Solved: The solution was calling personality(0x40000). See details below in the comments.

Where does the ASLR flag reside within an ELF file? I need to disable ASLR for a specific library (.so). I've tried using objdump but I couldn't find out how to do so.

I can't use /proc because it doesn't appear to work on my Android 4.4.4, so I'm trying to modify the binary.

Edit: I've compiled the following:

#include <stdio.h>

void* getEIP()
{
    return __builtin_return_address(0) - 0x5;
}

int main(int argc, char** argv)
{
    printf("EIP located at: %p\n", getEIP());
    return 0;
}

without ASLR (PIE):

arm-linux-androideabi-gcc.exe code.c -o noPIE --sysroot=%NDK%\platforms\android-3\arch-arm

with ASLR (PIE):

arm-linux-androideabi-gcc.exe -fPIE -pie code.c -o withPIE --sysroot=%NDK%\platforms\android-3\arch-arm

The noPIE binary indeed isn't being randomized, even though:

# cat /proc/sys/kernel/randomize_va_space
2
John
    AFAIK, the ASLR flag does not reside inside the ELF file. It is a dynamic property of the kernel. So if you cannot use `/proc/`, I believe you are stuck. BTW, I might be widely wrong! See also [this](http://stackoverflow.com/q/5194666/841108). And ASLR is a process-wide property of the address space so changing it only for one particular `libfoo.so` does not make any sense – Basile Starynkevitch Oct 12 '15 at 12:20
  • Perhaps I should've mentioned - I can't use /proc because it doesn't work on my Android 4.4. It simply doesn't really disable ASLR. What did work for me was compiling without ASLR. Do you know any workaround? – John Oct 12 '15 at 12:32
  • Please edit your question to explain how you are compiling without ASLR.... – Basile Starynkevitch Oct 12 '15 at 12:41
  • I used -fPIE and -pie which I assume one of them simply generates position independent code and the other sets the ASLR flag? – John Oct 12 '15 at 12:58

2 Answers

I need to disable ASLR for a specific library (.so).

You can't (and the ASLR does not reside anywhere in the ELF file because it's not a property of the ELF, it's a property of the kernel).

What you can do is disable randomization for a given process. setarch -R is your friend.

Employed Russian
  • This works. I didn't have setarch on my android device so I used personality: http://man7.org/linux/man-pages/man2/personality.2.html I didn't find any macro to disable ASLR so I used strace like Basile Starynkevitch said on ubuntu and found out it passes 0x40000. – John Oct 13 '15 at 08:40

I believe ASLR is happening in both cases. See also this.

But in the first case (noPIE binary), the executable itself is having a fixed address; however all the calls to mmap(2) without MAP_FIXED are randomized, and this includes the loading of the shared libraries.

In the second case (PIE binary), even the executable itself is loaded at some random address by execve(2) (and also of course the shared libraries, which are later mmap-ed by ld-linux(8) mentioned as the "interpreter" inside your ELF files).

You could check by strace(1)-ing both executions.

ASLR is part of the kernel state. Changing it for mmap-ing a particular shared object does not make any sense, but, as Employed Russian answered, you could disable it with setarch -R for a process and its future child processes (perhaps your parent shell and all its children).

Basile Starynkevitch