32

How do you disable ASLR on Windows 7 x64 so that my program will always load the shared CRT at the same address?

Andrew Diamond
user541686
  • Do you _need_ to do this, or does it just make something easier? – Mar 05 '12 at 02:55
  • @unclebrad: I really do *need* to do this. – user541686 Mar 05 '12 at 03:11
  • Note that this significantly degrades the security of the system and should be done only with the permission of the user. – Raymond Chen Mar 05 '12 at 03:34
  • @RaymondChen: Right, I *am* the user. (The only user, and the only administrator, in fact. :P) – user541686 Mar 05 '12 at 03:52
  • @Galaxas0: Haha... IMHO when you're an administrator, you **should** be able to do whatever you want, by definition. – user541686 Mar 07 '12 at 18:35
  • The shared CRT isn't your DLL, so you can't disable ASLR for it. You can only disable ASLR for EXEs and DLLs that you own (by disabling the DLL_IMAGE_RELOCATABLE flag in the PE header). The reason for this is that Windows Vista and above relocate some key Windows binaries during system boot so that they can share the relocated memory across processes - this includes stuff like ntdll, kernel32, gdi32, user32, wininet and, sadly for you, mscrt. – SecurityMatt Mar 07 '12 at 23:21
  • @Mehrdad, this is true, this is true xD. SecurityMatt: You are INDEED allowed to disable CRT ASLR, as an administrator, as it's a registry key - in my answer below. – Aditya Vaidyam Mar 08 '12 at 00:01
  • @Galaxas0 - Ok, you're allowed to disable ASLR and DEP *system wide* (which is a horrific thing to do - you're literally putting the whole system at risk) but you are not allowed to disable it just in your process. – SecurityMatt Mar 08 '12 at 00:08
  • ^ This is true, and that's also what I was trying to say to Mehrdad, but I guess he really, really, really needed it. – Aditya Vaidyam Mar 08 '12 at 00:24
  • Hmm, of course, the day after I answer this question: http://9to5google.com/2012/03/07/vupen-conquers-chrome-at-pwn2own-security-conference-google-must-pay-cash-reward-for-french-teams-hack/ Suspicious much? :D – Aditya Vaidyam Mar 08 '12 at 04:27
  • @Galaxas0: Lollllll indeed it is O_O – user541686 Mar 08 '12 at 05:02
  • Yes, indeed. Well, this is what happens when you disable ASLR, so be cautious! – Aditya Vaidyam Mar 08 '12 at 07:03
  • Don't disable ASLR! Kittehs die every time someone disables ASLR... Come on, maybe @Mehrdad just needs to test an exploit technique under a VM. – JSmyth Jul 24 '15 at 23:40
  • @SecurityMatt Can you please check this question? It seems you are an expert regarding this: https://stackoverflow.com/questions/72569189/i-dont-have-the-linker-option-in-visual-studio-2013-how-to-enable-it – Prageeth Liyanage Jun 10 '22 at 05:08
  • @PrageethLiyanage: I don't know if this is possible with C#, but if it is, you need to use the EditBin tool as someone already told you. You should give that a try and ask about it if you get stuck. – user541686 Jun 11 '22 at 03:15

4 Answers

32

Previously you had to opt in to allowing the linker to use ASLR. Now, you have to opt out:

/DYNAMICBASE[:NO]

(Visual Studio 2012: Configuration Properties -> Linker -> Advanced -> "Randomized Base Address")

You can also do it programmatically.

RJFalconer
Mr. S
21

The Enhanced Mitigation Experience Toolkit (EMET), downloadable from Microsoft, allows enabling/disabling ASLR on a system-wide or per-process basis.

OzgurH
josh
  • For anyone wondering if EMET would install on Win 10: no, the install fails. – shekh Jul 29 '21 at 09:34
  • EMET has been end-of-lifed, but you can achieve the same using the Windows Defender exploit protection module. Windows Security > App & browser control > Exploit protection, set "Randomise memory allocations" to "Off by default" either system-wide or per-program. Only for Windows 10+ though, so I'm not writing it as an answer since OP asked for Win7. – Annonymus Jul 26 '22 at 13:33
17

A registry setting is available to forcibly enable or disable ASLR for all executables and libraries and is found at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages.

T.Todua
Aditya Vaidyam
  • Don't change global system settings to make *your* program work – Ana Betts Mar 05 '12 at 03:37
  • +1 I'll try this out. It seems to be what I need, since changing it on a per-program basis won't affect how the (shared) CRT is loaded. – user541686 Mar 05 '12 at 03:53
  • ^ This. But you should remember that if this is a distributed application, you should not do this, and if it's an ABSOLUTE MUST, prompt the user before programmatically doing it. – Aditya Vaidyam Mar 05 '12 at 04:12
  • The CRT is mapped for every process independently - even though the CRT might be *loaded* only once (i.e. it only occupies a single place in physical memory), its *virtual address* will be different for every process. – Ana Betts Mar 05 '12 at 06:36
  • @Galaxas0: Don't worry, it's only for myself, since I need to disable it to test something. And thanks, it looks like it works well! – user541686 Mar 05 '12 at 09:15
  • This setting disables ASLR for the entire system, which massively reduces your protection against remote exploit attacks. – SecurityMatt Mar 07 '12 at 23:21
  • @Paul Betts: Not true. ASLR is per-session, not per-process. Kernel32 is loaded at the same address in all of my processes, but probably at a different address to all of your processes (and your processes will all be the same as well). – SecurityMatt Mar 07 '12 at 23:22
  • You're right, but only because Kernel32 and ntdll are "magical". Other DLLs will be at random locations. – Ana Betts Mar 07 '12 at 23:28
  • @Paul Betts: Kernel32 and ntdll are certainly magical, but the same is also true of other DLLs. If someone loads a DLL in process A and then someone opens it again in process B they'll get the same address (this allows the kernel to have both processes backed by the same pages to save RAM). Consequently if you have Sophos installed, for instance, it will have its DLLs in every process at the same address. The difference with normal DLLs is that it is possible for them to all become unloaded when everyone gets bored of them, at which point the next load will have a new address. – SecurityMatt Mar 08 '12 at 00:15
  • Also, in the event that process B has something in the way of where process A loaded the DLL, then process B is forced to relocate it. This is not true of the magical system DLLs, which never relocate except at boot. – SecurityMatt Mar 08 '12 at 00:17
  • SecurityMatt, you're kind of blowing my mind here. Upvotes for you! – Ana Betts Mar 08 '12 at 05:44
  • Well his name IS SecurityMatt. Security must be his forte. :D – Aditya Vaidyam Mar 08 '12 at 07:04
  • This didn't work for me (Windows 7 Professional 64bit, SP1). Note, however, that that registry key didn't exist, so I created it (as a DWORD = 0) and rebooted. (Side note: As a developer it can sometimes be useful to disable ASLR when debugging and investigating issues). – redcalx Jul 10 '15 at 09:55
  • Update. Sysinternals VMMap shows loaded assemblies in .NET with 'ASLR' against them; however, IE now errors when I try to run it, so I suspect I have partially disabled ASLR with this reg key (since IE failing seems to be one of the symptoms of disabling ASLR). – redcalx Jul 10 '15 at 10:05
  • Update. So it looks like the reg key does disable ASLR and that VMMap is merely indicating if an assembly has been marked as supporting/allowing ASLR. The EMET UI also has an option to disable ASLR, and this appears to be a UI over the same reg key (when I used EMET to disable ASLR it recreated the key and set it to zero). – redcalx Jul 10 '15 at 10:31
-1

Method 1 (by disabling it globally)

(as noted in a comment above, that might not be desirable for your system, and maybe you can restore it after your small task is done)

from cmd/Batch you can try adding these two values:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v MitigationOptions /t REG_BINARY /d "00000000000000000000000000000000" /f

Method 2 - disabling for just a specific app

from powershell:

Get-Item -Path "C:\Program Files\Git\usr\bin\*.exe" | %{ Set-ProcessMitigation -Name $_.Name -Disable ForceRelocateImages }

or with the help of an experimental app (also from PowerShell):

cd $env:TEMP
Invoke-WebRequest http://www.didierstevens.com/files/software/setdllcharacteristics_v0_0_0_1.zip -OutFile sdc.zip
Expand-Archive -Path sdc.zip -DestinationPath ./
./setdllcharacteristics.exe -d "C:\path\to\your\app.exe"
T.Todua
  • Isn't there already an answer saying the same thing? Did you ChatGPT this? https://stackoverflow.com/a/9561263/541686 – user541686 May 20 '23 at 18:04
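An audit helper added here (not code from any of the answers or from the tools they mention): it parses the DllCharacteristics field of a PE image so you can check whether a binary was linked with /DYNAMICBASE (the bit that /DYNAMICBASE:NO or setdllcharacteristics -d clears) and, for 64-bit images, whether high-entropy ASLR is also enabled. The make_stub_pe helper builds a constructed, non-loadable header purely for demonstration; the flag values are the real winnt.h constants.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h
DYNAMIC_BASE = 0x0040     # relocatable image: ASLR opted in (/DYNAMICBASE)
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (/HIGHENTROPYVA)
NX_COMPAT = 0x0100        # DEP opted in (/NXCOMPAT)


def read_dll_characteristics(data: bytes) -> tuple:
    """Return (pe_kind, DllCharacteristics) parsed from raw PE bytes.

    DllCharacteristics sits at offset 70 of the optional header for both
    PE32 (magic 0x10b) and PE32+ (magic 0x20b), so nothing else is parsed.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if kind is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return kind, struct.unpack_from("<H", data, opt + 70)[0]


def aslr_status(data: bytes) -> dict:
    """Summarise the ASLR/DEP opt-in flags of one image."""
    kind, dc = read_dll_characteristics(data)
    return {
        "kind": kind,
        "dynamic_base": bool(dc & DYNAMIC_BASE),
        # HIGH_ENTROPY_VA is only meaningful for 64-bit (PE32+) images
        "high_entropy_va": kind == "PE32+" and bool(dc & HIGH_ENTROPY_VA),
        "nx_compat": bool(dc & NX_COMPAT),
    }


def make_stub_pe(magic: int, dll_characteristics: int) -> bytes:
    """Constructed minimal header for demonstration; not a loadable image."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    hdr += b"PE\0\0" + bytes(20)                      # signature + zeroed COFF header
    opt = bytearray(112 if magic == 0x20B else 96)    # PE32+ vs PE32 optional header size
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(hdr + opt)
```

For a real binary pass open(path, "rb").read() to aslr_status(); note that the system-wide MoveImages registry override discussed above is not visible in any image header, so a "dynamic_base: True" result only means the image is eligible for ASLR, not that the system applies it.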