Chapter 4/ System Briefing
If you create the MoveImages registry value and set it to zero, you can effectively disable ASLR. If you set this value to 0xFFFFFFFF, it enables ASLR regardless of the flags set in the DllCharacteristics field.
ASLR affects the offset in memory at which executable images, DLLs, stacks, and heaps begin. DLLs are a special case given that they're set up to reside at the same address for each process that uses them (so that the processes can leverage code sharing). When the memory manager loads the first DLL that uses ASLR, it loads it into memory at some random address (referred to as an "image-load bias") that's established when the machine boots up. The loader then works its way toward higher memory, assigning load addresses to the remaining ASLR-capable DLLs (see Figure 4.9).
Figure 4.9: User space of Process A, Process B, and Process C, each showing ASLR-DLL-1 through ASLR-DLL-4 stacked upward from the image bias, within the 0x00000000 to 0x7FFFFFFF range.
To see ASLR in action, crank up the Process Explorer tool from Sysinternals. Select the View menu and toggle the Show Lower Pane option. Then select the View menu again and open the Lower Pane View submenu. Select the DLLs option. This will display all of the DLLs being used by the executable selected in the tool's top pane. In this example, I selected the Explorer.exe image. This is a binary that ships with Windows and thus is ensured to have been built with ASLR features activated. In the lower pane, I also selected the ntdll.dll DLL as the subject for examination (see Figure 4.10).
Figure 4.10: Process Explorer with the lower pane in DLL view. The upper pane lists processes with PID, CPU, Description, and Company Name columns; the lower pane lists the selected process's DLLs with Name, Description, Company Name, and Version columns.