
From a Microsoft article:

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

I don't quite get it. Take the base system DLLs loaded by every process on Windows: NtDll.dll and kernel32.dll.

If I have a non-aware executable, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for this executable or will they always load at the same base address after system reboot like they do on Win XP?

To make it more clear what I mean: My typical dummy program's startup stack will look like this:

    write_cons.exe!wmain()  Line 8  C++
    write_cons.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes   C
    write_cons.exe!wmainCRTStartup()  Line 403  C
>   kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes    

Looking at the asm of BaseProcessStart, I see on my XP box here:

    _BaseProcessStart@4:
    7C817054  push        0Ch
    7C817056  push        7C817080h
    7C81705B  call        __SEH_prolog (7C8024D6h)
    7C817060  and         dword ptr [ebp-4],0
    ...

Now what interests me is the following:

On Windows XP, the address will always be 0x7C817054, regardless of how many times I reboot this machine. If I were on Win7 with ASLR, will this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: For me, atm., there is only one minor use-case this address would be useful for: In Visual Studio, I can only set a "Data Breakpoint" for assembly level functions, that is a breakpoint @ 0x7... - If I want to break in a specific ntdll.dll or kernel32.dll function, in Windows XP I do not have to adjust my breakpoints between reboots. With ASLR kicking in (the scope of this question) I would have to change the Data Breakpoints between reboots.)

Martin Ba
  • Debug + Windows + Modules, Address column. Reboot a few times, let us know what you find out. – Hans Passant Jun 18 '11 at 15:32
  • @Hans: This was just something that piqued my interest. Unfortunately the only Win7 Dev boxes available to me, personally, atm. are 2008R2 servers and I'm not going to reboot our CI servers just to try that out ;-) – Martin Ba Jun 18 '11 at 17:51
  • +1 because I wanted to ask the same question. I experimented a bit on Windows 7 64-bit and after reading the answers and comments, I've reached the conclusion that the base of system DLLs is relocated per reboot. The base of other, non-system DLLs inside my executable, which are not linked with `/DYNAMICBASE`, are not relocated. – Benny Mar 20 '14 at 07:46
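An added example, not part of the question or either answer: a small parser for the PE header fields the quoted article is talking about, namely the preferred ImageBase and the DllCharacteristics bit that the /DYNAMICBASE linker option sets (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), plus the article's "every loaded component must opt in" rule applied over a set of images. It goes one step beyond the article by also checking IMAGE_FILE_RELOCS_STRIPPED, since an image whose relocation data was stripped cannot be moved by the loader at all. The images it runs on are constructed header-only stubs, and all function names are my own.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: .reloc removed, loader cannot move the image
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics bit set by /DYNAMICBASE


def aslr_info(image: bytes) -> dict:
    """Read the PE headers and report the fields that decide whether the image can be rebased."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew points at "PE\0\0"
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24                          # IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]   # same offset in PE32 and PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {"image_base": image_base, "dynamic_base": dynamic_base,
            "relocs_stripped": relocs_stripped,
            # opting in is useless if the relocation data needed to move the image is gone
            "aslr_eligible": dynamic_base and not relocs_stripped}


def process_fully_randomized(images) -> bool:
    """The article's rule: every image the process loads must opt in, or the process as a whole does not."""
    return all(aslr_info(img)["aslr_eligible"] for img in images)


def make_test_image(image_base, dynamic_base=True, relocs_stripped=False, pe32plus=False) -> bytes:
    """Constructed header-only PE image for offline testing; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    flags = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)  # IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0xF0, flags)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Point `aslr_info` at the bytes of a real file (for instance `open(r"C:\Windows\System32\kernel32.dll", "rb").read()`) to see whether a given module opted in; what base it actually received at runtime is a separate question that only the loader (Debug + Windows + Modules, as suggested above) can answer.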

2 Answers


Technically whether the system DLLs get relocated or not, it shouldn't matter, as the linker will bind to symbols, not addresses. These symbols are resolved by the runtime loader into addresses for the instanced system DLLs, thus your binary should be none the wiser. From what I've seen however, Windows 7 will reset the base randomization every reboot, including system DLLs (note: this is from debugging WOW64 apps on Windows Server 2008 R2). You can also do a system-wide disabling of ASLR via some registry edits, but that's not really relevant...

Update:

The section on ASLR in this article explains what gets relocated and when. It doesn't mention if the base will reset every reboot, but for system DLLs, it's never going to be guaranteed to load at the same address twice, reboot or no reboot. The important thing is, according to the article, everything needs to opt in to ASLR for system DLLs to be relocated.

Necrolis
  • "windows 7 will reset the base randomization every reboot" ... what do you mean with "reset", exactly? – Martin Ba Jun 21 '11 at 07:12
  • @martin: if something has a preferred base address, it'll load there for the first instance, then it will be relocated, however after rebooting it'll load at the preferred base for the first load again etc. – Necrolis Jun 21 '11 at 10:59
  • @Necrolis : I thought with ASLR on Windows, each system DLL will always load on the same address for all processes, but this address would change between reboots for the system DLLs ... ?? – Martin Ba Jun 21 '11 at 11:11
  • @martin: according to MS, if ASLR applies to the process, the base is randomized for all DLLs, including system DLLs. From my experience, the first-time load of a DLL occurs at its preferred address even if ASLR is in effect (this might not apply to system DLLs). – Necrolis Jun 21 '11 at 14:53
  • @Necrolis: Regarding your update: The article you link to is the article I cite in my question. And it is exactly *not* clear to me how the statements in this article relate to System DLLs in non-aware processes. I do not deduce your view "everything needs to opt-in to ASLR for system dll's to be relocated" from this article. Have you done any experiments on Win7? – Martin Ba Jun 22 '11 at 15:11
  • @martin: the article clearly states: `For a component to support ASLR, all components that it loads must also support ASLR`, thus if 1 thing in a process is not enabled for ASLR, nothing will have ASLR applied (I checked this on my server 2008 R2 machine) – Necrolis Jun 22 '11 at 15:34
  • A late-ish reply: S.O. helpfully links in [can we rebase kernel32.dll](http://stackoverflow.com/q/6732680/321013) that links to [this blog post](http://www.nynaeve.net/?p=198). >>>> If the base address for kernel32.dll must be the same for *all* processes and ASLR for kernel32.dll is enabled and working for *some* processes, then the base address effectively is randomized (per reboot) for *all* processes. How did you test? – Martin Ba Aug 19 '11 at 11:18
  • @Martin: I tested using OllyDbg and a process that had ASLR disabled (confirmed with Process Explorer), started the app up a few times, no relocations of any of the DLLs, rebooted, repeated the check, rebooted again, did the checks a 3rd time (this is on Windows Server 2008 R2 SP1). I am checking a WOW64 process however. – Necrolis Aug 19 '11 at 13:53

Your program will resolve calls into system DLLs wherever they happen to be loaded. But, unless your executable is linked with /DYNAMICBASE, it will not be given a randomized base address. In other words, your exe will always load at the same base address.

If you want your exe to load at a randomized address, then you have to link it with /DYNAMICBASE, and every DLL that it references must also have been linked with /DYNAMICBASE. The system DLLs (starting in Vista) are all linked with /DYNAMICBASE.

Adrian McCarthy
  • "wherever they happen to be loaded" ... so that means their addresses *will* vary between reboots on Win7? – Martin Ba Jun 20 '11 at 10:17
  • Yes, I believe the system DLLs on Vista and Windows 7 will be loaded at randomized addresses regardless of whether your application or its DLLs support ASLR. – Adrian McCarthy Jun 23 '11 at 20:07
  • Thanks for your update. Somehow it seems your answer/comment and the answer/comment of @Necrolis are at odds :-) – Martin Ba Jun 24 '11 at 06:29
  • Actually, with the Update I see in his answer right now, I think we're in agreement. System DLLs will be loaded at randomized addresses. Your stuff won't be, unless you enable it. – Adrian McCarthy Jun 24 '11 at 17:11
  • hmmm ... Necrolis wrote: "but for system dlls, its never going to be guaranteed to load at the same address twice" vs. "but for system dlls, its never going to be guaranteed to load at the same address twice" ... I'm sure confused by now :-) – Martin Ba Jun 24 '11 at 18:56