ASLR and Windows system DLLs for non-aware executables?

Posted 2024-11-15 23:14:53, 1597 characters, 6 views, 0 comments


From a Microsoft article:

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

I don't quite get it. Take the base system DLLs loaded by every process on Windows: NtDll.dll and kernel32.dll.

If I have a non-aware executable, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for this executable, or will they always load at the same base address after a system reboot like they do on Win XP?

To make it more clear what I mean: My typical dummy program's startup stack will look like this:

    write_cons.exe!wmain()  Line 8  C++
    write_cons.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes   C
    write_cons.exe!wmainCRTStartup()  Line 403  C
>   kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes    

Looking at the asm of BaseProcessStart, I see on my XP box here:

    _BaseProcessStart@4:
    7C817054  push        0Ch  
    7C817056  push        7C817080h 
    7C81705B  call        __SEH_prolog (7C8024D6h) 
    7C817060  and         dword ptr [ebp-4],0 
    ...

Now what interests me is the following:

On Windows XP, the address will always be 0x7C817054, regardless of how many times I reboot this machine. If I were on Win7 with ASLR, will this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: For me, atm., there is only one minor use-case this address would be useful for: In Visual Studio, I can only set a "Data Breakpoint" for assembly level functions, that is a breakpoint @ 0x7... - If I want to break in a specific ntdll.dll or kernel32.dll function, in Windows XP I do not have to adjust my breakpoints between reboots. With ASLR kicking in (the scope of this question) I would have to change the Data Breakpoints between reboots.)


Comments (2)

一江春梦 2024-11-22 23:14:53


Technically, whether the system dlls get relocated or not shouldn't matter, as the linker will bind to symbols, not addresses. These symbols are resolved by the runtime loader into addresses for the instanced system dlls, thus your binary should be none the wiser. From what I've seen however, Windows 7 will reset the base randomization every reboot, including system dlls (note: this is from debugging WOW64 apps on Windows Server 2008 R2). You can also do a system-wide disabling of ASLR via some registry edits, but that's not really relevant...

Update:

The section on ASLR in this article explains what gets relocated and when.
It doesn't mention if the base will reset every reboot, but for system dlls, it's never going to be guaranteed to load at the same address twice, reboot or no reboot.
The important thing is, according to the article, everything needs to opt in to ASLR for system DLLs to be relocated.

逆光飞翔i 2024-11-22 23:14:53


Your program will resolve calls into system DLLs wherever they happen to be loaded. But, unless your executable is linked with /DYNAMICBASE, it will not be given a randomized base address. In other words, your exe will always load at the same base address.

If you want your exe to load at a randomized address, then you have to link it with /DYNAMICBASE, and every DLL that it references must also have been linked with /DYNAMICBASE. The system DLLs (starting in Vista) are all linked with /DYNAMICBASE.
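Both answers turn on whether an image was linked with /DYNAMICBASE, which the linker records as the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the PE optional header's DllCharacteristics field. The following is an added example, not code from the question, the answers or Microsoft: a small header parser that reports that opt-in flag for any .exe or .dll, together with two caveats a reviewer would check at the same time, namely IMAGE_FILE_RELOCS_STRIPPED (an image without relocation data cannot be moved even if the flag is set) and IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (the later 64-bit /HIGHENTROPYVA opt-in, which is not part of the Windows 7 picture discussed above). Header offsets and flag values follow the PE/COFF specification; the function names, the `aslr_eligible` verdict and the two sample images are my own constructions.

```python
import struct

# PE header constants (values from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D                        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550                     # "PE\0\0"
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # no .reloc data: image cannot be moved
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA (64-bit, Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def aslr_status(image: bytes) -> dict:
    """Parse the PE headers of an image (file bytes are fine) and report its ASLR opt-in flags."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if len(image) < e_lfanew + 24 or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    if opt_size < 72 or len(image) < opt + opt_size:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # Hypothetical summary verdict: opting in only helps if the loader can actually
        # move the image; with relocations stripped it stays at its preferred ImageBase.
        "aslr_eligible": dynamic_base and not relocs_stripped,
    }


def build_min_pe(magic: int, file_chars: int, dll_chars: int) -> bytes:
    """Construct a minimal, header-only PE image for testing (not a runnable program)."""
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0   # standard sizes incl. 16 data directories
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header follows the DOS stub
    machine = 0x14C if magic == PE32_MAGIC else 0x8664   # IMAGE_FILE_MACHINE_I386 / _AMD64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)


# Constructed sample images: an XP-era 32-bit exe that never opted in, and a modern
# x64 build linked with /DYNAMICBASE (plus /HIGHENTROPYVA and /NXCOMPAT).
LEGACY_EXE = build_min_pe(PE32_MAGIC,
                          IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED, 0)
MODERN_EXE = build_min_pe(PE32PLUS_MAGIC, IMAGE_FILE_EXECUTABLE_IMAGE,
                          IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                          | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                          | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

if __name__ == "__main__":
    for name, img in (("legacy", LEGACY_EXE), ("modern", MODERN_EXE)):
        print(name, aslr_status(img))
```

Because only the headers are read, `aslr_status(open(path, "rb").read())` works on a real executable or DLL taken from disk; running it over the DLLs in System32 on a Vista-or-later machine is a quick way to confirm the second answer's statement that the system DLLs all carry the /DYNAMICBASE flag, while a legacy ISV binary typically shows `dynamic_base: False`.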
