Windows Vista Address Space Load Randomization - The way Vista loads DLLs
Let's first talk about what a DLL is and why we need it. A dynamic-link library (DLL) is shared code and data that an application can load and call at run time. A DLL typically exports a set of routines for applications to use and contains other routines for internal use. This technique enables code reuse by allowing multiple applications to share common functionality in a library and load it on demand. Advantages of using DLLs include a reduced code footprint, lower memory utilization due to single-copy sharing, and much more.
The original purpose of DLLs was to save both the disk space and the memory required for Windows applications by sharing a single library between two loaded programs. In a conventional non-shared library, sections of code are simply added to the calling program when its executable is built at the linking phase; if two programs use the same routine, the code has to be included in both. Instead, code which multiple applications share can be separated into a DLL, which exists as a single, separate file and is loaded only once into memory while in use. Extensive use of DLLs allowed early versions of Windows to work under tight memory conditions, in an environment in which all programs shared the same address space.
How are these DLLs and EXE files loaded?
This is done by the loader. The loader is the part of an operating system that is responsible for loading programs from executables (i.e., executable files) into memory, preparing them for execution and then executing them. The loader is usually a part of the operating system's kernel; it is usually loaded at system boot time and stays in memory until the system is rebooted, shut down, or powered off.
https://support.microsoft.com/kb/100635
Now, what changed in Vista, and what is this address space load randomization?
Let's see it in practice.
I attached a debugger to msiexec.exe, and we see the loaded modules below.
Before reboot, on Windows Vista
CommandLine: C:\Windows\System32\msiexec.exe
Symbol search path is: SRV*C:\WINDOWS\Symbols*\\symbols\symbols
Executable search path is:
ModLoad: 00ab0000 00ac4000 msiexec.exe
ModLoad: 772c0000 773de000 ntdll.dll
ModLoad: 771e0000 772b8000 C:\Windows\system32\kernel32.dll
ModLoad: 768e0000 7699f000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 769a0000 76a63000 C:\Windows\system32\RPCRT4.dll
ModLoad: 76ed0000 76f6e000 C:\Windows\system32\USER32.dll
ModLoad: 76a70000 76abb000 C:\Windows\system32\GDI32.dll
ModLoad: 76f70000 7701a000 C:\Windows\system32\msvcrt.dll
ModLoad: 76790000 768d4000 C:\Windows\system32\ole32.dll
ModLoad: 72950000 72b54000 C:\Windows\System32\msi.dll
In the legacy OS scenario, if I want to write malicious code or modify something on your machine, I know that msi.dll is going to load at this address every time. Even if I am not going to use this DLL later, the address stays reserved for msi.dll once it has been loaded. In Vista, because of address space load randomization, the DLL is unloaded and later reloaded at some other address, and while the DLL is not in use its address need not stay reserved for it. Benefit: the same address can be used by the next DLL that loads, creating larger regions of free memory for contiguous memory allocations and reducing the number of page tables the memory manager allocates to keep track of the address-space layout.
After reboot
=========
Executable search path is:
ModLoad: 005b0000 005c4000 msiexec.exe
ModLoad: 77540000 7765e000 ntdll.dll
ModLoad: 763e0000 764b8000 C:\Windows\system32\kernel32.dll
ModLoad: 776c0000 7777f000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 75ed0000 75f93000 C:\Windows\system32\RPCRT4.dll
ModLoad: 769d0000 76a6e000 C:\Windows\system32\USER32.dll
ModLoad: 764c0000 7650b000 C:\Windows\system32\GDI32.dll
ModLoad: 767c0000 7686a000 C:\Windows\system32\msvcrt.dll
ModLoad: 76290000 763d4000 C:\Windows\system32\ole32.dll
ModLoad: 72c40000 72e44000 C:\Windows\System32\msi.dll
The address has changed: msi.dll was loaded dynamically at a different base after the reboot.
Later I did a similar test on a Windows Server 2003 (win2k3) machine with notepad.exe, and we see the DLLs load at the same addresses even after a reboot.
Before reboot
Executable search path is:
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll
ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll
ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll
ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll
ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll
ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll
ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll
ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll
ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll
ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll
ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV
ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll
ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll
After reboot
==============
Executable search path is:
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll
ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll
ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll
ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll
ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll
ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll
ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll
ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll
ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll
ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll
ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV
ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll
ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll
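As an added example (not part of the original post), the following Python script automates the comparison made above: it parses WinDbg "ModLoad:" lines from two debugger sessions and reports which modules came up at a different base after the reboot. The sample transcripts are subsets of the Vista and win2k3 listings shown above; nothing else is assumed.

```python
import re

# A WinDbg "ModLoad:" line: start address, end address, then the module path or name.
MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")


def parse_modloads(transcript):
    """Map each module's lower-cased file name to its (start, end) address pair."""
    modules = {}
    for line in transcript.splitlines():
        m = MODLOAD_RE.match(line.strip())
        if m:
            start, end, path = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            name = path.rsplit("\\", 1)[-1].lower()   # keep only the file name
            modules[name] = (start, end)
    return modules


def classify_modules(before_text, after_text):
    """Return (moved, unchanged): sorted names of modules present in both transcripts,
    split by whether their base address differs between the two sessions."""
    before = parse_modloads(before_text)
    after = parse_modloads(after_text)
    common = set(before) & set(after)
    moved = sorted(n for n in common if before[n][0] != after[n][0])
    unchanged = sorted(n for n in common if before[n][0] == after[n][0])
    return moved, unchanged


# Subsets of the ModLoad listings from the post (Vista: msiexec.exe; win2k3: notepad.exe).
VISTA_BEFORE = r"""
ModLoad: 00ab0000 00ac4000 msiexec.exe
ModLoad: 772c0000 773de000 ntdll.dll
ModLoad: 771e0000 772b8000 C:\Windows\system32\kernel32.dll
ModLoad: 72950000 72b54000 C:\Windows\System32\msi.dll
"""
VISTA_AFTER = r"""
ModLoad: 005b0000 005c4000 msiexec.exe
ModLoad: 77540000 7765e000 ntdll.dll
ModLoad: 763e0000 764b8000 C:\Windows\system32\kernel32.dll
ModLoad: 72c40000 72e44000 C:\Windows\System32\msi.dll
"""
W2K3_BEFORE = r"""
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
"""
W2K3_AFTER = r"""
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
"""

if __name__ == "__main__":
    for label, before, after in (("Vista", VISTA_BEFORE, VISTA_AFTER),
                                 ("win2k3", W2K3_BEFORE, W2K3_AFTER)):
        moved, unchanged = classify_modules(before, after)
        print("%s: rebased across reboot = %s; same base = %s" % (label, moved, unchanged))
```

On the Vista transcript every module, the main executable included, reports a different base after the reboot; on the win2k3 transcript none does. Feeding the script two full sessions captured before and after a reboot is a quick way to confirm that ASLR is actually in effect for the modules a process loads.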
Now I wanted to see what the change in msi.dll is between win2k3 and Vista, so I dumped both of them using the following command. I knew that there is a new flag on the Vista msi.dll (the dynamic relocation flag in the header of msi.dll), but I guess I was not able to see it because the link.exe I was using was not from the Vista SDK.
C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -headers c:\windows\system32\msi.dll
Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\msi.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
14C machine (x86)
5 number of sections
4549BD89 time date stamp Thu Nov 02 15:12:33 2006
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic # (PE32)
8.00 linker version
1DAE00 size of code
25200 size of initialized data
0 size of uninitialized data
7B2D entry point (751F7B2D)
1000 base of code
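The dump above stops before the DLL characteristics lines, where a newer link.exe /dump (or dumpbin) prints "Dynamic base" when the flag is present. As an added example (not part of the original post), the following Python script reads that field directly from the PE headers rather than relying on the linker version: the flag in question is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in IMAGE_OPTIONAL_HEADER.DllCharacteristics, which the Vista SDK linker sets with its /DYNAMICBASE option. The in-memory test image is constructed here from the file-header and optional-header values in the dump above (the ImageBase is derived from the dump's entry-point line); the DllCharacteristics value itself is an assumption, since the dump does not show it. Given a path on the command line, the script checks that file instead.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000                         # COFF Characteristics bit: image is a DLL
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics bit: image may be rebased by ASLR


def parse_pe_headers(data):
    """Parse the DOS header, PE signature, COFF file header and the optional-header
    fields needed to tell whether an image opts in to address space randomization."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # the COFF file header is 20 bytes
    magic, major, minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "linker_version": "%d.%02d" % (major, minor),
        "size_of_code": size_of_code,
        "entry_point_va": image_base + entry_rva,
        "dll_characteristics": dll_chars,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_test_image(dll_characteristics):
    """Constructed test data: a minimal PE32 header, not a real file. The values
    mirror the msi.dll dump in the post; ImageBase is 0x751F7B2D - 0x7B2D."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x14C,                        # machine (x86)
                       5,                            # number of sections
                       0x4549BD89,                   # time date stamp
                       0, 0,                         # symbol table pointer / number of symbols
                       0xE0,                         # size of optional header
                       0x2102)                       # Executable | 32 bit word machine | DLL
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIIII", opt, 0,
                     0x10B, 8, 0,                    # PE32 magic, linker version 8.00
                     0x1DAE00, 0x25200, 0,           # size of code / initialized / uninitialized data
                     0x7B2D, 0x1000)                 # entry point RVA, base of code
    struct.pack_into("<I", opt, 28, 0x751F0000)      # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)   # assumed value (not in the dump)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(data):
    """One-line summary of the fields a reviewer cares about for ASLR."""
    h = parse_pe_headers(data)
    kind = "DLL" if h["is_dll"] else "EXE"
    return "%s, linker %s, entry point %08X, DllCharacteristics %04X -> %s" % (
        kind, h["linker_version"], h["entry_point_va"], h["dll_characteristics"],
        "dynamic base (ASLR-compatible)" if h["dynamic_base"] else "fixed base")


if __name__ == "__main__":
    if len(sys.argv) > 1:                            # e.g. python pe_aslr.py C:\Windows\System32\msi.dll
        with open(sys.argv[1], "rb") as f:
            print(report(f.read()))
    else:
        print("constructed, flag set:  ", report(build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
        print("constructed, flag clear:", report(build_test_image(0)))
```

Reading the field directly makes the check independent of which SDK's link.exe is on the path, which is exactly the problem hit above; an image whose DllCharacteristics lacks the 0x0040 bit keeps its preferred ImageBase even on Vista, so this is the first thing to look at when a module shows up at the same address across reboots.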
For more information refer to https://www.microsoft.com/technet/technetmag/issues/2007/04/VistaKernel/default.aspx
===============================
Gaurav Anand
This posting is provided "AS IS" with no warranties, and confers no rights.