How do I get the (relocated) entry point of an executable participating in ASLR on Windows?

Suppose the executable has been loaded and that it participates in ASLR.

The PE header gives the executable's entry point when loaded without ASLR. However, ASLR should be "random", so the header cannot tell anything about the new entry point?

How would I locate my ASLR executable in memory, so that, e.g., I can inspect it and (possibly) modify it?

Shuzheng
    That depends on the context in which your code is running, and the state of the target process. Is the code part of the same executable you are trying to query? Has it been injected into the executable? Is it part of a completely different process? Is the target process running, or was it launched with the `CREATE_SUSPENDED` flag? Do you actually want to find the executable's entry point, or the main() function? – Harry Johnston May 11 '17 at 06:02
  • Yes, the code is part of the same executable. I consider only a single process initialized with the executable under consideration, i.e., it is not loaded dynamically by an already running process. Does this answer your questions? – Shuzheng May 11 '17 at 06:12
  • Do you want the executable's entry point, or do you want the main() function? I don't see any use to you in obtaining the former, and the latter is trivial, at least in C/C++ or any other language that supports function pointers. – Harry Johnston May 11 '17 at 06:14
  • To make things simple, suppose I'm a user double clicking on the executable, which then loads up in an ASLR process. Now I want to find the entry point (or start of PE header). – Shuzheng May 11 '17 at 06:15
  • I cannot assume C++. But thanks for the tip. – Shuzheng May 11 '17 at 06:16
  • I want a general way to find the executable no matter how the program was written. – Shuzheng May 11 '17 at 06:17
  • *To make things simple, suppose I'm a user double clicking on the executable* - that directly contradicts your first comment. Which is it? – Harry Johnston May 11 '17 at 06:20
  • I guess I misunderstand what you mean by "code". The code is the executable's code - is that what you mean? I have not injected any code into the executable to locate it in memory. I consider any executable in general without any assumptions on the way it was written, and then I want to locate its entry point. – Shuzheng May 11 '17 at 06:26
  • So *your* code - the code that you're going to write that will find the entry point of an executable - will be a separate process to the target executable? – Harry Johnston May 11 '17 at 06:28
  • I think [this existing answer](http://stackoverflow.com/a/14467493/886887) addresses your question. Does that look like the right answer? – Harry Johnston May 11 '17 at 06:31
  • Yeah, that would be a different process (could also be injected assembly, but not any high-level constructs). Using injected assembly could I achieve my goal? – Shuzheng May 11 '17 at 06:39
  • Running in the context of the target process? GetModuleHandle or GetModuleHandleEx, passing NULL as the module name. – Harry Johnston May 11 '17 at 06:43
  • Thanks, I could try that. If you want points, you may write an answer :-) – Shuzheng May 11 '17 at 06:49
  • if you want to get the image base of the *self* PE - simply use `&__ImageBase` – RbMm May 11 '17 at 06:49
  • I will inject ASM at entry point of EXE to look up the entry point at runtime and possibly print it out. – Shuzheng May 11 '17 at 06:51
  • @RbMm What is that? – Shuzheng May 11 '17 at 06:51
  • if you `injected ASM at entry point of EXE` - you of course cannot use [`&__ImageBase`](http://stackoverflow.com/a/557859/6401656) – RbMm May 11 '17 at 06:53
  • @RbMm - could I locate this symbol from an external process? – Shuzheng May 11 '17 at 07:04
  • no, this is an internal *link.exe* symbol. So if you link any PE file normally, you can use it, but only at compile/link time. You cannot access this externally – RbMm May 11 '17 at 08:25
  • Is it updated in relocation (ASLR)? @RbMm – Shuzheng May 11 '17 at 10:46
  • of course yes. strange question – RbMm May 11 '17 at 10:48

1 Answer


If your code is running in the context of the process whose main module you want to locate, you can call either GetModuleHandle or GetModuleHandleEx, passing NULL instead of a module name.

Note that in 32-bit or 64-bit Windows, a "module handle" is in fact a pointer to the virtual address of the module. (This wasn't true in 16-bit Windows.)

If your code is running in a separate process, you can use EnumProcessModules as described here.

Harry Johnston
  • Thanks. But you say that the handle is an RVA. How do I get the base address; without it, the RVA is worth nothing? – Shuzheng May 13 '17 at 05:01
  • The handle is not an RVA, it is the absolute address of the start of the module in the virtual address space of the process. – Harry Johnston May 13 '17 at 05:23
  • Aha, if I look at this module in memory after ASLR has been performed, will all fields (e.g., RVAs of sections) be adjusted properly to reflect the new memory layout? I guess original RVAs won't hold anymore, since this is not very random. – Shuzheng May 13 '17 at 05:57
  • ASLR does not relocate individual sections in a module, only the module as a whole. The RVAs are unaffected. – Harry Johnston May 13 '17 at 06:53
  • But the base field of the PE header is changed, right (the address RVAs are relative to)? Could you point to a resource on Windows ASLR details? Otherwise, how would I get the new base address? From the module handle? – Shuzheng May 13 '17 at 07:40
  • Yes, of course from the module handle. As I've already said twice, the module handle *is* the base address of the module. The RVAs are relative to that. See https://msdn.microsoft.com/en-us/library/ms809762.aspx – Harry Johnston May 13 '17 at 08:04
  • Thanks for your guidance. – Shuzheng May 13 '17 at 09:07
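The answer's in-process approach worked through as an added example (this is not code from the original post): on Windows, `GetModuleHandle(NULL)` returns the live base of the main module, and the entry point is that base plus the `AddressOfEntryPoint` RVA read from the headers mapped at the base, which ASLR leaves unchanged. The offset constants follow the PE/COFF specification; `sample_image` is a constructed header, used so the arithmetic can be checked off Windows.

```c
#include <stdint.h>
#include <string.h>
#define E_LFANEW  0x3C   /* DOS header field: offset of the NT headers */
#define OPT_HDR   24     /* "PE\0\0" (4) + COFF file header (20) */
#define AEP       16     /* OptionalHeader.AddressOfEntryPoint (PE32 and PE32+) */
#define IMGBASE32 28     /* OptionalHeader.ImageBase, PE32 (4 bytes) */
#define IMGBASE64 24     /* OptionalHeader.ImageBase, PE32+ (8 bytes) */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* hdr = the mapped image (the HMODULE from GetModuleHandle(NULL)), live_base = that address
   as an integer. ASLR slides the whole module, so the header RVA is unchanged. 0 = not PE. */
uint64_t entry_point_va(const uint8_t *hdr, uint64_t live_base)
{
    if (rd16(hdr) != 0x5A4D) return 0;                   /* "MZ" */
    uint32_t nt = rd32(hdr + E_LFANEW);
    if (rd32(hdr + nt) != 0x00004550) return 0;          /* "PE\0\0" */
    uint16_t magic = rd16(hdr + nt + OPT_HDR);
    if (magic != 0x10B && magic != 0x20B) return 0;      /* PE32 / PE32+ */
    return live_base + rd32(hdr + nt + OPT_HDR + AEP);
}

/* Linker's preferred ImageBase from the header; live_base minus this is the ASLR slide. */
uint64_t preferred_base(const uint8_t *hdr)
{
    const uint8_t *opt = hdr + rd32(hdr + E_LFANEW) + OPT_HDR;
    return rd16(opt) == 0x20B ? rd64(opt + IMGBASE64) : (uint64_t)rd32(opt + IMGBASE32);
}
/* Constructed PE32+ header, not a real binary (host assumed little-endian, as PE is). */
const uint8_t *sample_image(void)
{
    static uint8_t img[256];                             /* zero-filled */
    uint32_t aep = 0x1420; uint64_t ib = 0x140000000ULL;
    img[0] = 'M'; img[1] = 'Z'; img[E_LFANEW] = 0x40;    /* e_lfanew = 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x40 + OPT_HDR] = 0x0B; img[0x40 + OPT_HDR + 1] = 0x02;   /* magic 0x20B */
    memcpy(img + 0x40 + OPT_HDR + AEP, &aep, 4);
    memcpy(img + 0x40 + OPT_HDR + IMGBASE64, &ib, 8);
    return img;
}
#ifdef _WIN32
#include <windows.h>
/* In-process, as in the answer: the module handle *is* the live base, so read from it. */
uint64_t self_entry_point(void)
{
    const uint8_t *hdr = (const uint8_t *)GetModuleHandle(NULL);
    return entry_point_va(hdr, (uint64_t)(uintptr_t)hdr);
}
#endif
```

For a separate process, the same two functions apply to the base returned by `EnumProcessModules` once the headers have been read out of the target with `ReadProcessMemory`.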