Maxim Masiutin
Joined: 29 Aug 2007 Posts: 4
Posted: Wed Aug 29, 2007 7:29 am Post subject: The Bat! with NX enabled

When The Bat! is compiled with Data Execution Prevention (NX-bit) in the PE header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), then AntiSpamSniper crashes The Bat! when The Bat! is loading the plugins.
This happens under Vista and NX-capable CPUs.
If the user removes the AntiSpamSniper plugin but keeps the other plugins (e.g. Kaspersky Antivirus), The Bat! works fine.
You can download The Bat! BETA with NX-bit enabled from the Ritlabs website, /download/files3/the_bat/beta/tbb399232.rar, to test it with AntiSpamSniper.
Also, it would be good if AntispamSniper.tbp were signed with an Authenticode digital signature with a timestamp. The Bat! in newer versions will check digital signatures of plugins before loading them.
vetaltm Author
Joined: 05 Feb 2006 Posts: 748
Posted: Fri Aug 31, 2007 12:24 am Post subject: Re: The Bat! with NX enabled

Maxim Masiutin wrote:
> When The Bat! is compiled with Data Execution Prevention (NX-bit) in the PE header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), then AntiSpamSniper crashes The Bat! when The Bat! is loading the plugins.
> This happens under Vista and NX-capable CPUs.
> If the user removes the AntiSpamSniper plugin but keeps the other plugins (e.g. Kaspersky Antivirus), The Bat! works fine.
> You can download The Bat! BETA with NX-bit enabled from the Ritlabs website, /download/files3/the_bat/beta/tbb399232.rar, to test it with AntiSpamSniper.

The plug-in doesn't violate DEP rules, so apparently this is not the reason for the described problem. The plug-in was tested successfully with TheBat 3.99.23 and 3.99.24 on systems with hardware-supported DEP (Core2 Duo and AMD64), on XP SP2, XP x64 and Vista with DEP enabled. Also, almost the same code works properly in plug-ins for Outlook Express and Windows Mail for x86 and x64 platforms.
I've contacted the user having this problem, so maybe things will become clearer after receiving his answers.

Maxim Masiutin wrote:
> Also, it would be good if AntispamSniper.tbp were signed with an Authenticode digital signature with a timestamp. The Bat! in newer versions will check digital signatures of plugins before loading them.

Thank you for notifying beforehand!
Maxim Masiutin
Joined: 29 Aug 2007 Posts: 4
Posted: Fri Aug 31, 2007 6:33 am Post subject: Re: The Bat! with NX enabled

vetaltm wrote:
> The plug-in doesn't violate DEP rules, so apparently this is not the reason for the described problem.

Thank you! Please also check the plugin under Windows Vista with ASLR enabled.
I guess the problems are because of ASLR, not because of DEP.
vetaltm Author
Joined: 05 Feb 2006 Posts: 748
Posted: Fri Aug 31, 2007 12:42 pm Post subject: Re: The Bat! with NX enabled

Maxim Masiutin wrote:
> vetaltm wrote:
> > The plug-in doesn't violate DEP rules, so apparently this is not the reason for the described problem.
>
> Thank you! Please also check the plugin under Windows Vista with ASLR enabled.
> I guess the problems are because of ASLR, not because of DEP.

AFAIK ASLR is enabled in Vista by default, even when DEP is disabled and with no NX-bit hardware support. The plug-in 2.6.0.9 was tested on clean DEP-enabled Vista x86/x64 with TheBat 3.99.24 - no errors occurred. Perhaps some third-party software can raise the errors in the plug-in or TheBat. For example, it may be an antivirus or firewall with specific protection settings. But Kaspersky, Panda and Nod32 with default settings don't break things, so the exact steps to reproduce the problem are required for fixing it.
Maxim Masiutin
Joined: 29 Aug 2007 Posts: 4
Posted: Fri Aug 31, 2007 1:01 pm Post subject: Re: The Bat! with NX enabled

ASLR is only enabled for EXE files that have the DYNAMIC_BASE flag in the PE header. Additionally, the EXE file should have a relocation table to make it support ASLR.
Previous versions of The Bat! had neither a relocation table nor DYNAMIC_BASE, so The Bat! didn't use ASLR.
3.99.24 has both DYNAMIC_BASE and a relocation table, so it activates ASLR for it.
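
The header checks discussed in the post above, as an added example that is not part of the original thread and is not code from Ritlabs or the plug-in author: it reads the NX_COMPAT and DYNAMIC_BASE bits and the base relocation directory from a PE file's headers. The names `pe_mitigations`, `build_sample` and `aslr_capable` are chosen here, and the sample headers are constructed for illustration, not taken from any The Bat! build.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP
BASERELOC = 5                                   # data directory index of the reloc table

def pe_mitigations(data: bytes) -> dict:
    """Read the DEP/ASLR opt-in state from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                          # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    rva = size = 0
    if n_dirs > BASERELOC:
        rva, size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC)
    has_relocs = bool(rva and size) and not file_chars & IMAGE_FILE_RELOCS_STRIPPED
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "has_relocs": has_relocs,
        "aslr_capable": dynamic_base and has_relocs,   # both are needed
    }

def build_sample(dll_chars: int, file_chars: int, reloc=(0, 0)) -> bytes:
    """Constructed PE32 headers only (not a loadable image, not a real build)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC, *reloc)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for args in [(0, 0x0103), (0x0140, 0x0102, (0x5000, 0x200)), (0x0140, 0x0103)]:
        print(args, pe_mitigations(build_sample(*args)))
```

To inspect a real module, pass the file's bytes: `pe_mitigations(open(path, "rb").read())`. The third constructed case has DYNAMIC_BASE set but relocations stripped, which this check reports as not ASLR-capable.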
vetaltm Author
Joined: 05 Feb 2006 Posts: 748
Posted: Fri Aug 31, 2007 9:41 pm Post subject: Re: The Bat! with NX enabled

The plug-in module has supported relocations since early versions. It doesn't use fixed addresses, so ASLR and the DYNAMIC_BASE flag shouldn't be a problem. I've tested the plug-in with TheBat 2.99.24, and everything works fine in test environments. And the plug-in for Windows Mail with the same linker flags works properly in WinMail.exe, which also has the "Dynamic base" and "NX compatible" flags.
I have some ideas on possible sources of the problem, but cannot check them since the bug is not reproduced on test machines. The user having the problem contacted me two days ago, but he hasn't replied to my message yet.
marek_mikus
Joined: 06 Sep 2007 Posts: 1
Posted: Thu Sep 06, 2007 4:50 pm Post subject: AV error

I have TB 3.99.24 and ASS 2.6.1.2. Today I got an AV error in the LOG window, which appeared when receiving messages.
6.9.2007, 17:53:42: FETCH - receiving mail messages
!6.9.2007, 17:53:42: FETCH - Access violation at address 7C918FEA in module 'ntdll.dll'. Write of address 00000010
Can this be related?
vetaltm Author
Joined: 05 Feb 2006 Posts: 748
Posted: Fri Sep 07, 2007 11:17 am Post subject: Re: AV error

marek_mikus wrote:
> Can this be related?

I don't think so. The original post says that "AntiSpamSniper crashes The Bat! when The Bat! is loading the plugins", i.e. the email client crashes immediately on loading.
The described AV is not raised by the plug-in directly, because version 2.6.1.2 handles its own exceptions internally, including AVs. However, it is possible that the plug-in makes the email client raise an exception indirectly. If you can reproduce this bug, try to reproduce it with and without the plug-in. If the problem appears only in the first case in a predictable manner (for example, if there is a deterministic chain of steps to reproduce the AV), then it is probably possible to find the source of the problem using a debug version of the plug-in.
tericorbin29
Joined: 03 Nov 2010 Posts: 2
Posted: Wed Nov 03, 2010 11:42 am Post subject:

I've some ideas on possible sources of the problem, but can't verify them since the bug shouldn't be reproduced on take a look at machines. The user having an issue has contacted me two days ago, but he did not reply to my message yet. The plug-in would not violate DEP guidelines, so apparently this isn't the rationale of described problem. The plug-in was tested efficiently with TheBat 3.99.23 and 3.99.24 on methods with hardware supported DEP (Core2 Duo and AMD64), on XP sp2, XP x64 and Vista with enabled DEP. Additionally virtually the identical code works correctly in plug-ins for Outlook Categorical and Home windows Mail for x86 and x64 platforms.