SVV on a No-eXecute enabled system versus 2 systems without this hardware feature 

Summary
Having tried the SVV on a workstation based on an Opteron processor, it was found that SVV could not gain access to the NTOSKRNL. This prompted a check whether this was due to software-based protection, which proved not to be the case. Instead, the real reason turned out to be the hardware-based No eXecute (NX) support, working together with MS-Windows XP's Data Execution Prevention (DEP). The result is that, if the NX-bit is properly supported, users will be significantly safer against malware/rootkit attacks.

Test
Trying out the SVV program on the Opteron-based workstation, it was noticed that the output did not look quite like it did in the video files from the presentation at Black Hat, Aug. 2006, in Las Vegas. This suggested that it might be worth seeing how SVV behaves on different PCs, and that is how the apparent significance of the NX function in relation to SVV was discovered. Initially, it was thought that the extra protection was due to ZoneAlarm Pro, but disabling ZApro made no difference to the results. It was when SVV was run on two older PCs that the real reason appeared; note that this concerns Windows XP running natively, not Vista under a virtualization system. This is, by the way, a great example of the benefits of the No-execute (NX) bit, pioneered by AMD in the K8 together with Microsoft. Intel followed suit later with their 90-nm Pentium 4 "Prescott" CPUs. All 3 systems used in the test were configured with the same software. All systems run MS-Defender, Spybot S&D, ZoneAlarm PRO, and Norton AV.


1. Current-generation PC/workstation
(ASUS SK8V w. BIOS1003, AMD Opteron 265, 2GB OCZ Reg ECC, MS-Windows XP Pro SP2+)

 
In this case: full protection against this tool from the NX-bit & DEP.


2. Results from the previous generation PC

(ASUS A7A-266E, BIOS 1012, AMD-XP2000-b, 1GB PC2100, MS-Windows XP Pro SP2+):


Here SVV runs fine and finds the NTOSKRNL. The DEP settings were changed to see whether Microsoft's claim about DEP on platforms without hardware support made any difference here; it did not (upon re-boot) in this case.
SVV flies happily through in either case. The processor, AMD XP2000-b, does not support the NX-bit function.


3. Lastly, a 5 year old PC

 (ASUS K7V-T BIOS 1007, AMD Slot-A 950Mhz T-bird, 512MB SD-133, MS-Windows 2000 SP4+)

 

Here it also runs fine and does find the NTOSKRNL. Windows 2000 does not support the DEP concept.
The NX-bit was perhaps not even a concept when the AMD Slot-A processor was designed...
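Before reading a result like the three above as evidence for or against the processor, it helps to confirm what the machine actually reports: whether hardware DEP (NX) is available to Windows, which DEP policy is in force, and what boot-time switch a re-boot will pick up. The following PowerShell check is an added example, not part of the original page or of SVV; it assumes a Windows host with WMI, the documented DataExecutionPrevention_* properties of Win32_OperatingSystem (assumed populated on XP SP2 and later), and boot.ini (XP/2003) or the BCD store (Vista and later) for the boot-time setting.

```powershell
# Added example, not from the StealthSecure.net page or from SVV itself.
# Reports whether the CPU/Windows pair really provides hardware DEP (NX) and
# which DEP policy is enforced, so a test result can be explained correctly.
# Assumes Windows with WMI; the Win32_OperatingSystem DEP properties are
# assumed to be populated on XP SP2 and later (null on older builds).

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # SupportPolicy values: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows programs
    # and services only, the default), 3 OptOut (everything except exclusions)
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = $os.DataExecutionPrevention_SupportPolicy
    $policyName = 'unknown'
    if ($null -ne $policy) { $policyName = $policyNames[[int]$policy] }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
    New-Object PSObject -Property @{
        OS                   = $os.Caption
        # True only when the processor exposes NX/XD AND Windows is using it;
        # expected false on a CPU without NX or on an OS without DEP (Windows 2000)
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        SupportPolicy        = $policyName
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepBootSwitch {
    # The boot-time setting a re-boot picks up: /noexecute=... in boot.ini on
    # XP/2003, the "nx" entry of the current boot entry in the BCD store later.
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    if (Test-Path $bootIni) {
        Select-String -Path $bootIni -Pattern 'noexecute' | ForEach-Object { $_.Line.Trim() }
    } else {
        bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s' | ForEach-Object { $_.Line.Trim() }
    }
}

Get-DepStatus | Format-List
Get-DepBootSwitch
```

A machine in the state of system 1 above should report HardwareDepAvailable as True; systems 2 and 3 should report False (or null on Windows 2000) regardless of the policy chosen, which is why changing the DEP setting there changed nothing.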


Send mail to admin@StealthSecure.net with questions or comments about this web site.
Copyright © 2005 - 2010 StealthSecure.net - Copyright of all documents and other content belonging to this site by StealthSecure.net.
It is illegal to copy or redistribute this information in any way without the expressed written consent of StealthSecure.net.
Adverse consequences of the uses of, or reliance upon, information obtained from StealthSecure.net cannot be made attributable to the owner(s) of StealthSecure.net.
Last modified: 01/02/10