There are also many other vulnerability types whose end result is the same as the problem above: execution can be redirected through a fixed pointer, but the value of that pointer cannot be controlled. Without DEP, such vulnerabilities are not hard to exploit, as long as injected code is placed at the address that will be executed. With DEP enabled, they are usually considered unexploitable. But consider what happens if the data injected at the address that is expected to be executed is the following:
Even with DEP enabled, although the heap-sprayed memory region is certainly non-executable, you will be surprised to find that the system appears to execute these instructions and jumps to the address placed in ecx. As long as ecx is set to a suitable value, execution can be redirected to any address, from which a ROP chain can be run. This happens because Windows, for compatibility with some older programs, implements a mechanism called ATL thunk emulation. When the kernel handles an execute access violation, it checks whether the code at the faulting address matches the characteristics of an ATL thunk. If it does, the kernel uses the KiEmulateAtlThunk() function to emulate that code. ATL thunk emulation checks that the jump target lies inside a PE image, and on systems that support CFG it also confirms that the target passes the CFG check. In addition, under the default DEP policy of Windows Vista and later, ATL thunk emulation only takes effect for programs that do not set IMAGE_DLLCHARACTERISTICS_NX_COMPAT; a program compiled with the /NXCOMPAT option is no longer compatible with ATL thunk emulation. Many programs still support ATL thunk emulation, however, for example many third-party applications and the 32-bit iexplore.exe. So for a vulnerability like CVE-2015-2425 from the Hacking Team leak, if some form of heap spray can reliably occupy the target memory, this technique can also be used to achieve exploitation. In other words, the ATL thunk emulation in the system's exception handling path, which can effectively execute non-executable memory, brings back to life some vulnerabilities that are generally considered unexploitable.
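The practical defensive takeaway from the paragraph above is the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag: an executable built with /NXCOMPAT opts out of ATL thunk emulation, so auditing that flag tells you which binaries on a system are still exposed to this behaviour. The following is an added example, not code from the original article, that reads the DllCharacteristics field from a PE header and reports whether NX_COMPAT (and, since the article mentions CFG, the GUARD_CF flag) is set. The build_minimal_pe() helper is a constructed, header-only sample used so the code runs offline; it is not a loadable image. The flag values and header offsets are the ones from the PE/COFF specification.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+

# DllCharacteristics bits as defined in the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000       # Control Flow Guard


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # The 20-byte COFF header follows the signature; SizeOfOptionalHeader is at COFF offset 16.
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 in both PE32 and PE32+.
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    return struct.unpack_from("<H", image, opt + 70)[0]


def is_nx_compat(image: bytes) -> bool:
    """True if the image was linked with /NXCOMPAT (ATL thunk emulation disabled for it)."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def describe(image: bytes) -> dict:
    """Summarise the mitigation-related DllCharacteristics bits of an image."""
    flags = dll_characteristics(image)
    return {
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "guard_cf": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        # Per the article: without NX_COMPAT the default DEP policy still emulates ATL thunks.
        "atl_thunk_emulation_possible": not bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE with the given DllCharacteristics (not loadable)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_nxcompat.py <file.exe|file.dll> ...
    # With no arguments, the constructed samples are checked instead.
    targets = sys.argv[1:]
    if not targets:
        samples = {
            "sample-without-nxcompat": build_minimal_pe(0),
            "sample-with-nxcompat-and-cfg": build_minimal_pe(
                IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_GUARD_CF, pe32plus=True),
        }
        for name, data in samples.items():
            print(name, describe(data))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, describe(fh.read()))
```

Run against the real 32-bit iexplore.exe or any third-party binary, an "atl_thunk_emulation_possible": True result flags a binary that the default DEP policy will still run through KiEmulateAtlThunk(); the fix on the build side is simply linking with /NXCOMPAT.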
Most of this article was written in October 2014; the module addresses, symbol information and similar details are based on Windows Technical Preview 6.4.9841 x64 with Internet Explorer 11.