characteristics of each section and, if a suitable code cave is found, modify the PE header to allow execution of memory in that section. – xvk3 Jul 18 '17 at 11:53

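From the defender's side, the header change discussed in the question and comments shows up in the section table: a data section whose Characteristics carry the execute bit can be found by reading the PE headers alone. The following is an added example, not part of the original thread; the function names are illustrative and the two sample images are constructed, header-only byte strings (not loadable executables).

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(pe: bytes):
    """Return [(name, characteristics)] read from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        off = table + 40 * i  # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, flags))
    return sections

def suspicious_sections(pe: bytes):
    """Flag sections that are executable and either writable or not marked as code."""
    findings = []
    for name, flags in parse_sections(pe):
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            continue
        if flags & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable and executable"))
        elif not flags & IMAGE_SCN_CNT_CODE:
            findings.append((name, "executable but not marked as code"))
    return findings

def build_sample(sections):
    """Constructed test input: DOS header, PE signature, COFF header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0, 0, 0, 0, 0, 0, 0, c)
                     for n, c in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed samples: typical flags, then .data with the execute bit added.
CLEAN = build_sample([(b".text", 0x60000020), (b".data", 0xC0000040)])
TAMPERED = build_sample([(b".text", 0x60000020), (b".data", 0xE0000040)])

if __name__ == "__main__":
    print(suspicious_sections(CLEAN), suspicious_sections(TAMPERED))
```

Packed executables can legitimately contain writable and executable sections, so a hit is a triage signal to compare against the vendor's original build, not proof of tampering.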