Microsoft's ASLR is weird

I watched an ASLR'd DLL image's base address for a 32-bit process.
It's not a full randomization. It's just randomized with 1/2 probability.

For example, once I load a DLL, the image is loaded at 0x12345678.
And when I load the image again, the image is loaded at 0x23456789. (Base address is changed!)
But when I load the image again:
0x12345678
0x23456789
0x12345678
0x23456789
...

Why did they implement it like this?
Is it for crash reports' frequency? (For getting the same crash addresses of re-deployed DLLs)

This is by design. Normally, Windows selects a preferred base address for an ASLR DLL when the DLL is first loaded, and then it keeps using that address until the system is rebooted. That way the DLL will be mapped at the same address in every process that loads it, allowing code pages to be shared.

However, if a DLL has been unloaded from every process, the system may sometimes select a different base address the next time the DLL is loaded. It does this to reduce virtual address space fragmentation, not for security reasons. This is what seems to be happening in your case.

It's documented as being at one of 256 possible starting addresses.

But I didn't think it even applied to a process, but to shared DLLs.

ASLR is not on by default for process images. It's an opt-in thing, for compatibility. (3)

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

ASLR also randomizes heap and stack memory:

  • When an application creates a heap in Windows Vista and later, the heap manager will create that heap at a random location to help reduce the chance that an attempt to exploit a heap-based buffer overrun succeeds. Heap randomization is enabled by default for all applications running on Windows Vista and later.

  • When a thread starts in a process linked with /DYNAMICBASE, Windows Vista and later moves the thread's stack to a random location to help reduce the chance that a stack-based buffer overrun exploit will succeed.
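The /DYNAMICBASE opt-in quoted above is recorded in the PE headers, so it can be audited without loading the image. The following is an added example, not code from the question or any answer: it reads the COFF and optional headers and reports the preferred ImageBase, the DYNAMIC_BASE and HIGH_ENTROPY_VA flags, and whether relocations were stripped (an image the loader cannot rebase is mapped at its preferred base in every process). The sample PE header is constructed inline for the demonstration and is not a loadable binary.

```python
import struct
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF Characteristics flag
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics flags (PE/COFF spec)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def aslr_status(image: bytes) -> dict:
    """Report an image's preferred base and whether the loader may rebase it under ASLR."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                                           # optional header follows COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # same offset for PE32 and PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # Rebasing needs the opt-in AND intact relocations; otherwise every process maps it at image_base.
        "aslr_capable": dynamic_base and not relocs_stripped,
    }

def build_sample_pe(pe32plus: bool, image_base: int, dll_chars: int, characteristics: int) -> bytes:
    """Constructed minimal PE header (not a loadable binary) so the check can run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, 0xF0, characteristics)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To audit a real file, pass `open(path, "rb").read()` to `aslr_status`; the same header offsets apply to EXEs and DLLs.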

Had installed the new Win8 RC x64 yesterday.

Watch out!

Kernel32.dll (64-bit version) has a different base address in different processes (in a single session, of course). Only the ntdll.dll base address remains constant. I had to change the code; you can no longer rely on a permanent address for LoadLibrary.
