Forum posts for kernel32.dll

ASLR and Windows System DLLs for non-aware executables?

From a Microsoft article:


Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR using the /DYNAMICBASE linker option.


I don't quite get it. Take the base system DLLs loaded by every process on Windows: NtDll.dll and kernel32.dll.

If I have a non-aware executable, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for this executable, or will they always load at the same base address after system reboot like they do on Win XP?

To make it more clear what I mean: My typical dummy program's startup stack will look like this:

write_cons.exe!wmain() Line 8 C++
write_cons.exe!__tmainCRTStartup() Line 583 + 0x19 bytes C
write_cons.exe!wmainCRTStartup() Line 403 C
> kernel32.dll!_BaseProcessStart@4() + 0x23 bytes


Looking at the asm of BaseProcessStart, I see on my XP box here:

_BaseProcessStart@4:
7C817054 push 0Ch
7C817056 push 7C817080h
7C81705B call __SEH_prolog (7C8024D6h)
7C817060 and dword ptr [ebp-4],0
...


Now what interests me is the following:

On Windows XP, the address will always be 0x7C817054, regardless of how many times I reboot this machine. If I were on Win7 with ASLR, will this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: For me, atm., there is only one minor use-case this address would be useful for: In Visual Studio, I can only set a 'Data Breakpoint' for assembly level functions, that is a breakpoint @ 0x7... - If I want to break in a specific ntdll.dll or kernel32.dll function, in Windows XP I do not have to adjust my breakpoints between reboots. With ASLR kicking in (the scope of this question) I would have to change the Data Breakpoints between reboots.)
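A check worth running before reasoning about this, added here as an example and not part of the original post: the /DYNAMICBASE linker option the quoted article mentions does nothing more than set the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the DllCharacteristics field of the PE optional header, so whether an EXE or DLL is "ASLR-aware" can be read straight off the file on disk. The script below parses that field, together with the relocations-stripped bit (an image with no relocations cannot be rebased at all) and the preferred ImageBase, for both PE32 and PE32+ files. It uses only the Python standard library and builds a constructed minimal PE header to demonstrate itself, so it runs without a Windows machine. The names pe_aslr_info, verdict, build_minimal_pe and audit_file are mine, not from any Microsoft tool.

```python
import struct
import sys

# PE constants (values from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D                    # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550                 # "PE\0\0"
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no .reloc section: image cannot be rebased
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the bit /DYNAMICBASE sets
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # the bit /NXCOMPAT sets (DEP)


def pe_aslr_info(data: bytes) -> dict:
    """Read the ASLR-relevant header fields from the raw bytes of a PE file."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                                # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                           # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                         # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both
    return {
        "machine": machine,
        "image_base": image_base,
        "dynamic_base": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def verdict(info: dict) -> str:
    """One-line reading of the flags, in the terms used by the quoted article."""
    base = info["image_base"]
    if info["relocs_stripped"]:
        return "not relocatable: relocations stripped, must load at 0x%X" % base
    if info["dynamic_base"]:
        return "ASLR-aware: /DYNAMICBASE set, loader may rebase away from 0x%X" % base
    return "not ASLR-aware: /DYNAMICBASE not set, loader uses preferred base 0x%X" % base


def build_minimal_pe(dll_characteristics: int, relocs_stripped: bool = False,
                     pe32plus: bool = False, image_base: int = 0x00400000) -> bytes:
    """Constructed sample input: only the headers pe_aslr_info reads (not a loadable image)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    if pe32plus:
        machine, magic, opt_size = 0x8664, 0x20B, 240           # x64, PE32+
    else:
        machine, magic, opt_size = 0x014C, 0x10B, 224           # i386, PE32
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(opt)


def audit_file(path: str) -> dict:
    """Parse a PE file from disk (e.g. kernel32.dll or your own EXE)."""
    with open(path, "rb") as f:
        return pe_aslr_info(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            info = audit_file(path)
            print("%s: machine=0x%X, %s" % (path, info["machine"], verdict(info)))
    else:
        # No files given: show the two cases on constructed headers.
        samples = [("opt-in", build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)),
                   ("legacy", build_minimal_pe(0, relocs_stripped=True))]
        for name, blob in samples:
            print("%s sample: %s" % (name, verdict(pe_aslr_info(blob))))
```

On a Windows box, running the script (saved under an assumed name such as pe_aslr_check.py) with C:\Windows\System32\kernel32.dll and your own write_cons.exe as arguments reports both files side by side. Note what the flag does and does not tell you: it only records whether an image opts in to being rebased; where a system DLL actually lands is decided by the loader at boot, which is the "randomize system DLLs" behaviour the quoted article attributes to Vista and later, so an image base read from the file is only the preferred address, never a guarantee of where it is mapped.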
