Home/ Questions/Q 6027597
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T04:36:57+00:00

From a Microsoft article : Address Space Layout Randomization (ASLR) ASLR moves executable images

  • 0

From a Microsoft article:

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system
boots, making it harder for exploit
code to operate predictably. For a
component to support ASLR, all
components that it loads must also
support ASLR. For example, if A.exe
consumes B.dll and C.dll, all three
must support ASLR. By default, Windows
Vista and later will randomize system
DLLs and EXEs, but DLLs and EXEs
created by ISVs must opt in to support
ASLR using the /DYNAMICBASE linker
option.

I don’t quite get it. Take the base system DLLs loaded by every process on WIndows: NtDll.dll and kernel32.dll.

If a have a non-aware executable, will these system DLLs use ASLR? That is, will they load at a different base address after every system reboot on Win 7 for this executable or will they always load at the same base address after system reboot like they do on Win XP?

To make it more clear what I mean: My typical dummy program’s startup stack will look like this:

    write_cons.exe!wmain()  Line 8  C++
    write_cons.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes   C
    write_cons.exe!wmainCRTStartup()  Line 403  C
>   kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes

Looking at the asm of BaseProcessStart, I see on my XP box here:

_BaseProcessStart@4:
7C817054  push        0Ch  
7C817056  push        7C817080h 
7C81705B  call        __SEH_prolog (7C8024D6h) 
7C817060  and         dword ptr [ebp-4],0 
...

Now what interests me is the following:

On Windows XP, the address will always be 0x7C817054, regardless of how many times I reboot this machine. If I were on Win7 with ASLR, will this address change between reboots if the executable that loads kernel32.dll is not enabled for ASLR?

(Note: For me, atm., there is only one minor use-case this address would be useful for: In Visual Studio, I can only set a “Data Breakpoint” for assembly level functions, that is a breakpoint @ 0x7… – If I want to break in a specific ntdll.dll or kernel32.dll function, in Windows XP I do not have to adjust my breakpoints between reboots. With ASLR kicking in (the scope of this question) I would have to change the Data Breakpoints between reboots.)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Technically whether the system dlls get relocated or not, it shouldn’t matter, as the linker will bind to symbols, not addresses. These symbols are resolved by the runtime loader into to addresses for the instanced system dlls, thus your binary should be none the wiser. From what i’ve seen however, windows 7 will reset the base randomization every reboot, including system dlls(note: this is from debuging WOW64 apps on widows server 2008 R2). You can also do a system wide disabling of ASLR via some registery edits, but thats not really relevant…

    Update:

    the section on ASLR in this article explains what gets relocated and when.
    it doesn’t mention if the base will reset every reboot, but for system dlls, its never going to be guaranteed to load at the same address twice, reboot or no reboot.
    the important thing is according to article, everything needs to opt-in to ASLR for system dll’s to be relocated.

    • 0