How to disable address randomization (ASLR) from an ELF file?

Solved: The solution was calling personality(0x40000). See details below in the comments.

Where does the ASLR flag reside within an ELF file? I need to disable ASLR for a specific library (.so). I've tried using objdump but I couldn't find out how to do so.

I can't use /proc because it doesn't appear to work on my Android 4.4.4, so I'm trying to modify the binary.

Edit: I've compiled the following:

#include <stdio.h>

/* Returns the caller's return address minus the asker's chosen offset
 * (0x5), as a rough "where is this code mapped" probe.  Pointer
 * arithmetic on void* is a GCC extension, which this build relies on. */
void *getEIP(void)
{
    return __builtin_return_address(0) - 0x5;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    /* Run the binary several times: a changing address means the
     * executable's load address is being randomized. */
    printf("EIP located at: %p\n", getEIP());
    return 0;
}

without ASLR (PIE):

arm-linux-androideabi-gcc.exe code.c -o noPIE --sysroot=%NDK%\platforms\android-3\arch-arm

with ASLR (PIE):

arm-linux-androideabi-gcc.exe -fPIE -pie code.c -o withPIE --sysroot=%NDK%\platforms\android-3\arch-arm

The noPIE binary indeed isn't being randomized, even though:

# cat /proc/sys/kernel/randomize_va_space
2

I need to disable ASLR for a specific library (.so).

You can't (and the ASLR does not reside anywhere in the ELF file because it's not a property of the ELF, it's a property of the kernel).

What you can do is disable randomization for a given process. setarch -R is your friend.

I believe ASLR is happening in both cases. See also this.

But in the first case (noPIE binary), the executable itself has a fixed address; however all the calls to mmap(2) without MAP_FIXED are randomized, and this includes the loading of the shared libraries.

In the second case (PIE binary), even the executable itself is loaded at some random address by execve(2) (and also of course the shared libraries, which are later mmap-ed by ld-linux(8), mentioned as the "interpreter" inside your ELF files).

You could check by strace(1) -ing both executions.

ASLR is part of the kernel state. Changing it for mmap-ing a particular shared object does not make any sense, but, as Employed Russian answered, you could disable it with setarch -R for a process and its future child processes (perhaps your parent shell and all its children).
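Added example, not code from the question or either answer: it does by hand what setarch -R does, using the personality(2) flag the asker found (ADDR_NO_RANDOMIZE is 0x40000). The flag only affects images exec'd after it is set, so the program sets it and re-executes itself; running the result twice shows that the libc and stack addresses stop moving, and main() stops moving too when built as a PIE. Linux only; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/personality.h>

/* Pure helper: does a persona value carry the no-randomize bit? */
int persona_has_no_randomize(unsigned long persona)
{
    return (persona & ADDR_NO_RANDOMIZE) != 0;
}

/* Query the current persona without changing it (0xffffffff means "query"). */
int randomization_disabled(void)
{
    int persona = personality(0xffffffff);
    if (persona == -1) {
        perror("personality(query)");
        return 0;
    }
    return persona_has_no_randomize((unsigned long)persona);
}

/* Set ADDR_NO_RANDOMIZE and re-exec argv, so the new image and every
 * child it spawns map at non-randomized addresses.  This is per process
 * (like setarch -R); nothing is written into the ELF file. */
void reexec_without_randomization(char **argv)
{
    int persona = personality(0xffffffff);
    if (persona == -1 ||
        personality((unsigned long)persona | ADDR_NO_RANDOMIZE) == -1) {
        perror("personality(set)");
        exit(EXIT_FAILURE);
    }
    execvp(argv[0], argv);  /* only returns on failure */
    perror("execvp");
    exit(EXIT_FAILURE);
}

int main(int argc, char **argv)
{
    (void)argc;
    if (!randomization_disabled())
        reexec_without_randomization(argv);
    int stack_var = 0;
    /* With the flag set, all three addresses are identical on every run.
     * Without it, printf and the stack move even for a non-PIE binary. */
    printf("main   %p\nprintf %p\nstack  %p\n",
           (void *)main, (void *)printf, (void *)&stack_var);
    return 0;
}
```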
