raj_delphi 0 Posted December 1, 2023 Hi, My application required to enable SafeSEH and CFG flags for the security vulnerability issue, is it possible to enable the same? If yes, How? I have followed this https://blogs.embarcadero.com/rad-studio-11-1-and-windows-pe-security-flags/ for ASLR, DEP flags. Share this post Link to post
Kas Ob. 121 Posted December 1, 2023 7 minutes ago, raj_delphi said: SafeSEH and CFG To my knowledge, Delphi compiler doesn't support both, both are specific structures and code snippets generated by the compiler to help Windows OS, where the compiler must add specific structures/procedures in the code (and data/heap/stack) in very specific way to help the OS monitor intrusions or malicious interventions But i can be mistaken and Delphi compiler is already doing that, (highly unlikely!) Share this post Link to post
DelphiUdIT 176 Posted December 1, 2023 (edited) For SEH you can look at this: https://github.com/vic4key/SEH-For-DELPHI For CFG (Control Flow Guard), you can set the flag that signal that your program adheres to, but there is not implementation in Delphi compiler (the same like @Kas Ob., I not sure about that). Put in you DPR source this line, Process Explorer will show you that the flag is activated.: {$SETPEOPTFLAGS $4000} //SET CFG ON (Control Flow Guard) For your DLL you can use this (I use it in C++): IMAGE_DLLCHARACTERISTICS_GUARD_CF("IMAGE_DLLCHARACTERISTICS_GUARD_CF", 0x4000, "Image supports Control Flow Guard.") P.S.: I DON'T KNOW HOW THESE SETTINGS WORK IN A CFG-AWARE Operating System (like Windows Server) ... you must try ... Edited December 1, 2023 by DelphiUdIT Share this post Link to post
Kas Ob. 121 Posted December 1, 2023 26 minutes ago, DelphiUdIT said: For SEH you can look at this: https://github.com/vic4key/SEH-For-DELPHI That is SEH, a normal SEH, has nothing to do with SafeSEH from Windows OS. The resources about it are scarce but here a pointer https://stackoverflow.com/questions/25081033/what-safesehno-option-actually-do For SafeSEH you need the compiler and the linker to jointly produce Windows SafeSEH compliant structure. 31 minutes ago, DelphiUdIT said: Put in you DPR source this line, Process Explorer will show you that the flag is activated.: {$SETPEOPTFLAGS $4000} //SET CFG ON (Control Flow Guard) For your DLL you can use this: IMAGE_DLLCHARACTERISTICS_GUARD_CF("IMAGE_DLLCHARACTERISTICS_GUARD_CF", 0x4000, "Image supports Control Flow Guard.") This will not help too, it will only make the OS more aggressive against your application with near zero tolerance for page faults. Code Flow Guard (CFG) is very similar to SafeSEH from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#control-flow-guard-cfg Quote Control flow guard (CFG) Description Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may use a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it's called. If the target isn't a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. Hope that clear things. 1 Share this post Link to post
DelphiUdIT 176 Posted December 1, 2023 19 minutes ago, Kas Ob. said: This will not help too, it will only make the OS more aggressive against your application with near zero tolerance for page faults. I use that flag in Delphi and in C++ in all my applications since many years, and no issue was signaled about that. But i never used it in a Windows Server environment. And I noted that since I used it no signal about application is done from Defender (SmartScreen and others) and from others Corporate AntiVirus. Some of my applications run in critical secure environment (they are digitally signed too) and I know that who use them use AV control settings set to "maximum control" like Heuristics, but I'm pretty sure that they use Windows with CFG setting in normal mode. But I was probably just lucky. Application that use CFG (really use it) is working in sync mode (the compiler takes care of autonomously inserting the appropriate code) with OS (in normal mode or in strict mode). The application can use it partially or in full environment (or none) and with CFG enable in Normal Mode (or without CFG enabled) there are no issue. In "strict mode" the OS should no load any application (or DLL) that have this flag OFF. But I don't know if in this scenario the application should really use the CFG (I think that for some API functions like LoadLibrary for example the OS should react in some way, but I have not experience). For better knowledge look at this page: https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard Share this post Link to post
Remy Lebeau 1396 Posted December 1, 2023 (edited) 8 hours ago, raj_delphi said: Hi, My application required to enable SafeSEH and CFG flags for the security vulnerability issue, is it possible to enable the same? If yes, How? SafeSEH and CFG require compiler/linker support to setup additional data/code in the exe, so it's not enough to just enable their flags in the PE header. Delphi does not support SafeSEH or CFG at this time. But there is a SetProcessValidCallTargets() API you can call in your own code to implement CFG manually, at least. Edited December 1, 2023 by Remy Lebeau Share this post Link to post
raj_delphi 0 Posted December 4, 2023 On 12/1/2023 at 7:08 PM, DelphiUdIT said: For SEH you can look at this: https://github.com/vic4key/SEH-For-DELPHI For CFG (Control Flow Guard), you can set the flag that signal that your program adheres to, but there is not implementation in Delphi compiler (the same like @Kas Ob., I not sure about that). Put in you DPR source this line, Process Explorer will show you that the flag is activated.: {$SETPEOPTFLAGS $4000} //SET CFG ON (Control Flow Guard) For your DLL you can use this (I use it in C++): IMAGE_DLLCHARACTERISTICS_GUARD_CF("IMAGE_DLLCHARACTERISTICS_GUARD_CF", 0x4000, "Image supports Control Flow Guard.") P.S.: I DON'T KNOW HOW THESE SETTINGS WORK IN A CFG-AWARE Operating System (like Windows Server) ... you must try ... {$SETPEOPTFLAGS $4000} this command enabled the CFG... Thank you so much! Share this post Link to post
David Heffernan 2345 Posted December 4, 2023 12 hours ago, raj_delphi said: Thank you so much! Did you just cherry pick the content from above? Share this post Link to post
raj_delphi 0 Posted December 21, 2023 On 12/4/2023 at 11:28 PM, David Heffernan said: Did you just cherry pick the content from above? I just used added the line in Delphi project file. {$SETPEOPTFLAGS $4000} Share this post Link to post
David Heffernan 2345 Posted December 21, 2023 That's what I thought. What about the part that pointed out the futility of setting the flag without having the corresponding compiler support? 1 Share this post Link to post
Anders Melander 1783 Posted December 21, 2023 23 minutes ago, David Heffernan said: What about the part that pointed out the futility of setting the flag without having the corresponding compiler support? Nah nah nah nah, can't hear you. I just added support for Alpha AXP to my application with SetPEFlags(IMAGE_FILE_MACHINE_ALPHA). Neat huh? 2 Share this post Link to post