Turn on ASLR via /DYNAMICBASE and DEP via SetProcessDEPPolicy().

svn path=/trunk/; revision=34137

capinfos.c

@@ -816,7 +816,7 @@ main(int argc, char *argv[])
   /*
    * Get credential information for later use.
    */
-  get_credential_info();
+  init_process_policies();
 
 #ifdef HAVE_PLUGINS
   /* Register wiretap plugins */

config.nmake

@@ -780,6 +780,7 @@ LOCAL_CFLAGS=$(LOCAL_CFLAGS) /D_BIND_TO_CURRENT_CRT_VERSION=1
 !IF "$(MSVC_VARIANT)" == "MSVC2008" || "$(MSVC_VARIANT)" == "MSVC2008EE" || "$(MSVC_VARIANT)" == "MSVC2010" || "$(MSVC_VARIANT)" == "MSVC2010EE"
 LOCAL_CFLAGS= $(LOCAL_CFLAGS) /MP
 !ENDIF
+
 # Linker flags:
 # /DEBUG  generate debug info
 # /PROFILE generate map file(s) for profiling
@@ -792,6 +793,15 @@ DLL_LDFLAGS =
 DLL_LDFLAGS = /MANIFEST:no
 !ENDIF
 
+# Enable ASLR. Requires VS2008 or later.
+# http://blogs.msdn.com/b/vcblog/archive/2009/05/21/dynamicbase-and-nxcompat.aspx
+# DEP is handled in init_process_policies()
+
+# ASLR http://msdn.microsoft.com/en-us/library/bb384887.aspx
+!IF $(MSC_VER_REQUIRED) >= 1500
+LOCAL_LDFLAGS= $(LOCAL_LDFLAGS) /DYNAMICBASE
+!ENDIF
+
 PLUGIN_LDFLAGS = /NOLOGO /INCREMENTAL:no $(LOCAL_LDFLAGS) $(DLL_LDFLAGS)
 
 #

dftest.c

@@ -68,7 +68,7 @@ main(int argc, char **argv)
 	/*
 	 * Get credential information for later use.
 	 */
-	get_credential_info();
+	init_process_policies();
 
 	/*
 	 * Attempt to get the pathname of the executable file.

dumpcap.c

@@ -3569,7 +3569,7 @@ main(int argc, char *argv[])
   /*                                                                   */
   /* ----------------------------------------------------------------- */
 
-  get_credential_info();
+  init_process_policies();
 
 #ifdef HAVE_LIBCAP
   /* If 'started with special privileges' (and using libcap)  */

editcap.c

@@ -383,9 +383,9 @@ set_strict_time_adj(char *optarg_str_p)
       optarg_str_p++;
   }
 
-  /* 
-   * check for a negative adjustment 
-   * A negative strict adjustment value is a flag 
+  /*
+   * check for a negative adjustment
+   * A negative strict adjustment value is a flag
    * to adjust all frames by the specifed delta time.
    */
   if (*optarg_str_p == '-') {
@@ -807,7 +807,7 @@ main(int argc, char *argv[])
   /*
    * Get credential information for later use.
    */
-  get_credential_info();
+  init_process_policies();
 
 #ifdef HAVE_PLUGINS
   /* Register wiretap plugins */
@@ -1226,9 +1226,9 @@ main(int argc, char *argv[])
                 phdr = &snap_phdr;
               }
             } else {
-              /* 
-               * A negative strict time adjustment is requested. 
-               * Unconditionally set each timestamp to previous 
+              /*
+               * A negative strict time adjustment is requested.
+               * Unconditionally set each timestamp to previous
                * packet's timestamp plus delta.
                */
               snap_phdr = *phdr;

gtk/main.c

@@ -2116,7 +2116,7 @@ main(int argc, char *argv[])
    * before doing anything else.
    * Let the user know if anything happened.
    */
-  get_credential_info();
+  init_process_policies();
   relinquish_special_privs_perm();
 
   /*

rawshark.c

@@ -453,7 +453,7 @@ main(int argc, char *argv[])
     /*
      * Get credential information for later use.
      */
-    get_credential_info();
+    init_process_policies();
 
     /*
      * Clear the filters arrays
@@ -480,7 +480,7 @@ main(int argc, char *argv[])
     /*
      * Get credential information for later use.
      */
-    get_credential_info();
+    init_process_policies();
 
     /* nothing more than the standard GLib handler, but without a warning */
     log_flags =

tshark.c

@@ -824,7 +824,7 @@ main(int argc, char *argv[])
   /*
    * Get credential information for later use.
    */
-  get_credential_info();
+  init_process_policies();
 
   /*
    * Attempt to get the pathname of the executable file.

wsutil/libwsutil.def

@@ -42,7 +42,7 @@ mpa_samples
 mpa_version
 
 ; privileges.c
-get_credential_info
+init_process_policies
 get_cur_groupname
 get_cur_username
 npf_sys_is_running

wsutil/privileges.c

@@ -44,8 +44,19 @@
  * we'll need later.
  */
 void
-get_credential_info(void)
+init_process_policies(void)
 {
+	typedef BOOL (*SetProcessDEPPolicyHandler)(DWORD);
+	SetProcessDEPPolicyHandler PSetProcessDEPPolicy;
+
+#ifndef PROCESS_DEP_ENABLE
+#define PROCESS_DEP_ENABLE 1
+#endif
+
+	if (PSetProcessDEPPolicy = (SetProcessDEPPolicyHandler) GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "SetProcessDEPPolicy")) {
+		PSetProcessDEPPolicy(PROCESS_DEP_ENABLE);
+	}
+
 	npf_sys_is_running();
 }
 
@@ -149,7 +160,7 @@ npf_sys_is_running() {
 
 static uid_t ruid, euid;
 static gid_t rgid, egid;
-static gboolean get_credential_info_called = FALSE;
+static gboolean init_process_polices_called = FALSE;
 
 /*
  * Called when the program starts, to save whatever credential information
@@ -157,14 +168,14 @@ static gboolean get_credential_info_called = FALSE;
  * That'd be the real and effective UID and GID on UNIX.
  */
 void
-get_credential_info(void)
+init_process_polices(void)
 {
 	ruid = getuid();
 	euid = geteuid();
 	rgid = getgid();
 	egid = getegid();
 
-	get_credential_info_called = TRUE;
+	init_process_polices_called = TRUE;
 }
 
 /*
@@ -174,7 +185,7 @@ get_credential_info(void)
 gboolean
 started_with_special_privs(void)
 {
-	g_assert(get_credential_info_called);
+	g_assert(init_process_polices_called);
 #ifdef HAVE_ISSETUGID
 	return issetugid();
 #else

wsutil/privileges.h

@@ -23,10 +23,10 @@
  */
 
 /**
- * Called when the program starts, to save whatever credential information
- * we'll need later.
+ * Called when the program starts, to enable security features and save
+ * whatever credential information we'll need later.
  */
-extern void get_credential_info(void);
+extern void init_process_policies(void);
 
 /**
  * Was this program started with special privileges?  get_credential_info()