ASLR and Windows System DLLs for non-aware executables?


Question

Microsoft article:

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.

I don't quite get it. Take the base system DLLs loaded by every process on Windows: NtDll.dll and kernel32.dll.

If I have a non-aware executable, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for this executable, or will they always load at the same base address after a system reboot like they do on Win XP?

To make it more clear what I mean: My typical dummy program's startup stack will look like this:

    write_cons.exe!wmain()  Line 8  C++
    write_cons.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes   C
    write_cons.exe!wmainCRTStartup()  Line 403  C
>   kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes    

Looking at the asm of BaseProcessStart, I see on my XP box here:

    _BaseProcessStart@4:
    7C817054  push        0Ch  
    7C817056  push        7C817080h 
    7C81705B  call        __SEH_prolog (7C8024D6h) 
    7C817060  and         dword ptr [ebp-4],0 
    ...

Now what I'm interested in is:

On Windows XP, the address will always be 0x7C817054, regardless of how many times I reboot this machine. If I were on Win7 with ASLR, will this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: For me, atm., there is only one minor use-case this address would be useful for: In Visual Studio, I can only set a "Data Breakpoint" for assembly level functions, that is a breakpoint @ 0x7... - If I want to break in a specific ntdll.dll or kernel32.dll function, in Windows XP I do not have to adjust my breakpoints between reboots. With ASLR kicking in (the scope of this question) I would have to change the Data Breakpoints between reboots.)

Accepted answer

Technically, whether the system dlls get relocated or not, it shouldn't matter, as the linker will bind to symbols, not addresses. These symbols are resolved by the runtime loader into addresses for the instanced system dlls, thus your binary should be none the wiser. From what I've seen, however, Windows 7 will reset the base randomization every reboot, including system dlls (note: this is from debugging WOW64 apps on Windows Server 2008 R2). You can also do a system-wide disabling of ASLR via some registry edits, but that's not really relevant...

Update:

The section on ASLR in this article explains what gets relocated and when. It doesn't mention if the base will reset every reboot, but for system dlls, it's never going to be guaranteed to load at the same address twice, reboot or no reboot. The important thing is, according to the article, everything needs to opt in to ASLR for system dlls to be relocated.
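Since the opt-in the answer refers to is the /DYNAMICBASE linker option, which sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the PE optional header's DllCharacteristics field, a quick way to audit whether an EXE or DLL has opted in is to read that bit. The checker below is an added example, not code from the question or answer; the `make_test_image` helper builds a constructed, non-loadable PE header purely so the parser can be exercised offline.

```python
import struct

# Bit set by the /DYNAMICBASE linker option in OptionalHeader.DllCharacteristics
# (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE).
DYNAMIC_BASE = 0x0040
# DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
DLLCHAR_OFFSET = 70


def dynamic_base_enabled(image: bytes) -> bool:
    """Return True if the PE image bytes were linked with /DYNAMICBASE (ASLR opt-in)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the signature; SizeOfOptionalHeader is at +16.
    opt_size = struct.unpack_from("<H", image, pe_off + 4 + 16)[0]
    opt_off = pe_off + 24
    if opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt_off + DLLCHAR_OFFSET)[0]
    return bool(dll_chars & DYNAMIC_BASE)


def make_test_image(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not loadable) used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    # COFF header: i386, 0 sections, no symbols, 96-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                                    # e.g. python aslr_check.py app.exe
        with open(path, "rb") as f:
            state = "opted in" if dynamic_base_enabled(f.read()) else "NOT opted in"
        print(f"{path}: /DYNAMICBASE {state}")
```

Run it over an application's EXE and every DLL it ships; per the article, a single module without the bit is enough to lose randomization for the whole process.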
