tags:

views:

97

answers:

2
+1  Q: 

Microsoft's ASLR is weird.

I watched a ASLRed dll images's based address for 32bit Process.
It's not a fully randomization. It just randomizated 1/2 probability.

For example, once I load a dll then the image is loaded on 0x12345678.
And I load the image again, the image is loaded on 0x23456789.(Base address is chagned!)
But I load the image again
0x12345678
0x23456789
0x12345678
0x23456789
...

Why they did implement like this?
Is it for a crash report's frequency?(For getting same crash addresses of re-deployed dlls)

A: 

It's documented as being at one of 1 of 256 possible starting addresses.

But i didn't think it even applied to a process, but to shared DLL's.

ASLR: is not on by default for process images. It's an opt-in thing, for compatiblity.(3)

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

ASLR also randomizes heap and stack memory:

  • When an application creates a heap in Windows Vista and later, the heap manager will create that heap at a random location to help reduce the chance that an attempt to exploit a heap-based buffer overrun succeeds. Heap randomization is enabled by default for all applications running on Windows Vista and later.

  • When a thread starts in a process linked with /DYNAMICBASE, Windows Vista and later moves the thread's stack to a random location to help reduce the chance that a stack-based buffer overrun exploit will succeed.

Ian Boyd  2010-09-07 01:56:04
Please give me a URL of the document.
Benjamin  2010-09-07 02:01:11
Thanks lan. For a EXE PE, I think it might be right. But for a Dll, it still works 1/2 probability. It's weird. Is Michael Howard wrong? -Of course I don't believe he is wrong. There might be something I misunderstand.
Benjamin  2010-09-07 03:59:01
Both of my test exe and dll was applied ASLR. Why didn't the dll work well?(1 of 256 probability)
Benjamin  2010-09-07 04:17:40
+2  A: 

This is by design. Normally, Windows selects a preferred base address for an ASLR DLL when the DLL is first loaded, and then it keeps using that address until the system is rebooted. That way the DLL will be mapped at the same address in every process that loads it, allowing code pages to be shared.

However, if a DLL has been unloaded from every process, the system may sometimes select a different base address the next time the DLL is loaded. It does this to reduce virtual address space fragmentation, not for security reasons. This is what seems to be happening in your case.

Pavel Lebedinsky  2010-09-08 06:11:54
Who are you. What a nice guy you are!
Benjamin  2010-09-08 06:26:04

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)