How to detect hardware-based DEP status

Introduction

Everybody knows that there are two forms of DEP: hardware-based and software-based. Hardware-based DEP needs support from the CPU materialized by a so-called NX bit (non-executable bit). After AMD decided to include this functionality in its AMD64 family, Intel introduced a similar feature called Execute Disable Bit (XD) in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core.

Background

To find out if your CPU supports DEP, try the excellent program SecurAble. I could’t find the source code in C++. So I wrote a function in this article to detect hardware-based DEP status.

Using the code

bool detect_hardbased_DEP_status();//TRUE,HardwareBased_EDP is enable,or,disabled.

bool detect_hardbased_DEP_status()
{
    HRESULT hres;
    //
    // Step 1: --------------------------------------------------
    // Initialize COM. ------------------------------------------
    //
    hres =  CoInitializeEx(0, COINIT_MULTITHREADED); 
    if (FAILED(hres))
    {
        //cout << "Failed to initialize COM library. Error code = 0x" 
        //    << hex << hres << endl;
        return 1;                  // Program has failed.
    }
    //
    // Step 2: --------------------------------------------------
    // Set general COM security levels --------------------------
    // Note: If you are using Windows 2000, you need to specify -
    // the default authentication credentials for a user by using
    // a SOLE_AUTHENTICATION_LIST structure in the pAuthList ----
    // parameter of CoInitializeSecurity ------------------------
    //
    hres =  CoInitializeSecurity(
        NULL, 
        -1,                          // COM authentication
        NULL,                        // Authentication services
        NULL,                        // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication 
        RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation  
        NULL,                        // Authentication info
        EOAC_NONE,                   // Additional capabilities 
        NULL                         // Reserved
        );
    //
    //                      
    if (FAILED(hres))
    {
        //cout << "Failed to initialize security. Error code = 0x" 
        //    << hex << hres << endl;
        CoUninitialize();
        return 1;                    // Program has failed.
    }
    //    
    // Step 3: ---------------------------------------------------
    // Obtain the initial locator to WMI -------------------------
    //
    IWbemLocator *pLoc = NULL;
    //
    hres = CoCreateInstance(
        CLSID_WbemLocator,             
        0, 
        CLSCTX_INPROC_SERVER, 
        IID_IWbemLocator, (LPVOID *) &pLoc);
    // 
    if (FAILED(hres))
    {
        //cout << "Failed to create IWbemLocator object."
        //    << " Err code = 0x"
        //    << hex << hres << endl;
        CoUninitialize();
        return 1;                 // Program has failed.
    }
    //
    // Step 4: -----------------------------------------------------
    // Connect to WMI through the IWbemLocator::ConnectServer method
    //
    IWbemServices *pSvc = NULL;
    // 
    // Connect to the root\cimv2 namespace with
    // the current user and obtain pointer pSvc
    // to make IWbemServices calls.
    hres = pLoc->ConnectServer(
         _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace
         NULL,                    // User name. NULL = current user
         NULL,                    // User password. NULL = current
         0,                       // Locale. NULL indicates current
         NULL,                    // Security flags.
         0,                       // Authority (e.g. Kerberos)
         0,                       // Context object 
         &pSvc                    // pointer to IWbemServices proxy
         );
    //    
    if (FAILED(hres))
    {
        //cout << "Could not connect. Error code = 0x" 
        //     << hex << hres << endl;
        pLoc->Release();     
        CoUninitialize();
        return 1;                // Program has failed.
    }
    //
    //cout << "Connected to ROOT\\CIMV2 WMI namespace" << endl;
    //
    //
    // Step 5: --------------------------------------------------
    // Set security levels on the proxy -------------------------
    //
    hres = CoSetProxyBlanket(
       pSvc,                        // Indicates the proxy to set
       RPC_C_AUTHN_WINNT,           // RPC_C_AUTHN_xxx
       RPC_C_AUTHZ_NONE,            // RPC_C_AUTHZ_xxx
       NULL,                        // Server principal name 
       RPC_C_AUTHN_LEVEL_CALL,      // RPC_C_AUTHN_LEVEL_xxx 
       RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
       NULL,                        // client identity
       EOAC_NONE                    // proxy capabilities 
    );
    //
    if (FAILED(hres))
    {
       // cout << "Could not set proxy blanket. Error code = 0x" 
       //     << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();     
        CoUninitialize();
        return 1;               // Program has failed.
    }
    //
    // Step 6: --------------------------------------------------
    // Use the IWbemServices pointer to make requests of WMI ----
    //
    // For example, get the name of the operating system
    IEnumWbemClassObject* pEnumerator = NULL;
    hres = pSvc->ExecQuery(
        bstr_t("WQL"), 
        bstr_t("SELECT * FROM Win32_OperatingSystem"),
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
        NULL,
        &pEnumerator);
    //    
    if (FAILED(hres))
    {
        //cout << "Query for operating system name failed."
        //    << " Error code = 0x" 
        //    << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;               // Program has failed.
    }
    //
    // Step 7: -------------------------------------------------
    // Get the data from the query in step 6 -------------------
    // 
    IWbemClassObject *pclsObj;
    ULONG uReturn = 0;
    //   
 bool HardWare_Based_DEP_enabled;
    //
    while (pEnumerator)
    {
        HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, 
            &pclsObj, &uReturn);
        //
        if(0 == uReturn)
        {
            break;
        }
        //
        VARIANT vtProp;
        // 
        // Get the value of the Name property
  //hr = pclsObj->Get(L"Name", 0, &vtProp, 0, 0);
        //wcout << " OS Name : " << vtProp.bstrVal << endl;
        //
  hr = pclsObj->Get(L"DataExecutionPrevention_Available", 0, &vtProp, 0, 0);
  HardWare_Based_DEP_enabled=vtProp.boolVal;
        //
  VariantClear(&vtProp);
        //
        pclsObj->Release();
    }
    // 
    // Cleanup
    // ========
    //     
    pSvc->Release();
    pLoc->Release();
    pEnumerator->Release();
    //pclsObj->Release();
    CoUninitialize();
    // 
    return HardWare_Based_DEP_enabled;   // Program successfully completed.
    //  
}//

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Jim Charles

Engineer
AntiDebugLIB Inc

United States

Member

There are so many hackers all over the world that no software can escape the doom of being cracked.And even almost everybody believe that it is impossible to protect the applications through the technology means.But we still work hard to find applications protection solution [32-bit] [64-bit] in order to protect our works.

Homepage:

http://www.antidebuglib.com/

http://www.wintsd.com/

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

You must Sign In to use this message board. (secure sign-in)

Search this forum
	Profile popups Noise Layout Per page

My vote of 5

Mihai MOGA

3:58 16 Dec '11

Great article. Please keep it up!
Sign In·View Thread·Permalink

A great solution for those wanting to use WMI Randor 14:12 3 Dec '11

Hi,

Perfect for those working with WMI. However that is quite a bit of code to check for a simple bit. It could also be accomplished with the cpuid instruction in a much smaller function.

BOOL HaveHardwareDEP()
{
    BOOL bHaveNX = FALSE;
    __asm
    {
        mov eax,0x80000000
        cpuid
        cmp eax,0x80000001
        jb  no_features
        mov eax,0x80000001
        cpuid
        and edx, 0x00100000
        mov bHaveNX,edx
no_features:
    }
    return bHaveNX;
}

There is probably someone reading this post with their hand hovering over the reply button. They are probably wanting to reply with something like: 'Yeah, but you cannot use inline assembly with the Microsoft 64 bit compiler' and of course they would be correct. Rather than poison your source code with inline assembler you could use the Compiler Intrinsics[^] for your MMX,SSE or cpuid optimization. A translation of the function above would be something like:

BOOL HaveHardwareDEP()
{
	BOOL bHaveNX = FALSE;
	int cpuid[4] = {-1};
	__cpuid(cpuid, 0x80000000);
	if(0x80000001 < cpuid[0])
	{
		bHaveNX = (cpuid[3] & 0x00100000);
	}
	return bHaveNX;
}

So rather than adding 120KB to the executable size and a plethora of WMI dependencies... a small < 32 byte function might be preferable for some software engineers when checking for the NX bit.

Best Wishes,
-David Delaune

Re: A great solution for those wanting to use WMI

Jim Charles

14:39 3 Dec '11

great!
My code has an advantage,if you change parameter of Get(L"DataExecutionPrevention_Available", 0, &vtProp, 0, 0) you can get more information. These parameters maybe:
class Win32_OperatingSystem : CIM_OperatingSystem
{
string BootDevice;
string BuildNumber;
string BuildType;
string Caption;
string CodeSet;
string CountryCode;
string CreationClassName;
string CSCreationClassName;
string CSDVersion;
string CSName;
sint16 CurrentTimeZone;
boolean DataExecutionPrevention_Available;
boolean DataExecutionPrevention_32BitApplications;
boolean DataExecutionPrevention_Drivers;
uint8 DataExecutionPrevention_SupportPolicy;
boolean Debug;
string Description;
boolean Distributed;
uint32 EncryptionLevel;
uint8 ForegroundApplicationBoost;
uint64 FreePhysicalMemory;
uint64 FreeSpaceInPagingFiles;
uint64 FreeVirtualMemory;
datetime InstallDate;
uint32 LargeSystemCache;
datetime LastBootUpTime;
datetime LocalDateTime;
string Locale;
string Manufacturer;
uint32 MaxNumberOfProcesses;
uint64 MaxProcessMemorySize;
string MUILanguages[];
string Name;
uint32 NumberOfLicensedUsers;
uint32 NumberOfProcesses;
uint32 NumberOfUsers;
uint32 OperatingSystemSKU;
string Organization;
string OSArchitecture;
uint32 OSLanguage;
uint32 OSProductSuite;
uint16 OSType;
string OtherTypeDescription;
Boolean PAEEnabled;
string PlusProductID;
string PlusVersionNumber;
boolean Primary;
uint32 ProductType;
string RegisteredUser;
string SerialNumber;
uint16 ServicePackMajorVersion;
uint16 ServicePackMinorVersion;
uint64 SizeStoredInPagingFiles;
string Status;
uint32 SuiteMask;
string SystemDevice;
string SystemDirectory;
string SystemDrive;
uint64 TotalSwapSpaceSize;
uint64 TotalVirtualMemorySize;
uint64 TotalVisibleMemorySize;
string Version;
string WindowsDirectory;
};
For example DataExecutionPrevention_SupportPolicy which will be mentioned in another article.

Thanks,your idea is very great!

Smooth runs the water where the brook is deep.——Shakespeare
BLOG: Self-generating-code | Software Protection Solution | Homepage| Jim Charles

Re: A great solution for those wanting to use WMI Randor 15:46 3 Dec '11

Hi Jim Charles, (is that a pseudonym..?)

I am not a huge fan of WMI at all. I do not see anything within that struct that cannot be obtained via a registry key or other means. However I would say that one advantage of using WMI is so that you have a completely supported interface for obtaining those values. In other words... if Microsoft moves or changes the registry, file or memory containing the value... it would not break any code using the WMI interface... however would break direct registry, file or memory queries.

Jim Charles wrote:
For example DataExecutionPrevention_SupportPolicy which will be mentioned in another article.

You can get this via the GetSystemDEPPolicy function[^]. If you are in an environment where the DEP policy is 'Opt out' you could check individual processes using the GetProcessDEPPolicy function[^].

Best Wishes,
-David Delaune

Re: A great solution for those wanting to use WMI

Jim Charles

16:08 3 Dec '11

You're so smart!
By the way,I have a question to ask you.
Do you still have the idea of getting BcdOSLoaderBoolean_KernelDebuggerEnabled value of BcdOSLoaderElementTypes. Thanks first !

typedef enum BcdOSLoaderElementTypes {
BcdOSLoaderDevice_OSDevice = 0x21000001,
BcdOSLoaderString_SystemRoot = 0x22000002,
BcdOSLoaderObject_AssociatedResumeObject = 0x23000003,
BcdOSLoaderBoolean_DetectKernelAndHal = 0x26000010,
BcdOSLoaderString_KernelPath = 0x22000011,
BcdOSLoaderString_HalPath = 0x22000012,
BcdOSLoaderString_DbgTransportPath = 0x22000013,
BcdOSLoaderInteger_NxPolicy = 0x25000020,
BcdOSLoaderInteger_PAEPolicy = 0x25000021,
BcdOSLoaderBoolean_WinPEMode = 0x26000022,
BcdOSLoaderBoolean_DisableCrashAutoReboot = 0x26000024,
BcdOSLoaderBoolean_UseLastGoodSettings = 0x26000025,
BcdOSLoaderBoolean_AllowPrereleaseSignatures = 0x26000027,
BcdOSLoaderBoolean_NoLowMemory = 0x26000030,
BcdOSLoaderInteger_RemoveMemory = 0x25000031,
BcdOSLoaderInteger_IncreaseUserVa = 0x25000032,
BcdOSLoaderBoolean_UseVgaDriver = 0x26000040,
BcdOSLoaderBoolean_DisableBootDisplay = 0x26000041,
BcdOSLoaderBoolean_DisableVesaBios = 0x26000042,
BcdOSLoaderInteger_ClusterModeAddressing = 0x25000050,
BcdOSLoaderBoolean_UsePhysicalDestination = 0x26000051,
BcdOSLoaderInteger_RestrictApicCluster = 0x25000052,
BcdOSLoaderBoolean_UseBootProcessorOnly = 0x26000060,
BcdOSLoaderInteger_NumberOfProcessors = 0x25000061,
BcdOSLoaderBoolean_ForceMaximumProcessors = 0x26000062,
BcdOSLoaderBoolean_ProcessorConfigurationFlags = 0x25000063,
BcdOSLoaderInteger_UseFirmwarePciSettings = 0x26000070,
BcdOSLoaderInteger_MsiPolicy = 0x26000071,
BcdOSLoaderInteger_SafeBoot = 0x25000080,
BcdOSLoaderBoolean_SafeBootAlternateShell = 0x26000081,
BcdOSLoaderBoolean_BootLogInitialization = 0x26000090,
BcdOSLoaderBoolean_VerboseObjectLoadMode = 0x26000091,
BcdOSLoaderBoolean_KernelDebuggerEnabled = 0x260000a0,
BcdOSLoaderBoolean_DebuggerHalBreakpoint = 0x260000a1,
BcdOSLoaderBoolean_EmsEnabled = 0x260000b0,
BcdOSLoaderInteger_DriverLoadFailurePolicy = 0x250000c1,
BcdOSLoaderInteger_BootStatusPolicy = 0x250000E0
} BcdOSLoaderElementTypes;

Smooth runs the water where the brook is deep.——Shakespeare
BLOG: Self-generating-code | Software Protection Solution | Homepage| Jim Charles

Re: A great solution for those wanting to use WMI Randor 17:52 3 Dec '11

Jim Charles wrote:
You're so smart!

Not really, I have simply been anonymously studying Zui Quan Kung-Fu longer than the younger software engineering generation. Plus... I stayed at a Holiday Inn last night.

Jim Charles wrote:
Do you still have the idea of getting BcdOSLoaderBoolean_KernelDebuggerEnabled value of BcdOSLoaderElementTypes. Thanks first !

Yes, but it is a little advanced... I spent quite a bit of time reverse engineering the pseudo-documented BCD store. Btw... you can also get the DEP status from the BCD store on OS >= Vista.

Here are the steps required:

[A] First thing you will need is the disk signature at the end of the MBR from the drive where the OS booted. You can obtain it by doing something like the following:
1.) Collect all of the mounted DosDevices at HKLM\\SYSTEM\\MountedDevices and store them into a std::vector or container of your choice;
2.) Call GetSystemDirectory and compare the drive letter to the info in your std::vector and find the system drive.
3.) The bytes you see in the HKLM\SYSTEM\MountedDevices registry key... at subkey 'Data' contain the disk signature from the master boot record at sizeof(int);

[B] Now you will need to locate the GUID from the BCD store using the disk signature from the master boot record that you just obtained.
1.) Open the HKLM\\BCD00000000\\Objects registry key and loop through the GUID keys... you are looking for \\Description\\Type value of 0x10200003 (OS Loader)
2.) When you find a "Type" value of 0x10200003 then you need to read the value of \\Elements\\21000001 and compare the bytes at offset 56 sizeof(int) to the disk signature you obtained in the previous step.
3.) When you find a match... then you have found the key containing the OS loader for the current OS. Save the GUID part of the registry key.

[C] Now we have all of the information we need to read DEP status and 'kernel debugger enabled'
1.) Open HKLM\\BCD00000000\\Objects\\[GUID]\\Elements\\25000020 and read this value. This is the current DEP status.
2.) Open HKLM\\BCD00000000\\Objects\\[GUID]\\Elements\\260000a0 and read this value. This is the kernel debugger status. (key does not exist == no debugger)

Btw... that is quite a bit of work for simply checking for a kernel debugger. You would be better off calling the CheckRemoteDebuggerPresent function[^].

Or if your a really paranoid type of guy who believes that perhaps the function has been hooked... you could call NtQuerySystemInformation function[^] with the SystemKernelDebuggerInformation index at 0x23. Or from kernelmode you can call KdDebuggerEnabled.

Best Wishes,
-David Delaune

Re: A great solution for those wanting to use WMI

Jim Charles

20:32 3 Dec '11

Very Great!
My purpose is to disable PatchGuard.I need a STABLE and EASY manner.Now,I use following commands.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex

But there are still some problems.Here is my code.

///////////////////////////////////////////////////////////////////////////

#define ADL_WIN64 //if no define ADL_WIN64,compile for win32 system.

///////////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////////////////////////////

 
    if (Is64BitOS())
    {
        #ifdef ADL_WIN64 //NOTE:if no define ADL_WIN64,compile for win32 system.

            bool KernelDebuggerEnabled                  = detect_KernelDebugger_status();
            int DataExecutionPrevention_SupportPolicy   = get_DataExecutionPrevention_SupportPolicy();
            if(DataExecutionPrevention_SupportPolicy==3||DataExecutionPrevention_SupportPolicy==1 || !KernelDebuggerEnabled)
            {
                MessageBeep (MB_ICONEXCLAMATION);
                if (AskWarnYesNo () == IDYES)
                {
                    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
                    //  NOTE:
                    //
                    //      You should copy "C:\Windows\System32\bcdedit.exe" file to your own install directory for win64 version program.
                    //
                    //  Uninstall:
                    //
                    //      You should invoke
                    //      "ShellExecute(NULL,"runas","bcdedit.exe"," /debug OFF","",SW_HIDE);"
                    //      and
                    //      "ShellExecute(NULL,"runas","bcdedit.exe"," /timeout 15","",SW_HIDE);"
                    //      command when uninstall your program.
                    //
                    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
                    //
                    //  InstallShield uninstall example code:
                    //
                    //      #define APPLICATION TARGETDIR^"bcdedit.exe"
                    //
                    //      export prototype DefaultFeature_UnInstalling();
                    //      function DefaultFeature_UnInstalling()
                    //      begin
                    //          LaunchApp(APPLICATION," /debug OFF");
                    //          LaunchApp(APPLICATION," /timeout 15");
                    //      end;
                    //
                    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
                    //
                    //  Why can't we invoke "C:\Windows\System32\bcdedit.exe" directly?
                    //
                    //      Because the authority is not enough,even with administrator privileges.
                    //      The solution is to copy it to the main program directory.
                    //
                    //      You can refer to our installation directory.
                    //
                    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 

                    if(DataExecutionPrevention_SupportPolicy==3||DataExecutionPrevention_SupportPolicy==1)
                    {
                        ShellExecute(NULL,"runas","bcdedit.exe"," /set {current} nx OptIn","",SW_HIDE);
                    }
 
                    if(!KernelDebuggerEnabled)
                    {
                        ShellExecute(NULL,"runas","bcdedit.exe"," /debug ON","",SW_HIDE);
                        ShellExecute(NULL,"runas","bcdedit.exe"," /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex","",SW_HIDE);
                        ShellExecute(NULL,"runas","bcdedit.exe"," /timeout 5","",SW_HIDE);
                    }
 
                    RestartComputer();
                    ExitProcess(0);
                }
                else
                {
                    ExitProcess(0);
                }
            }
            else
            {
 
                ShellExecute(NULL,"open","ADL_Register.EXE","","",SW_SHOW);//Replace "ADL_Register.EXE" with your program name here.
                ExitProcess(0);
 
            }
 
        #else
 
            MessageBoxW(NULL, L"This program can't run in 64-bit Operating System.",L"Run failed.",MB_OK|MB_ICONWARNING);
            ExitProcess(0);
 
        #endif
    }
    else
    {
        #ifdef ADL_WIN64
 
            MessageBoxW(NULL, L"This program can't run in 32-bit Operating System.",L"Run failed.",MB_OK|MB_ICONWARNING);
            ExitProcess(0);
        #else
 
            ShellExecute(NULL,"open","ADL_Register.EXE","","",SW_SHOW);//Replace "ADL_Register.EXE" with your program name here.
            ExitProcess(0);
 
        #endif
 
    }
 

 
    ///////////////////////////////////////////////////////////////////////////////////////////////
    ExitProcess(0);
    return TRUE;  // return TRUE  unless you set the focus to a control
}

The problem is Why can't we invoke "C:\Windows\System32\bcdedit.exe" directly? Is there a better way?
In addition,about disable PatchGuard. Do you have a better way to disable PatchGuard ?STABLE and EASY.

Thanks.

Smooth runs the water where the brook is deep.——Shakespeare
BLOG: Self-generating-code | Software Protection Solution | Homepage| Jim Charles