ASLR and Windows System DLLs for Unregistered Executables?

From a Microsoft article:

Address Space Layout Randomization (ASLR)

ASLR moves executable images to random locations when the system boots, making it harder for exploit code to predict where they will be. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to ASLR support using the /DYNAMICBASE linker option.

I don't quite understand. Take the base system DLLs loaded by every process in Windows: NtDll.dll and kernel32.dll.
If you have an unregistered executable file, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot in Win 7 for that executable, or will they always load at the same base address after a system reboot, as they do in Win XP?

To make it clearer what I mean: My typical program start is as follows:

    write_cons.exe!wmain()  Line 8  C++
    write_cons.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes   C
    write_cons.exe!wmainCRTStartup()  Line 403  C
>   kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes    


Looking at the asm of BaseProcessStart on my XP machine, I can see this:

    7C817054  push        0Ch  
    7C817056  push        7C817080h 
    7C81705B  call        __SEH_prolog (7C8024D6h) 
    7C817060  and         dword ptr [ebp-4],0 


Now I am interested in the following:

On Windows XP, the address will always be 0x7C817054, no matter how many times I restart this computer. If I were on Win7 with ASLR, would this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: for me, at the moment, there is only one small use case where this address would be useful: in Visual Studio I can set a "data breakpoint" on assembly-level functions, i.e. a breakpoint @ 0x7... If I want to break on a specific ntdll.dll or kernel32.dll function, on Windows XP I don't need to reset the breakpoints between reboots. With ASLR doing the relocation (the scope of this question), I would have to change the data breakpoints between reboots.)



2 answers

Technically, whether the system DLLs are moved or not is irrelevant, since the linker binds to symbols, not addresses. These symbols are resolved by the loader at runtime to the addresses of the system DLLs actually loaded, so your binary should be none the wiser. From what I've seen, Windows 7 re-randomizes the base addresses on every reboot, including for system DLLs (note: this is from debugging WOW64 applications on Windows Server 2008 R2). You can also make the system disable ASLR with some registry changes, but this is not very important ...


The ASLR section in this article explains what gets relocated and when. It doesn't mention whether the base will change on every reboot, but for system DLLs it is never guaranteed to load at the same address twice, reboot or not. The important thing according to the article is that everything must be opted into ASLR for the system DLLs to be rebased.



Your program will resolve calls to system DLLs wherever they are loaded. But, if your executable is not linked with /DYNAMICBASE, it will not be given a randomized base address. In other words, your exe will always load at the same base address.

If you want your exe to load at a randomized address, you need to link it with /DYNAMICBASE, and every DLL linked to it must also be linked with /DYNAMICBASE. System DLLs (since Vista) are linked with /DYNAMICBASE.
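As an added example (not part of either answer, and not Microsoft's code), the following Python script checks the /DYNAMICBASE opt-in that the answer describes by reading the DllCharacteristics field of a PE optional header, reports which modules in a hypothetical process lack it, and shows how to carry a kernel32 breakpoint address across a rebase by turning it into an RVA. The PE headers it parses are constructed inline; the module names, the XP kernel32 base 0x7C800000 and the sample Windows 7 base are assumed values for illustration.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # linked with /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (/HIGHENTROPYVA)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_pe(image_base, dll_characteristics, pe32plus=False):
    """Construct a minimal MZ/PE header (headers only, not a loadable file)
    so the parser below can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)   # ImageBase is 8 bytes at +24
    else:
        struct.pack_into("<I", opt, 28, image_base)   # ImageBase is 4 bytes at +28
    struct.pack_into("<H", opt, 70, dll_characteristics)  # same offset in both formats
    return dos + b"PE\0\0" + coff + bytes(opt)


def parse_pe(data):
    """Return the preferred ImageBase and the ASLR-related DllCharacteristics
    of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def modules_without_dynamic_base(modules):
    """modules: {name: pe_bytes}. Returns the names that were not linked with
    /DYNAMICBASE, i.e. the ones that will keep loading at their preferred base."""
    return [name for name, data in modules.items()
            if not parse_pe(data)["dynamic_base"]]


def rebase(address, old_base, new_base):
    """Carry an absolute address from one load of a module to another by
    keeping its RVA (offset from the module base) constant."""
    return address - old_base + new_base


if __name__ == "__main__":
    # Constructed headers: an ISV exe without the flag, system DLLs with it
    # (hypothetical module names and bases, chosen for illustration).
    process = {
        "write_cons.exe": build_pe(0x00400000, 0),
        "kernel32.dll": build_pe(0x7C800000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "ntdll.dll": build_pe(0x7C900000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }
    print("not opted in:", modules_without_dynamic_base(process))
    # The XP address from the question, re-derived for an assumed Win7 base.
    xp_base, win7_base = 0x7C800000, 0x76E30000
    print("BaseProcessStart after rebase: 0x%08X" % rebase(0x7C817054, xp_base, win7_base))
```

The practical use is the breakpoint problem from the question: record the function as an RVA (address minus the module base shown by the debugger) and recompute the absolute address from the new kernel32 base after each reboot, instead of hard-coding 0x7C817054.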


