Pointer stability under Windows Vista


Problem description

I have been using Visual Studio 2005 under Windows XP Pro 64-bit for C and C++ projects for a while. One of the popular tricks I have been using from time to time in the debugger was to remember a numeric pointer value from the previous debugging run of the program (say 0x00000000FFAB8938), add it to the watch window with a proper typecast (say, ((MyObject *) 0x00000000FFAB8938)->data_field) and then watch the memory occupied by the object during the next debugging run. In many cases this is quite a convenient and useful thing to do, since as long as the code remains unchanged, it is reasonable to expect that the allocated memory layout will remain unchanged as well. In short, it works.

However, relatively recently I started using the same version of Visual Studio on a laptop with Windows Vista (Home Premium) 64-bit. Strangely enough, it is much more difficult to use this trick in that setup. The actual memory address seems to change rather often from run to run for no apparent reason, i.e. even when the code of the program was not changed at all. It appears that the actual address is not changing entirely randomly; it just selects one value from a fixed, more-or-less stable set of values, but in any case it makes it much more difficult to do this type of memory watching.

Does anyone know the reason for this behavior in Windows Vista? What is causing the change in memory layout? Is that some external intrusion into the process address space from other [system] processes? Or is it some quirk/feature of the Heap API implementation under Vista? Is there any way to prevent this from happening?

Solution

Windows Vista implements address space layout randomization, heap randomization, and stack randomization. This is a security mechanism, trying to prevent buffer overflow attacks that rely on the knowledge of where each piece of code and data is in memory.

It's possible to turn off ASLR by setting the MoveImages registry value. I couldn't find a way to disable heap randomization, but some Microsoft guy recommends computing addresses relative to _crtheap. Even if the heap moves around, the relative address may remain stable.
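An added example (not part of the question or the answer) showing what "computing addresses relative to a heap anchor" looks like in a debugging session: the absolute address of an object moves between runs under heap randomization, while its distance to an anchor allocated in the same order is what the relative watch expression uses. The MyObject layout, the allocation order and the first malloc standing in for the CRT heap base (_crtheap on Windows) are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical object type playing the role of MyObject in the question. */
typedef struct {
    int data_field;
    char payload[28];
} MyObject;

/* Distance from an anchor pointer to an object in the same heap. The
   absolute address of obj changes between runs when the heap moves; the
   distance to an anchor allocated in the same order is what is watched. */
ptrdiff_t heap_offset(const void *anchor, const void *obj)
{
    return (const char *)obj - (const char *)anchor;
}

/* Rebuild the object pointer for the current run from this run's anchor
   plus an offset recorded in an earlier run, i.e. the relative form of
   the ((MyObject *) 0x...)->data_field watch expression. */
MyObject *resolve(void *anchor, ptrdiff_t offset)
{
    return (MyObject *)((char *)anchor + offset);
}

/* Allocation sequence of one debugging session (constructed). The first
   block stands in for the CRT heap base; the third is the object under
   study. Returns its offset from the anchor and hands back both pointers. */
ptrdiff_t session(void **anchor_out, MyObject **watched_out)
{
    void *anchor = malloc(64);
    MyObject *first = malloc(sizeof *first);
    MyObject *watched = malloc(sizeof *watched);
    if (!anchor || !first || !watched) abort();
    first->data_field = 1;
    watched->data_field = 42;
    *anchor_out = anchor;
    *watched_out = watched;
    return heap_offset(anchor, watched);
}

/* Self-check: the offset recorded for a session rebuilds the same pointer. */
int relative_watch_roundtrip(void)
{
    void *anchor; MyObject *obj;
    ptrdiff_t off = session(&anchor, &obj);
    return resolve(anchor, off) == obj && resolve(anchor, off)->data_field == 42;
}

int main(void)
{
    void *anchor; MyObject *obj;
    ptrdiff_t off = session(&anchor, &obj);
    printf("absolute: %p (varies between runs when the heap moves)\n", (void *)obj);
    printf("relative watch: ((MyObject *)((char *)anchor + %td))->data_field = %d\n",
           off, resolve(anchor, off)->data_field);
    return 0;
}
```

Run the program twice: the absolute address printed on the first line may differ, while the offset on the second line stays the same as long as the allocation sequence does.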

