Okay, having read the page, here is what I am able to say...
quoted from the link you posted:
"
Software-enforced DEP
Software-enforced DEP performs additional checks on exception handling
mechanisms in Windows. If the program's image files are built with Safe
Structured Exception Handling (SafeSEH), software-enforced DEP ensures that
before an exception is dispatched, the exception handler is registered in
the function table located within the image file.
If the program's image files are not built with SafeSEH, software-enforced
DEP ensures that before an exception is dispatched, the exception handler is
located within a memory region marked as executable."
If you read what it says, it says that it will only operate with apps that
are written using SafeSEH encoding, that will specify what handles in the
active function table is located. In this instance, it will monitor the
execution of exception handlers and limit their ability to execute code
outside what is in the table. What this means is that if a person wrote a
piece of malware that INCLUDED a portion of the stack that he wanted to
crash in his exception handler, then the S/W based DEP would allow this to
occur. Not much protection there. In the last sentence, it states that in
the absence of SafeSEH image files, the program will simply be terminated.
It this means that a handle is called in for instance the RPC stack, then
the RPC stack will simply be terminated. Sound familiar? It should.
SASSER depended on a buffer overrun to cause a failure of the RPC stack with
an exception handler that pointed to a piece of code that would count down
and shut down the computer. So, having read the above paragraph, it simply
terminates the stack without the exception handler, but then your computer
will have to be rebooted. Not much protection there. I would not even want
to test this "software-based DEP". I would caution you that what you are
worrying yourself over is only very slightly better than no protection at
all. I would not depend on it to do anything other than perhaps render the
computer unusable until it is rebooted. I would rather have a SPI firewall
and an up to date antivirus app than depend on the questionable benefit of
"software-based DEP".
You must understand that the hardware DEP is something valuable. It simply
will not allow the execution of any code that attempts to cause an execution
or buffer overrun that will cause a failure of a heap or a stack. It won't
terminate the process, it will simply not allow the exception handler to
access anything outside the hardware protected execution area. This means
that the computer will not be affected by the type of code that depends on
the failure of a heap or a stack to execute. Your computer will continue to
function as normal, with no ill effect from the offending code. With the
software based DEP, the exception could still gain control of your system,
and if the code is not written with the proper image files, then the stack
or heap will terminate, which is what the malicious code intended to do.
If you are truly concerned about using DEP, I would urge you to get an AMD64
based computer. The only "real" DEP protection depends on the Processor
having the necessary hardware to run it. The "software-enabled DEP" seems
to serve no useful purpose, and I think it was probably added as a way to
save Intel from the embarrassing fact that their chips cannot support
hardware based DEP. Intel is losing market share steadily to AMD, and this
is yet another reason, among many, that they are rightfully losing share.
Bobby
