PB DLLs and ASLR

  • PB DLLs and ASLR

    First, I'll apologize in advance if I'm getting any of the terminology wrong. This topic is pretty far outside my wheelhouse.

    Client's CSO asked if the application is ASLR (Address Space Layout Randomization) enabled. Using Process Explorer with the ASLR column shown, the PB DLLs are not.

    After some 'light' (sarcasm) reading, it looks like ASLR is controlled by a flag in the DLL header. I found a utility PESecInfo that allows you to enable / disable the flag. Now the DLLs are showing ASLR in Process Explorer. I've run many tests and cannot find a problem in the application with the ASLR flag set.

    My question is: Is that all there is to enabling ASLR on a PB DLL?



  • #2
    Originally posted by Raymond Leech:
    My question is: Is that all there is to enabling ASLR on a PB DLL?
    Short answer: Probably

    Long answer:

    I wondered whether this could be handled directly in a manifest file ... Mr. Google pointed me here:

    Link: https://support.microsoft.com/en-us/...-or-in-windows

    [1] "Currently ASLR is enabled for any image built by using Microsoft Visual C++ 2008 or a later edition unless the linker flag /DYNAMICBASE:NO is used to opt out.
    This flag setting tells the linker not to set a special ASLR bit in the final executable image file."

    [2] "Executable images that do not have the ASLR bit set will generally load at their preferred base address."




    • #3
      What do you get when you run GetProcessDEPPolicy?

      Code:
      #COMPILE EXE '#Win#
      #DIM ALL
      #REGISTER NONE
      #INCLUDE "Win32Api.inc"
      '#RESOURCE MANIFEST, 1, "XPTheme.xml"
      
      GLOBAL hDlg AS DWORD
      
      $AppName ="ASLR Data Execution Prevention"
      
      '_____________________________________________________________________________
      
      FUNCTION WinError$(BYVAL ErrorCode AS DWORD) AS STRING
       LOCAL pzError  AS ASCIIZ POINTER 'Max is 64K
       LOCAL ErrorLen AS DWORD
      
       ErrorLen = FormatMessage(%FORMAT_MESSAGE_FROM_SYSTEM OR %FORMAT_MESSAGE_ALLOCATE_BUFFER, _
                                BYVAL %NULL, ErrorCode, %NULL, BYVAL VARPTR(pzError), %NULL, BYVAL %NULL)
       IF ErrorLen THEN
         REPLACE $CRLF WITH $SPC IN @pzError
         FUNCTION = "Error" & STR$(ErrorCode) & " (0x" & HEX$(ErrorCode) & ") : " & @pzError
         LocalFree(pzError)
       ELSE
         FUNCTION = "Unknown error" & STR$(ErrorCode) & " (0x" & HEX$(ErrorCode) & ")"
       END IF
      
      END FUNCTION
      '_____________________________________________________________________________
      
      CALLBACK FUNCTION DlgProc
       LOCAL CurrentFlag  AS DWORD
       LOCAL FlagToSet    AS DWORD
       LOCAL Permanent    AS LONG
       LOCAL LastError    AS LONG
      
       SELECT CASE CBMSG
      
         CASE %WM_INITDIALOG
      
           MessageBox(hDlg, "GetSystemDEPPolicy = " & _
                      CHOOSE$(GetSystemDEPPolicy()+ 1, "AlwaysOff", "AlwaysOn", "OptIn", "OptOut"), _
                      "GetSystemDEPPolicy", %MB_OK OR %MB_TOPMOST)
      
           IF GetProcessDEPPolicy(GetCurrentProcess(), CurrentFlag, Permanent) THEN
             MessageBox(hDlg, "PROCESS_DEP_ENABLE = " & _
                        IIF$((CurrentFlag AND %PROCESS_DEP_ENABLE), "TRUE", "FALSE") & $CRLF & _
                        "PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = " & _
                        IIF$((CurrentFlag AND %PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION), "TRUE", "FALSE") & $CRLF & _
                        "Permanent = " & IIF$(Permanent, "TRUE", "FALSE"), _
                        "GetProcessDEPPolicy", %MB_OK OR %MB_TOPMOST)
           END IF
      
           FlagToSet = %PROCESS_DEP_ENABLE OR %PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
           SetProcessDEPPolicy(FlagToSet)
           LastError = GetLastError()
           IF LastError THEN
             MessageBox(hDlg, "Error = " & _
                        WinError$(LastError), _
                        "SetProcessDEPPolicy", %MB_OK OR %MB_TOPMOST)
           END IF
      
           IF GetProcessDEPPolicy(GetCurrentProcess(), CurrentFlag, Permanent) THEN
             MessageBox(hDlg, "PROCESS_DEP_ENABLE = " & _
                        IIF$((CurrentFlag AND %PROCESS_DEP_ENABLE), "TRUE", "FALSE") & $CRLF & _
                        "PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = " & _
                        IIF$((CurrentFlag AND %PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION), "TRUE", "FALSE") & $CRLF & _
                        "Permanent = " & _
                        IIF$(Permanent, "TRUE", "FALSE"), _
                        "GetProcessDEPPolicy", %MB_OK OR %MB_TOPMOST)
           END IF
      
        END SELECT
      
      END FUNCTION
      '_____________________________________________________________________________
      
      FUNCTION PBMAIN()
       LOCAL hIcon AS DWORD
      
       DIALOG FONT "Segoe UI", 9
       DIALOG NEW %HWND_DESKTOP, $AppName, , , 200, 150, _
       %WS_CAPTION OR %WS_MINIMIZEBOX OR %WS_SYSMENU, %WS_EX_LEFT TO hDlg
      
       hIcon = ExtractIcon(GetModuleHandle(""), "Shell32.dll", 294) 'o
       SetClassLong(hDlg, %GCL_HICON, hIcon)
       SetClassLong(hDlg, %GCL_HICONSM, hIcon)
      
       DIALOG SHOW MODAL hDlg CALL DlgProc
      
       DestroyIcon(hIcon)
      
      END FUNCTION
      '_____________________________________________________________________________
      '



      • #4
        I wrote some code to set or reset the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag.

        Without calling SetProcessDEPPolicy(), the result is that GetProcessDEPPolicy(), if the flag is set, will return
        - PROCESS_DEP_ENABLE = TRUE
        - PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = TRUE
        - Permanent = TRUE

        With IMAGE_DLLCHARACTERISTICS_NX_COMPAT not set,
        GetProcessDEPPolicy() will return false, false, false.

        So to the question: Is that all there is to enabling ASLR on a PB DLL?
        the answer really seems to be yes.



        • #5
          Originally posted by Pierre Bellisle:
          What do you get when you run GetProcessDEPPolicy?
          I get the following results regardless of whether the ASLR flag was applied to the exe or not.

          Code:
          GetSystemDEPPolicy Dialog
            GetSystemDEPPolicy = Optin
          
          GetProcessDEPPolicy Dialog
            Process_DEP_Enable = False
            Process_DEP_Disable_ATL_Thunk_Emulation = False
            Permanent = False
          
          GetProcessDEPPolicy Dialog
            Process_DEP_Enable = True
            Process_DEP_Disable_ATL_Thunk_Emulation = True
            Permanent = True
          
          ASLR Data Execution Prevention
          [empty window]
          FYI: the utility command line I used was:
          pesecinfo testdep.exe -e aslr






          • #6
            Is this only an issue with DLLs? A normal PB EXE would not have to deal with this?



            • #7
              @Raymond,
              I see, my code does the same as pesecinfo testdep.exe -e dep

              Reading pesecinfo.asm, for the ASLR side it works on the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag.

              pesecinfo says that the flags are checked by the Windows loader, so by manipulating them
              we can disable (or enable) these security features from the target EXE or DLL.

              Plus Kevin's info, I'd say you are in business...



              • #8
                Originally posted by Pierre Bellisle:
                @Raymond,
                I see, my code does the same as pesecinfo testdep.exe -e dep
                The client evidently controls DEP through the Advanced System Properties, turned on for everything but their 'exception list'. Do I gain anything by setting it myself? Again, pardon my ignorance, but in the past I've never had to worry about DEP at the process level, only the system level.



                • #9
                  Originally posted by David Clarke:
                  Is this only an issue with DLLs? A normal PB EXE would not have to deal with this?
                  David, when doing my research through Process Explorer, I found the ASLR column set on both executables and their DLLs (that supported it). I assume it applies to both.



                  • #10
                    For the DEP part, reading the SetProcessDEPPolicy remarks,
                    it says you won't gain anything if DEP is already set through the Advanced System Properties.

                    MS: The SetProcessDEPPolicy function overrides the system DEP policy for the current process unless its DEP policy was specified at process creation. The system DEP policy setting must be OptIn or OptOut. If the system DEP policy is AlwaysOff or AlwaysOn, SetProcessDEPPolicy returns an error. After DEP is enabled for a process, subsequent calls to SetProcessDEPPolicy are ignored.



                    • #11
                      Thank you everyone for the information! Much appreciated.



                      • #12
                        Raymond,

                        To be clear as mud (as Lance used to say), the DEP side of my answer wasn't what you asked for.

                        So for the question: Is that all there is to enabling ASLR on a PB DLL?

                        The %IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag means the DLL can be relocated at load time.

                        All the material I read amounts to saying that setting the ASLR flag is all that's needed when the OS loads the code.
                        Are you convinced as I am?


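The script below is an added example, not code from this thread or from PowerBASIC, PESecInfo or Process Explorer. It reads the two header words the discussion turns on: the COFF Characteristics field and the optional header's DllCharacteristics field, which is where IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, the bit /DYNAMICBASE sets) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, the bit /NXCOMPAT sets) live, and it performs the same header-only edit that `pesecinfo ... -e aslr` or `-e dep` performs. It adds one check a reviewer would want before signing off on an "ASLR enabled" claim: the loader can only move an image that carries a base relocation table, so a file whose linker stripped relocations (IMAGE_FILE_RELOCS_STRIPPED set, no base relocation directory) will show the DYNAMIC_BASE bit yet still load at its preferred base. The sample image in the block is constructed inline (headers only, not loadable) so the script runs offline; pass a path on the command line to inspect a real EXE or DLL.

```python
"""Inspect and toggle the PE header bits behind ASLR and DEP opt-in (added example)."""
import struct
import sys

# COFF Characteristics bits (IMAGE_FILE_*)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # no base relocations: loader cannot move the image
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# Optional-header DllCharacteristics bits (IMAGE_DLLCHARACTERISTICS_*)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE, the ASLR opt-in bit
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT, the DEP opt-in bit

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def _locate(data: bytes):
    """Validate MZ/PE signatures; return (coff_off, opt_off, magic)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    opt_off = coff_off + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return coff_off, opt_off, magic


def read_security_flags(data: bytes) -> dict:
    """Decode the loader-visible header bits that decide ASLR/DEP opt-in."""
    coff_off, opt_off, magic = _locate(data)
    characteristics = struct.unpack_from("<H", data, coff_off + 18)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]   # same offset in PE32 and PE32+
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        dir_off = opt_off + 96
    else:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        dir_off = opt_off + 112
    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]     # NumberOfRvaAndSizes
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "has_reloc_table": reloc_rva != 0 and reloc_size != 0,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def aslr_can_take_effect(data: bytes) -> bool:
    """DYNAMIC_BASE is only useful if the image still carries base relocations."""
    f = read_security_flags(data)
    return f["dynamic_base"] and f["has_reloc_table"] and not f["relocs_stripped"]


def set_dll_characteristic(data: bytes, flag: int, enable: bool = True) -> bytes:
    """Return a copy with one DllCharacteristics bit set or cleared (a header-only edit)."""
    _, opt_off, _ = _locate(data)
    buf = bytearray(data)
    cur = struct.unpack_from("<H", buf, opt_off + 70)[0]
    cur = (cur | flag) if enable else (cur & ~flag & 0xFFFF)
    struct.pack_into("<H", buf, opt_off + 70, cur)
    return bytes(buf)


def build_sample_pe32(characteristics: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed header-only PE32 image for offline testing; not a loadable DLL."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)  # i386, 0 sections
    opt = bytearray(224)                                     # PE32 optional header incl. 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)              # ImageBase (preferred base)
    struct.pack_into("<H", opt, 70, dll_chars)               # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)  # hypothetical .reloc RVA
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for key, val in read_security_flags(blob).items():
        print("%-16s %s" % (key, hex(val) if key == "image_base" else val))
    print("%-16s %s" % ("aslr_effective", aslr_can_take_effect(blob)))
```

When reading Process Explorer alongside this, keep in mind that Windows chooses a DLL's randomized base once per boot and reuses it for every process that loads that DLL, so seeing the same base across several runs within one boot does not by itself mean ASLR is off; compare across reboots, and check `relocs_stripped` and `has_reloc_table` on the file itself.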

                        • #13
                          Pierre, although not my original question, the DEP information was insightful and appreciated. I suppose they are somewhat complementary.

                          I thought I was ok on ASLR, but it's not acting very 'random' (as in not random at all). Without ASLR flag set, each invocation of the executable loads the DLL at a different load address. With it set, it always loads at the same base address according to process explorer (I'm not rebasing them for this exercise). Also, I'm only running one instance at a time, not concurrent.




                          • #14
                            Hi All
                            I'm confused, does the following code

                            Code:
                            FlagToSet = %PROCESS_DEP_ENABLE OR %PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
                            SetProcessDEPPolicy(FlagToSet)
                            work only in an EXE file and not in a DLL file?





                            • #15
                              Hi Tim,
                              SetProcessDEPPolicy will work in both an exe and a dll.



                              • #16
                                I didn't have the ASLR or DEP columns selected in Process Explorer. There were only a few processes which did not have ASLR enabled. Shock horror, my Encrypternet application had DEP enabled but not ASLR. It does now for 32-bit and 64-bit.

                                With FreeBASIC it looks like the gcc compiler that I use does not force ASLR to be enabled; and Windows 10 doesn't either. Bit of reading and I found that if I add '-Wl -dynamicbase' to the compiler options then I get ASLR enabled. Magic!

                                Many thanks, Raymond, for bringing this subject up.



                                • #17
                                  Originally posted by Yours truly:
                                  Bit of reading and I found that if I add '-Wl -dynamicbase' to the compiler options then I get ASLR enabled. Magic!
                                  Well, that didn't last long - for some reason subsequent compilations do not see ASLR enabled. PESecInfo tells me it is but Process Explorer tells me it isn't. Very weird!



                                  • #18
                                    It looks like, IMO, my FreeBASIC compiler builds cannot produce position-independent executables (PIEs) and ASLR will not work even when enabled. PowerBASIC, on the other hand, seems to be doing just that without being asked for it.



                                    • #19
                                      For the adventurous, you can randomly alter the stack address by adding or subtracting from ESP right at the start of an executable file. I think the old stack exploits of years ago no longer work so dynamically hacking an executable is far more difficult.

                                      To try it out, generate a random number between 0 and 255, multiply it by 4 then either add it or subtract it from the content of ESP.
                                      hutch at movsd dot com
                                      The MASM Forum

                                      www.masm32.com



                                      • #20
                                        David,
                                        On my side, under Se7en, setting the ASLR IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag
                                        works as expected in PowerBASIC and FreeBASIC, either 32- or 64-bit.
                                        I didn't test Windows 10.
