(With full source code)

BOWall is the program that implement protection against buffer overflow attacks for the binary executed Windows NT 4.0 files. The protection is given as two methods.

1) Vulnerable functions monitoring

The updating of set potentially vulnerable DLL functions is made. List of such functions concern strcpy, wstrcpy, strncpy, wstrncpy, strcat, wcscat, strncat, wstrncat, memcpy, memmove, sprintf, swprintf, scanf, wscanf., gets, getws, fgets, fgetws. The updating consists in addition of a integrity check code that checks local variable frame base pointer. More detail

2) Obstacle to execution of dynamic libraries functions from data and stack memory

The essence of method consists in an obstacle to exploit functionality. It's produced at the expense of updating exported vulnerable DLL functions by addition of check code that checks the address of a call of the given functions. If the address of a call belongs to data or stack then program execution is blocked. More detail

Both methods are implemented to detect buffer overflow or exploit activity and terminate process by call of the privileged instruction at triggered state. The given protection methods only detect the fact of overflow, but not prevent overflow.

Functioning Description


BOWall v 1.21

BOWall v 1.2b

Full source code

(C) 2000, Andrey Kolishak