<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Vista ASLR is not on by default for image base addresses</title>
	<atom:link href="http://www.nynaeve.net/index.php?feed=rss2&#038;p=100" rel="self" type="application/rss+xml" />
	<link>http://www.nynaeve.net/?p=100</link>
	<description>Adventures in Windows debugging and reverse engineering.</description>
	<lastBuildDate>Tue, 24 Aug 2010 12:05:39 -0500</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: nova</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-24712</link>
		<dc:creator>nova</dc:creator>
		<pubDate>Fri, 04 Apr 2008 23:29:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-24712</guid>
		<description>@amit: one way is to use the ASLRdynamicbase.py script with Immunity Debugger

the script can be found here (you&#039;ll need to make an account though)
http://www.openrce.org/repositories/browse/Faithless</description>
		<content:encoded><![CDATA[<p>@amit: one way is to use the ASLRdynamicbase.py script with Immunity Debugger</p>
<p>the script can be found here (you&#8217;ll need to make an account though)<br />
<a href="http://www.openrce.org/repositories/browse/Faithless" rel="nofollow">http://www.openrce.org/repositories/browse/Faithless</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Amit</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-23459</link>
		<dc:creator>Amit</dc:creator>
		<pubDate>Fri, 22 Feb 2008 07:57:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-23459</guid>
		<description>How can I detect whether a given assembly has the PE header &quot;DLL flags&quot; set to 0x0040?</description>
		<content:encoded><![CDATA[<p>How can I detect whether a given assembly has the PE header &#8220;DLL flags&#8221; set to 0x0040?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mike</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1330</link>
		<dc:creator>Mike</dc:creator>
		<pubDate>Thu, 11 Jan 2007 05:31:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1330</guid>
		<description>OK. I fully understand it. Thanks a lot.
I asked those questions because I wonder if the following method is possible after ASLR.
http://www.codeproject.com/useritems/selfdel.asp
It seems it can still work on IA32.
Thanks again.</description>
		<content:encoded><![CDATA[<p>OK. I fully understand it. Thanks a lot.<br />
I asked those questions because I wonder if the following method is possible after ASLR.<br />
<a href="http://www.codeproject.com/useritems/selfdel.asp" rel="nofollow">http://www.codeproject.com/useritems/selfdel.asp</a><br />
It seems it can still work on IA32.<br />
Thanks again.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Skywing</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1327</link>
		<dc:creator>Skywing</dc:creator>
		<pubDate>Thu, 11 Jan 2007 04:38:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1327</guid>
		<description>1. There is one randomization for a particular DLL per lifetime of the section object (typically, per boot).  All processes will use the same randomization set if they load that DLL, which means it&#039;ll try to put it at the same base address.  Relocations for ASLR are performed only for physical pages being in-paged, so ASLR-relocated pages are typically shared between processes unless written to.
2. Sure, that&#039;s possible.  Vista&#039;s ASLR is only really designed to protect against remote attacks where it is not easy to determine the memory layout - against local attacks, where an attacker could load a DLL to find its randomization address, it&#039;s not particularly effective (nor is it really designed to be in this case).</description>
		<content:encoded><![CDATA[<p>1. There is one randomization for a particular DLL per lifetime of the section object (typically, per boot).  All processes will use the same randomization set if they load that DLL, which means it&#8217;ll try to put it at the same base address.  Relocations for ASLR are performed only for physical pages being in-paged, so ASLR-relocated pages are typically shared between processes unless written to.<br />
2. Sure, that&#8217;s possible.  Vista&#8217;s ASLR is only really designed to protect against remote attacks where it is not easy to determine the memory layout &#8211; against local attacks, where an attacker could load a DLL to find its randomization address, it&#8217;s not particularly effective (nor is it really designed to be in this case).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mike</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1326</link>
		<dc:creator>Mike</dc:creator>
		<pubDate>Thu, 11 Jan 2007 02:38:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1326</guid>
		<description>Thanks for your reply! You are so nice. I still have some confused ideas:
1. As I understand it, DLLs like kernel32.dll can have one copy of the image in memory because it is most likely mapped to the same address in the processes which use it. So relocation will probably never happen. If relocation happens in one process, we will get a new copy of the DLL (code changed) in memory, and relocation takes time. So after using ASLR, whenever and wherever relocation happens, the code is changed. Do you think it will take time and space to do that?
2. For example, I build a Trojan with this switch. A victim gets it. After a reboot, my Trojan gets to run. It wants to inject shellcode into explore.exe. The shellcode has to make some system calls, using functions in kernel32.dll for instance. Because the image base address changes only after a reboot, the Trojan can get the function address from its own process and fix the function pointer in the shellcode. Then the bad thing will happen. God bless the victim. :) Do you think it will happen?</description>
		<content:encoded><![CDATA[<p>Thanks for your reply! You are so nice. I still have some confused ideas:<br />
1. As I understand it, DLLs like kernel32.dll can have one copy of the image in memory because it is most likely mapped to the same address in the processes which use it. So relocation will probably never happen. If relocation happens in one process, we will get a new copy of the DLL (code changed) in memory, and relocation takes time. So after using ASLR, whenever and wherever relocation happens, the code is changed. Do you think it will take time and space to do that?<br />
2. For example, I build a Trojan with this switch. A victim gets it. After a reboot, my Trojan gets to run. It wants to inject shellcode into explore.exe. The shellcode has to make some system calls, using functions in kernel32.dll for instance. Because the image base address changes only after a reboot, the Trojan can get the function address from its own process and fix the function pointer in the shellcode. Then the bad thing will happen. God bless the victim. :) Do you think it will happen?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Skywing</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1313</link>
		<dc:creator>Skywing</dc:creator>
		<pubDate>Wed, 10 Jan 2007 16:33:48 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1313</guid>
		<description>1. Negligible performance impact.  This is due to some clever tricks done on Microsoft&#039;s part, and the fact that there is only ever one randomized instance of an image in-play on any given system at a time.  Specifically, Vista ASLR takes care of the relocation problem by moving relocations from the user mode loader and into the memory manager.  Vista now performs relocations on the fly as pages are in-paged from disk instead of doing them all up front.  Relocations can be discarded if memory pressure forces otherwise un-modified pages to be removed, and then seamlessly reapplied during the in-paging process.  This mechanism requires no additional storage to contain the relocated versions of images, and thus minimizes the negative performance impact of ASLR.

2. This is only likely to occur for images which were either built without relocations or built without /dynamicbase.  Note that there are only 256 possibilities, so with enough reboots it is probable that you&#039;ll eventually see a duplicate.</description>
		<content:encoded><![CDATA[<p>1. Negligible performance impact.  This is due to some clever tricks done on Microsoft&#8217;s part, and the fact that there is only ever one randomized instance of an image in-play on any given system at a time.  Specifically, Vista ASLR takes care of the relocation problem by moving relocations from the user mode loader and into the memory manager.  Vista now performs relocations on the fly as pages are in-paged from disk instead of doing them all up front.  Relocations can be discarded if memory pressure forces otherwise un-modified pages to be removed, and then seamlessly reapplied during the in-paging process.  This mechanism requires no additional storage to contain the relocated versions of images, and thus minimizes the negative performance impact of ASLR.</p>
<p>2. This is only likely to occur for images which were either built without relocations or built without /dynamicbase.  Note that there are only 256 possibilities, so with enough reboots it is probable that you&#8217;ll eventually see a duplicate.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mike</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1303</link>
		<dc:creator>Mike</dc:creator>
		<pubDate>Wed, 10 Jan 2007 10:01:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1303</guid>
		<description>Hi, I have lots of questions about ASLR:
1. The original Windows DLLs from MS have been carefully built at different addresses to avoid runtime relocation. After ASLR, is there a big impact on performance? Do all these DLLs need to be relocated?
2. After a reboot, does any process have the same address for some functions from other DLLs (such as ExitProcess)? It happened on WinXP. So if I can run a process on the target machine, I can still inject some shellcode into another process like explore.exe, and the shellcode can call a kernel function whose address comes from the former process. Is it true?
Thanks.</description>
		<content:encoded><![CDATA[<p>Hi, I have lots of questions about ASLR:<br />
1. The original Windows DLLs from MS have been carefully built at different addresses to avoid runtime relocation. After ASLR, is there a big impact on performance? Do all these DLLs need to be relocated?<br />
2. After a reboot, does any process have the same address for some functions from other DLLs (such as ExitProcess)? It happened on WinXP. So if I can run a process on the target machine, I can still inject some shellcode into another process like explore.exe, and the shellcode can call a kernel function whose address comes from the former process. Is it true?<br />
Thanks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Maxim Masiutin</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1217</link>
		<dc:creator>Maxim Masiutin</dc:creator>
		<pubDate>Fri, 05 Jan 2007 15:12:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1217</guid>
		<description>Thank you very much, Skywing!

BTW, your blog is very interesting.</description>
		<content:encoded><![CDATA[<p>Thank you very much, Skywing!</p>
<p>BTW, your blog is very interesting.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Skywing</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1169</link>
		<dc:creator>Skywing</dc:creator>
		<pubDate>Wed, 03 Jan 2007 18:45:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1169</guid>
		<description>The value returned by GetProcAddress can be thought of as a 32-bit RVA from the image base of the associated module.  So unless the module base has changed since the last time you recalled it (in the most common case, after a reboot), then you&#039;ll get the same address back for a particular exported symbol.</description>
		<content:encoded><![CDATA[<p>The value returned by GetProcAddress can be thought of as a 32-bit RVA from the image base of the associated module.  So unless the module base has changed since the last time you recalled it (in the most common case, after a reboot), then you&#8217;ll get the same address back for a particular exported symbol.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Maxim Masiutin</title>
		<link>http://www.nynaeve.net/?p=100&#038;cpage=1#comment-1154</link>
		<dc:creator>Maxim Masiutin</dc:creator>
		<pubDate>Tue, 02 Jan 2007 21:50:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.nynaeve.net/?p=100#comment-1154</guid>
		<description>Thank you! Is it intended by Microsoft that ASLR doesn&#039;t affect the results of GetProcAddress? E.g. it always returns 0x7700D85E as the address of the ExitProcess() API function. Does it mean that I can simply jump to 0x7700D85E to get this API function called? What is the point of ASLR then?</description>
		<content:encoded><![CDATA[<p>Thank you! Is it intended by Microsoft that ASLR doesn&#8217;t affect the results of GetProcAddress? E.g. it always returns 0x7700D85E as the address of the ExitProcess() API function. Does it mean that I can simply jump to 0x7700D85E to get this API function called? What is the point of ASLR then?</p>
]]></content:encoded>
	</item>
</channel>
</rss>

