ASLR and the new linker
Well, the VS team shipped VS2005 SP1. You'll need the updated linker to support ASLR on Windows Vista. All it does is add a new setting to your PE header.
So grab the update, and link your EXE with the new /dynamicbase option.
Voila!
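As an added example (not the post's own code): a small Python check for the flag the post describes, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header's DllCharacteristics field, which is what /dynamicbase sets and what a post-build audit would verify; it also reports whether the image's relocations were stripped, since an image without relocation data cannot be rebased even with the bit set. The sample image is a constructed, header-only PE32 buffer, not a real executable.

```python
import struct

# Bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link /dynamicbase
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link /nxcompat (DEP opt-in)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics: no .reloc


def _optional_header_offset(pe: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER; raises ValueError on a non-PE buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # skip PE\0\0 and the 20-byte IMAGE_FILE_HEADER


def dll_characteristics(pe: bytes) -> int:
    opt = _optional_header_offset(pe)
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    return struct.unpack_from("<H", pe, opt + 70)[0]


def aslr_status(pe: bytes) -> dict:
    """Does the image opt into ASLR, and can the loader actually relocate it?"""
    opt = _optional_header_offset(pe)
    file_chars = struct.unpack_from("<H", pe, opt - 2)[0]  # FileHeader.Characteristics
    dllc = dll_characteristics(pe)
    return {
        "dynamic_base": bool(dllc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dllc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def set_dynamic_base(pe: bytes) -> bytes:
    """Set the /dynamicbase bit on an existing image, as editbin /dynamicbase does."""
    opt = _optional_header_offset(pe)
    buf = bytearray(pe)
    new = dll_characteristics(pe) | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    struct.pack_into("<H", buf, opt + 70, new)
    return bytes(buf)


def build_minimal_pe(dllc: int, file_chars: int = 0) -> bytes:
    """Constructed sample: header-only PE32 image, just enough to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew -> 64
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, file_chars)  # i386
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                                  # Subsystem: GUI
    struct.pack_into("<H", opt, 70, dllc)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```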
Comments
Anonymous
December 17, 2006
Could people using downlevel linkers simply add the appropriate bit to the EXE header if switching linkers is inconvenient? Perhaps EDITBIN.EXE or a new third-party utility could be used for this?

Anonymous
December 17, 2006
Any idea why the RTM SDK didn't support this, or perhaps when you expect to see it added? (cf. http://www.nynaeve.net/?p=100).

Anonymous
December 19, 2006
Hey Michael, are there any other security features that are new in VS2005 SP1? Thanks, Kyle Randolph

Anonymous
December 19, 2006
>>Kyle Randolph afaik, that's all; it's a service pack, not a "feature pack" after all.

Anonymous
December 20, 2006
Bovine: Yes, if they were using link.exe + editbin.exe from VS 2005 SP1 or the WDK. You need to use that version of the linker in order to have it set the flag. (Remember that editbin.exe is a thin wrapper that simply launches link.exe with a special parameter that puts it into "editbin" mode.)

Anonymous
December 21, 2006
The comment has been removed

Anonymous
December 21, 2006
Dejani
- ASLR does not require DEP to make ASLR work. ASLR works better when DEP is enabled. XPSP2 and later support another form of DEP, named software DEP, which does not require CPU support. This other form of DEP is also called SafeSEH, and it's also a linker flag (/safeseh)
- what you're seeing is expected. The stack address will juggle around as each thread starts up, but the base image address is fixed until the system is restarted. We "assign" image addresses on reboot only.
Anonymous
December 28, 2006
Just one question: Is ASLR applied to the kernel (NTOSKRNL.EXE) itself? Is ASLR applied to kernel mode drivers? Waiting for the reply.

Anonymous
December 31, 2006
Kernel mode has always had a form of ASLR.

Anonymous
January 02, 2007
The comment has been removed

Anonymous
January 06, 2007
Hi dejani, please check the phrase "However, Windows can use DEP software to help prevent some types of attacks" that you've posted. Wasn't it really "However, Windows can use software DEP to help prevent some types of attacks"? The order of words is critical here.

Anonymous
January 14, 2007
The comment has been removed

Anonymous
February 28, 2007
The comment has been removed

Anonymous
February 28, 2007
ss, sure they often find APIs dynamically - by calling LoadLibrary, which is at a random location.

Anonymous
March 01, 2007
Michael: no, I meant without even using LoadLibrary. You can just find the image base of the library, e.g. by searching for 'MZ' in memory and taking into account that it is always page-aligned, then find the PE header and finally reach the export table.

Anonymous
March 01, 2007
The comment has been removed