views:

97

answers:

2

I watched an ASLRed DLL image's base address for a 32-bit process.
It's not a full randomization. It just randomizes with 1/2 probability.

For example, once I load a DLL, the image is loaded at 0x12345678.
And when I load the image again, the image is loaded at 0x23456789. (Base address is changed!)
But I load the image again
0x12345678
0x23456789
0x12345678
0x23456789

...

Why did they implement it like this?
Is it for a crash report's frequency? (For getting the same crash addresses of re-deployed DLLs)

A: 

It's documented as being at 1 of 256 possible starting addresses.

But I didn't think it even applied to a process, only to shared DLLs.

ASLR is not on by default for process images. It's an opt-in thing, for compatibility. (3)

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

ASLR also randomizes heap and stack memory:

  • When an application creates a heap in Windows Vista and later, the heap manager will create that heap at a random location to help reduce the chance that an attempt to exploit a heap-based buffer overrun succeeds. Heap randomization is enabled by default for all applications running on Windows Vista and later.

  • When a thread starts in a process linked with /DYNAMICBASE, Windows Vista and later moves the thread's stack to a random location to help reduce the chance that a stack-based buffer overrun exploit will succeed.

Ian Boyd
Please give me a URL of the document.
Benjamin
Thanks Ian. For an EXE PE, I think it might be right. But for a DLL, it still works with 1/2 probability. It's weird. Is Michael Howard wrong? Of course I don't believe he is wrong. There might be something I misunderstand.
Benjamin
Both my test EXE and DLL had ASLR applied. Why didn't the DLL work well? (1 of 256 probability)
Benjamin
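As an added example (not part of the question or of either answer), here is a Python script for the two checks a practitioner would want at this point: whether a PE image actually opted in to ASLR, which means reading the DllCharacteristics flag that the /DYNAMICBASE linker option sets, and, on Windows only, loading and unloading a DLL repeatedly to record the base address it is mapped at each time. The header-only image built by `build_minimal_pe` is constructed test data, not a loadable binary; the flag value `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040` and the header offsets come from the PE/COFF file format specification. `observe_dll_bases` assumes no other process keeps the DLL mapped, since a DLL that stays loaded elsewhere keeps its base.

```python
import ctypes
import struct
import sys

# Flag values and offsets from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (raw file bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)[0]


def has_dynamic_base(image: bytes) -> bool:
    """True if the image was linked with /DYNAMICBASE, i.e. it opted in to ASLR."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_minimal_pe(characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: a header-only PE image with the given DllCharacteristics."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after DOS stub
    opt_size = 112 if pe32plus else 96               # optional header without data directories
    machine = 0x8664 if pe32plus else 0x14C          # x64 or x86
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, characteristics)
    return bytes(dos) + coff + bytes(opt)


def observe_dll_bases(path: str, cycles: int = 8) -> list:
    """Windows only: load and unload the DLL `cycles` times, recording each base address.

    HMODULE is the image base, so distinct values show the system picked a new base
    between loads. The DLL must be unloaded from every process for that to happen;
    if another process holds it, the same base is reused. Returns [] on other platforms.
    """
    if sys.platform != "win32":
        return []
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.FreeLibrary.argtypes = [ctypes.c_void_p]
    kernel32.FreeLibrary.restype = ctypes.c_int
    bases = []
    for _ in range(cycles):
        lib = ctypes.WinDLL(path)            # LoadLibrary
        bases.append(lib._handle)            # image base address
        kernel32.FreeLibrary(lib._handle)    # drop the reference so the image can unmap
        del lib
    return bases


def summarize_bases(bases: list) -> dict:
    """Count how often each base address was observed (sorted by address)."""
    counts = {}
    for base in bases:
        counts[base] = counts.get(base, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python aslr_check.py path\to\some.dll
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print("DllCharacteristics: 0x%04x, /DYNAMICBASE: %s"
              % (dll_characteristics(data), has_dynamic_base(data)))
        for base, n in summarize_bases(observe_dll_bases(sys.argv[1])).items():
            print("base 0x%x seen %d time(s)" % (base, n))
    else:
        print("constructed image with /DYNAMICBASE:",
              has_dynamic_base(build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
```

A DLL that is mapped at alternating addresses across runs but carries the DYNAMIC_BASE flag is consistent with what the question describes; a DLL without the flag is loaded at its preferred ImageBase and only moves on a relocation conflict, which is the compatibility default the answer refers to.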
+2  A: 

This is by design. Normally, Windows selects a preferred base address for an ASLR DLL when the DLL is first loaded, and then it keeps using that address until the system is rebooted. That way the DLL will be mapped at the same address in every process that loads it, allowing code pages to be shared.

However, if a DLL has been unloaded from every process, the system may sometimes select a different base address the next time the DLL is loaded. It does this to reduce virtual address space fragmentation, not for security reasons. This is what seems to be happening in your case.

Pavel Lebedinsky
Who are you? What a nice guy you are!
Benjamin