Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May

Memory Protection

Thus far, discussions related to application memory have been sufficiently neglected, until now. This is not to say the interworkings of Windows memory management are about to be revealed, vice, a fairly pigeon holed approach will be taken for the sake of brevity and to satisfy our immediate utilitarian needs.

When an application requests memory, a region is allocated provided the requested amount is available. If the allocation is successful, this region of memory can, amongst other things, be protected. More specifically, the region has psuedo access control lists applied to it that deny or permit certain access types. A couple examples of these access types are the ability to read information from, write information to, and execute instructions at, the given region. It is these access types that will provide the ability to quickly determine with relatively high probability whether a symbol is a function or non-function. By virtue of being a function, these memory regions allow execution. Conversely, memory regions allocated for classic variables do not allow instruction execution5.1. Conveniently, WinDBG is shipped with an extension that allows the user the retrieve memory protection attributes for a given address. This extension command is !vprot. Let's select aptly named symbols to demonstrate this functionality. Type the following in the Command window:

!vprot WinMine!ShowBombs
ShowBombs was chosen as the name implies (to me) that it's a function. Let's see what !vprot says:
BaseAddress:       01002000
AllocationBase:    01000000
AllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY
RegionSize:        00003000
State:             00001000  MEM_COMMIT
Protect:           00000020  PAGE_EXECUTE_READ
Type:              01000000  MEM_IMAGE
At first glance this might appear contradictory. However, the AllocationProtect field denotes the default protection for the entire memory region. The Protect field speaks to the current protections on the specific region specified in the first argument. This, as one would expect, is set to execute and read as denoted by PAGE_EXECUTE_READ. Next, look at the memory protection for a region allocated for a suspected variable, such as WinMine!szClass.
!vprot WinMine!szClass
The expectation is !vprot will return page protection that only allows read and write access to this region.
BaseAddress:       01005000
AllocationBase:    01000000
AllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY
RegionSize:        00001000
State:             00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              01000000  MEM_IMAGE
So be it. Considering the naming convention (sz preface), which implies a string type, one could easily validate the assumption by examining the data at this memory location. To do this, the display memory command can be utilized. Type the following in the Command window:
du WinMine!szClass
The 'u' modifier tells the (d)isplay memory command to interpret the string as Unicode. The results of this are:
01005aa0  "Minesweeper"
I'm convinced.