DEP and ASLR – the intentional and the unavoidable
So far, we've only mentioned these concepts in passing: DEP (Data Execution Prevention, also called NX for no-execute) and ASLR (Address Space Layout Randomization). I'm afraid we can't put them off forever. I think I hear a couple of hackers at the back saying, "Good!" It took the impact out of the demonstrations when we had to disable basic protection to make the attack work. Fair enough. When we introduced a basic buffer overflow in Chapter 7, Stack and Heap–Memory Management, we explicitly disabled ASLR; and in the last chapter on heap spraying, we relied on DEP being weakly configured. (To be fair, Windows 7 comes out of the box like that.) This is all by design, though: we can't understand the core concept without taking a step back first. These protection mechanisms are responses to the attacks we've demonstrated. But look at me, going off on a tangent again without defining these simple concepts.
Understanding DEP
Remember where we stuff our shellcode? Into the stack or the heap, which is memory...