system dlls are not loaded at preferred image base in RC2 (5744)

Posted: 11-07-2006, 11:53 PM
Hi,

The preferred loading address for ntdll.dll v6.0.5744.16384 is 0x77EE0000,
yet the loader rebases the dll to 0x77AE0000. Since ntdll is the first to
load, it is certainly not colliding with other system dlls that would cause
the rebase. Not sure about RC1, but this certainly worked in XP. I noticed
that kernel32.dll is also rebased. This seems like a general problem with
the loader.

- Arpi




Responses to "system dlls are not loaded at preferred image base in RC2 (5744)"

Alan Adams
Re: system dlls are not loaded at preferred image base in RC2 (5744)
Posted: 11-08-2006, 10:59 AM
"Arpi Jakab" <arpi_AT_replaysolutions_DOT_COM> wrote:
> The preferred loading address for ntdll.dll v6.0.5744.16384 is 0x77EE0000,
> yet the loader rebases the dll to 0x77AE0000. Since ntdll is the first to
> load, it is certainly not colliding with other system dlls that would cause
> the rebase. Not sure about RC1, but this certainly worked in XP. I noticed
> that kernel32.dll is also rebased. This seems like a general problem with
> the loader.
Also known as the feature Address Space Layout Randomization (ASLR).
http://blogs.msdn.com/michael_howard...26/608315.aspx
http://blogs.msdn.com/michael_howard...mentation.aspx

Alan Adams
Arpi Jakab
Re: system dlls are not loaded at preferred image base in RC2 (5744)
Posted: 11-08-2006, 07:26 PM
Thanks that helps. The benefits of ASLR are clear for published
applications, although the non-determinism of dll base addresses does pose
some cross-box or cross-reboot debugging difficulties. Is there a way to
disable ASLR or just the rebasing of system dlls in RC2?

- Arpi

"Alan Adams" <alanadams@nospam.nospam> wrote in message
news:50e3l21cd8n04fme47f7h8ol4t2kbetovq@4ax.com...
> "Arpi Jakab" <arpi_AT_replaysolutions_DOT_COM> wrote:
>
>> The preferred loading address for ntdll.dll v6.0.5744.16384 is
>> 0x77EE0000,
>> yet the loader rebases the dll to 0x77AE0000. Since ntdll is the first to
>> load, it is certainly not colliding with other system dlls that would
>> cause
>> the rebase. Not sure about RC1, but this certainly worked in XP. I
>> noticed
>> that kernel32.dll is also rebased. This seems like a general problem with
>> the loader.
>
> Also known as the feature Address Space Layout Randomization (ASLR).
> http://blogs.msdn.com/michael_howard...26/608315.aspx
> http://blogs.msdn.com/michael_howard...mentation.aspx
>
> Alan Adams

Alan Adams
Re: system dlls are not loaded at preferred image base in RC2 (5744)
Posted: 11-10-2006, 04:45 AM
"Arpi Jakab" <arpi_AT_replaysolutions_DOT_COM> wrote:
> Thanks that helps. The benefits of ASLR are clear for published
> applications, although the non-determinism of dll base addresses does pose
> some cross-box or cross-reboot debugging difficulties. Is there a way to
> disable ASLR or just the rebasing of system dlls in RC2?
I don't know of, but have never looked for, such control.

Seems a little reaching though to try and call it a "debugging
difficulty". I'm assuming you're saying that you can't look at where,
for example, ntdll!ZwCreateFile is in one process and assume it's still
at that address the next time the process loads and/or on another
machine.

While true, you can no longer assume that, it's not that the debuggers
haven't long provided us the means with which to easily deal with
that. You would debug no differently than if you were chasing a DLL
that constantly collides; setting breakpoints by symbol offset rather
than address, etc.

The need for ASLR in a published application is actually the more
dubious proposition for me. Non-predictability of Windows system APIs
is actually the stronger suit of ASLR on Windows, from my perspective
anyway.

Alan Adams
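The rebase Alan identifies as ASLR, and his advice to break on module!symbol rather than a recorded address, can both be checked mechanically. The following Python is an added example, not code posted by either participant: it parses a PE optional header to read the module's preferred ImageBase and the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (the flag /DYNAMICBASE sets, which is what Vista's loader keys on when deciding whether to randomize an image), compares the preferred base with an observed load address, and resolves a breakpoint as base plus RVA. The PE blob is constructed inline so the script runs offline; the 0x1234 RVA is an assumption for illustration, not the real offset of any ntdll export. The 64 KiB alignment check reflects the Win32 allocation granularity, which every loader-assigned image base satisfies.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: the bit set by the /DYNAMICBASE linker
# option; Vista's loader only randomizes the base of images that carry it.
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100

# Win32 allocation granularity: module bases are always 64 KiB aligned, so any
# relocation delta the loader applies is a multiple of 0x10000.
ALLOC_GRANULARITY = 0x10000


def build_sample_pe(image_base, dll_characteristics, pe32plus=False):
    """Constructed minimal PE header (not a real DLL): DOS stub, PE signature,
    COFF header, optional header. Only the fields read by parse_pe() are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)          # Magic: PE32+
        struct.pack_into("<Q", opt, 24, image_base)    # ImageBase (64-bit)
    else:
        struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
        struct.pack_into("<I", opt, 28, image_base)    # ImageBase (32-bit)
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def parse_pe(data):
    """Return the preferred ImageBase and DllCharacteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    opt_off = coff_off + 20          # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:               # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:             # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
    }


def classify_load(info, actual_base):
    """Explain why a module is not where its header says it wants to be."""
    delta = actual_base - info["image_base"]
    if delta == 0:
        return "at preferred base"
    if delta % ALLOC_GRANULARITY:
        return "relocated by a non-64KiB delta; not a loader rebase"
    if info["dynamic_base"]:
        return "relocated by ASLR (DYNAMIC_BASE set)"
    return "relocated without DYNAMIC_BASE (collision or forced rebase)"


def resolve_symbol(actual_base, symbol_rva):
    """Breakpoint address = module base observed in this process + symbol RVA.
    A VA recorded in another process or on another machine is only valid when
    the base matches, which is why debuggers key on module!symbol instead."""
    return actual_base + symbol_rva


if __name__ == "__main__":
    # Numbers from the thread: ntdll preferred at 0x77EE0000, observed at 0x77AE0000.
    blob = build_sample_pe(0x77EE0000, DYNAMIC_BASE | NX_COMPAT)
    info = parse_pe(blob)
    actual = 0x77AE0000
    print("preferred 0x%08x observed 0x%08x delta %+#x"
          % (info["image_base"], actual, actual - info["image_base"]))
    print(classify_load(info, actual))
    # 0x1234 is an assumed RVA for illustration, not a real ntdll export offset.
    print("bp at 0x%08x" % resolve_symbol(actual, 0x1234))
```

Run against the thread's numbers the delta is -0x400000, a clean multiple of 64 KiB, which is consistent with a loader rebase rather than a collision; on a real system you would feed parse_pe() the on-disk ntdll.dll and take the observed base from the debugger's module list.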