Wednesday, October 31, 2007

Funny Vista Tricks with ASLR

While doing alot of testing around the implementation of ASLR on both OSX and Vista I noticed something odd. 3rd party dlls in the Internet Explorer don’t seem to change addresses. See the screenshot below. Googletoolbar and flash9d stay at the same address through multiple reboots. I thought this was odd.

Flash9d and Googletoolbar stay at the same address.

Doing some reading it turns out that a linker flag, /dynamicbase, is what tells Vista that it is ok to rebase a DLL. This gave me a bright idea that maybe I could manually enable ASLR support in a DLL. The first step to this is to find out exactly what the /dynamicbase flag does to a binary. I did a couple of things to run this down, but mainly I compared a DLL that utilized ASLR versus one that doesn't. Mshtml.dll takes advantage of ASLR so that the target. Googletoolbar is the binary I want to force to use ASLR. After comparing alot of fields in the PE header i narrowed it to an option in the PE header, DLL Characteristics. Setting this field to 0x40 enables rebasing the DLL.

The real difference is the DLL Characteristic field which has to get set to 0x40.

1. The first step in enabling ASLR for this program is to save a copy of the original file so that it can be restored in case of an accident.

2. The next step is to open the Googletoolbar in a hex editor and find the DLL Characteristics field and set it to 0x40.
These are images of modifying the googletoolbar dll. The byte that is changed is on the bottom role on the right.

3. Save the file. B00m, some ASLR action for Googletoolbar.
Every reboot changes the load address of GoogleToolbar now.

I was worried that this would not work because of application signing. I thought that once an application is modified it would no longer run. No problems like that occurred. The toolbar seemed to work just fine.

I am not advocating doing this to your system DLLs, I just thought it was interesting.

4 comments:

Unknown said...

I wonder how this might change when Sp1 comes out. As far as the beta stands now, there is no mention of any changes implemented or planned as far as ASLR in Vista is concerned.

mokum von Amsterdam said...

"I thought that once an application is modified it would no longer run. No problems like that occurred. The toolbar seemed to work just fine." <-- this really scares me... What's the point in signing if one can alter the gut of the beast?

Didier Stevens said...

So this means that I can disable ASLR for any MS DLL, given that they are not protected by WFP?

Would WFP even detect the bit toggle?

For the application signing, you're talking about Authenticode?

Rhys Kidd said...

Dave,

You might find some of these Immunity Debugger scripts useful (especially ASLRdynamicbase.py that did much of the work you talk about here in Aug 07).

http://www.openrce.org/repositories/browse/Faithless

AFAIK, WFP doesn't protect the PE header itself, only the image, resc etc.