OD: aslr

Source: Internet
Author: User

ASLR (address space layout randomization) is a protection mechanism that hinders shellcode from locating its targets by loading programs without a fixed base address. It covers image randomization, stack randomization, and PEB/TEB randomization. ASLR needs support from both the program and the operating system, although program support is not strictly required.

ASLR was first introduced in the Windows XP era, but on XP it was limited to simple randomization of the PEB and TEB. Only with Windows Vista did ASLR become fully effective.

Programs that support ASLR set the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag in the PE header. VS 2005 SP1 added the /DYNAMICBASE linker option to support ASLR (Project -> Properties -> Configuration Properties -> Linker -> Advanced -> Randomized Base Address).
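As an added example (not from the original page), a small Python checker that reads the DllCharacteristics field of a PE header to tell whether an image opted into ASLR with /DYNAMICBASE. The sample header bytes are constructed inline for testing, and the relocation check is a defender's caveat that goes beyond the page's text: a flag alone is not enough if the image carries no relocation data.

```python
import struct

# Flag values from the PE format (winnt.h names).
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def aslr_status(data: bytes) -> dict:
    """Parse PE headers and report whether the image opts into ASLR.
    Raises ValueError on anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    if opt_size < 72:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader cannot move an image without relocations, so the flag alone is not enough.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_sample_pe(dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed minimal PE32 header (no sections) for testing; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, file_chars)  # i386, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for flags in (0, IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE):
        print(aslr_status(build_sample_pe(flags)))
```

To audit a real binary, pass the file's bytes to aslr_status in place of the constructed header.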


Image randomization

The virtual address of the program image is randomized. The address is chosen at system startup and changes after a reboot. Image randomization can be configured through the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages

    DWORD: 0        Disabled
    DWORD: -1       Force Enabled
    DWORD: other    Normal

Image randomization breaks hard-coded trampoline (jump) instruction addresses. However, only the high-order two bytes of the base address are randomized; the low two bytes of each module's entry point remain unchanged.


Stack randomization

With stack randomization, the stack base address is chosen anew each time the program is loaded.

Because techniques such as jmp esp and heap spraying do not depend on the stack address, stack randomization has only limited impact on overflow exploitation.


PEB, TEB randomization

Randomization of the PEB and TEB was introduced in XP SP2; before that they had fixed base addresses: PEB at 0x7ffdf000, TEB at 0x7ffde000. Reference code for obtaining the current PEB and TEB addresses (32-bit MSVC inline assembly) is as follows:

    #include "stdafx.h"
    #include <stdio.h>
    #include <tchar.h>

    int _tmain(int argc, _TCHAR* argv[])
    {
        unsigned int teb;
        unsigned int peb;
        __asm {
            mov eax, FS:[0x18]             // FS:[0x18] holds the TEB self-pointer
            mov teb, eax
            mov eax, dword ptr [eax+0x30]  // TEB+0x30 holds the pointer to the PEB
            mov peb, eax
        }
        printf("peb: %#x\nteb: %#x\n", peb, teb);
        getchar();
        return 0;
    }

PEB and TEB randomization is not very effective, and there are other ways to obtain these two addresses during overflow exploitation.
