aslr

ELF, PIE ASLR and everything in between, specifically within Linux

帅比萌擦擦* submitted on 2021-02-06 02:59:27
Question: Before asking my question, I would like to cover a few technical details I want to make sure I've got correct: A Position Independent Executable (PIE) is a program that would be able to execute regardless of which memory address it is loaded into, right? ASLR (Address Space Layout Randomization) pretty much states that in order to keep addresses static, we would randomize them in some manner. I've read that specifically within Linux and Unix based systems, implementing ASLR is possible

How to find load relocation for a PIE binary?

六月ゝ 毕业季﹏ submitted on 2021-02-05 05:00:04
Question: I need to get the base address of the stack inside my running process. This would enable me to print raw stacktraces that will be understood by addr2line (the running binary is stripped, but addr2line has access to symbols). I managed to do this by examining the ELF header of argv[0] : I read the entry point and subtract it from &_start : #include <stdio.h> #include <execinfo.h> #include <unistd.h> #include <elf.h> #include <stdio.h> #include <string.h> void* entry_point = NULL; void* base_addr = NULL; extern

How to find load relocation for a PIE binary?

时间秒杀一切 submitted on 2021-02-05 04:59:00
Question: I need to get the base address of the stack inside my running process. This would enable me to print raw stacktraces that will be understood by addr2line (the running binary is stripped, but addr2line has access to symbols). I managed to do this by examining the ELF header of argv[0] : I read the entry point and subtract it from &_start : #include <stdio.h> #include <execinfo.h> #include <unistd.h> #include <elf.h> #include <stdio.h> #include <string.h> void* entry_point = NULL; void* base_addr = NULL; extern

Can ASLR randomization be different per function?

风格不统一 submitted on 2020-07-19 11:16:27
Question: I have the following code snippet: #include <inttypes.h> #include <stdio.h> uint64_t esp_func(void) { __asm__("movl %esp, %eax"); } int main() { uint32_t esp = 0; __asm__("\t movl %%esp,%0" : "=r"(esp)); printf("esp: 0x%08x\n", esp); printf("esp: 0x%08lx\n", esp_func()); return 0; } Which prints the following upon multiple executions: ❯ clang -g esp.c && ./a.out esp: 0xbd3b7670 esp: 0x7f8c1c2c5140 ❯ clang -g esp.c && ./a.out esp: 0x403c9040 esp: 0x7f9ee8bd8140 ❯ clang -g esp.c && ./a.out esp:

Why is the address of __libc_start_main always the same inside GDB even though ASLR is on?

痞子三分冷 submitted on 2020-02-29 10:08:38
Question: Breakpoint 1, 0x00007ffff7de8060 in __libc_start_main () from /usr/lib/libc.so.6 (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/firstlove/projects/org-ioslide/example/a.out Breakpoint 1, 0x00007ffff7de8060 in __libc_start_main () from /usr/lib/libc.so.6 (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/firstlove/projects/org-ioslide/example/a

Address Space Layout Randomization (ASLR) and mmap

社会主义新天地 submitted on 2020-01-02 04:10:10
Question: I expect that due to Address Space Layout Randomization (ASLR) a process forked from another process will have different addresses returned when calling mmap . But as I found out, that was not the case. I made the following test program for that purpose. All the addresses returned by malloc are exactly the same for the parent and the child. Note that the malloc for cl1 , cl2 , pl1 , pl2 internally uses mmap because they are large blocks. So, my question is, why mmap is not returning different

ASLR and Windows System DLLs for non-aware executables?

醉酒当歌 submitted on 2019-12-30 05:22:09
Question: From a Microsoft article: Address Space Layout Randomization (ASLR) ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.exe consumes B.dll and C.dll, all three must support ASLR. By default, Windows Vista and later will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR