ASLR and Windows System DLLs for Non-Opted-In Executables?
From the Microsoft article:
Address Space Layout Randomization (ASLR)
ASLR moves executable images to random locations when the system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and subsequent systems randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to ASLR support using the /DYNAMICBASE linker option.
I don't quite understand. Take the base system DLLs loaded by every process in Windows: NtDll.dll and kernel32.dll.
If you have an executable that has not opted in, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for that executable, or will they always load at the same base address after a system reboot, as they do on Win XP?
To make it clearer what I mean: My typical program start is as follows:
write_cons.exe!wmain() Line 8 C++
write_cons.exe!__tmainCRTStartup() Line 583 + 0x19 bytes C
write_cons.exe!wmainCRTStartup() Line 403 C
> kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Looking at the asm of BaseProcessStart, I can see this on my XP:
_BaseProcessStart@4:
7C817054 push 0Ch
7C817056 push 7C817080h
7C81705B call __SEH_prolog (7C8024D6h)
7C817060 and dword ptr [ebp-4],0
...
Now I am interested in the following:
On Windows XP, the address will always be 0x7C817054, no matter how many times I restart this computer. If I were on Win7 with ASLR, would this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?
(Note: for me, atm, there is only one small use case where this address would be useful: in Visual Studio I can set a "data breakpoint" for assembly-level functions, i.e. a breakpoint @ 0x7 ... If I want to break on a specific ntdll.dll or kernel32.dll function, on Windows XP I don't need to reset breakpoints between reboots. With ASLR in play (the scope of this question), I would have to change the data breakpoints between reboots.)
Technically, whether the system DLLs are moved or not is irrelevant, since the linker binds to symbols, not addresses. These symbols are resolved by the loader at runtime to the addresses of the loaded system DLLs, so your binary should be none the wiser. From what I've seen, Windows 7 re-randomizes the base on every reboot, including for system DLLs (note: this is from debugging WOW64 applications on Windows 2008 R2 Server). You can also make the system disable ASLR with some registry changes, but this is not very important ...
Update:
Your program will resolve calls to system DLLs wherever they are loaded. But if your executable is not linked with /DYNAMICBASE, it will not be given a randomized base address. In other words, your exe will always load at the same base address.
If you want your exe to load at a randomized address, you need to link it with /DYNAMICBASE, and every DLL it links to must also be linked with /DYNAMICBASE. System DLLs (since Vista) are linked with /DYNAMICBASE.
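As an added example (not from the question or either answer), here is a small Python check for the opt-in the answers describe: /DYNAMICBASE sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit in the PE optional header, so you can tell from the file alone whether an exe or DLL will get a randomized base. The helper names (make_stub_pe, has_dynamic_base) and the stub PE image it builds are constructed for the demonstration; run it on a real file with has_dynamic_base(open(path, "rb").read()).

```python
"""Read the DllCharacteristics field of a PE image to see whether it opted in to ASLR."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link.exe /DYNAMICBASE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER is 20 bytes; IMAGE_OPTIONAL_HEADER follows it.
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def has_dynamic_base(image: bytes) -> bool:
    """True if the image was linked with /DYNAMICBASE (eligible for ASLR)."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def make_stub_pe(dll_chars: int) -> bytes:
    """Build a constructed PE32 header (not runnable) just large enough to parse."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, 224-byte optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for label, chars in (("XP-style exe, no /DYNAMICBASE", 0x0000),
                         ("exe linked with /DYNAMICBASE", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)):
        print(f"{label}: ASLR opt-in = {has_dynamic_base(make_stub_pe(chars))}")
```

The same bit is what dumpbin /headers lists as "Dynamic base" under DLL characteristics, so the two checks should agree on any real binary.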