aslr

Windows 10 exe file's imagebase doesn't change

匆匆过客 submitted 2019-12-24 08:16:03

Question: I am a student who studies reverse engineering. After I studied ASLR on Windows, I was going to check it. See the following capture: the image base of notepad is the same on the first and second run. Whenever I restart notepad in OllyDbg, the image base is the same. I checked the ASLR attributes on the file via PEView and the registry value on Windows 10 too. They are normal. Is there any reason the image base of notepad is not changed?

Answer 1: Base address will change on PC's restart. It will not change on app's restart. Writing

Enable Safe Exception Handling in C++ Builder

孤者浪人 submitted 2019-12-22 03:09:31

Question: For Windows 8 application certification, there are (among others) these requirements:
3.2 Your app must be compiled using the /SafeSEH flag to ensure safe exception handling
3.3 Your app must be compiled using the /NXCOMPAT flag to prevent data execution
3.4 Your app must be compiled using the /DYNAMICBASE flag for address space layout randomization (ASLR)
I wasn't able to find out how to enable any of these in C++Builder XE. For /NXCOMPAT and /DYNAMICBASE, one can use editbin.exe from VS

Force gdb to load shared library at randomized address

时光总嘲笑我的痴心妄想 submitted 2019-12-17 20:27:07

Question: I'm debugging a shared library. I found that the bug can be triggered when I enable ASLR on the Linux host, while the bug disappears when ASLR is disabled. I want to further debug the shared library with gdb. But I found it always loaded the shared library at a fixed address, which made the bug disappear. Is there any way to disable this gdb feature?

Answer 1: "Is there any way to disable this gdb feature?" Yes, you can run "set disable-randomization off" before running the program. See this part of gdb

Disabling ASLR in Mac OS X Snow Leopard

徘徊边缘 submitted 2019-12-17 19:29:52

Question: Essentially I want to disable ASLR in Mac OS X Snow Leopard and use gcc to do some buffer overflowing and stack overflows. Anyone know how to disable ASLR?

Answer 1: ASan authors listed several ways to disable ASLR in MacOS: https://code.google.com/p/address-sanitizer/issues/detail?id=29 For 10.6: export DYLD_NO_PIE=1. For 10.7 and newer: "unset the MH_PIE bit in an already linked executable" with the --no-pie flag of the script http://src.chromium.org/viewvc/chrome/trunk/src/build/mac/change_mach_o

Disabling ASLR in Mac OS X Snow Leopard

喜夏-厌秋 submitted 2019-12-17 19:27:20

Question: Essentially I want to disable ASLR in Mac OS X Snow Leopard and use gcc to do some buffer overflowing and stack overflows. Anyone know how to disable ASLR?

Answer 1: ASan authors listed several ways to disable ASLR in MacOS: https://code.google.com/p/address-sanitizer/issues/detail?id=29 For 10.6: export DYLD_NO_PIE=1. For 10.7 and newer: "unset the MH_PIE bit in an already linked executable" with the --no-pie flag of the script http://src.chromium.org/viewvc/chrome/trunk/src/build/mac/change_mach_o

Finding mapped memory from inside a process

橙三吉。 submitted 2019-12-11 02:33:03

Question: Setup: Ubuntu 18 x64, an x86_64 application, arbitrary code execution from inside the application. I'm trying to write code which should be able to find structures in memory even with ASLR enabled. Sadly, I couldn't find any static references to those regions, so I'm guessing I have to use the brute-force way and scan the process memory. What I tried to do was to scan the whole address space of the application, but that doesn't work as some memory areas are not allocated and therefore yield SIGSEGV

With ASLR turned on, do all sections of an image get loaded at the same offsets relative to the image base address every time?

杀马特。学长 韩版系。学妹 submitted 2019-12-10 21:29:04

Question: Do different sections of libc (such as .text, .plt, .got, .bss, .rodata, and others) get loaded at the same offset relative to the libc base address every time? I know the loader loads libc at a random location every time I run my program. Thank you in advance.

Answer 1: I guess I found the answer to my own question. I wrote a pin-tool using Intel PIN that, whenever a libc section gets loaded, outputs the section offset relative to the address of libc. Here are the sections that got loaded at

Why the addresses of local variables can be different every time?

痴心易碎 submitted 2019-12-10 12:53:35

Question: I've asked Google and did some research on StackOverflow. My question is: when I enter the main() function in a C++ program and declare the very first variable, why is it that the address of this variable can vary upon different executions? Please see my example program below:

    #include <iostream>

    int main() {
        int *a = new int;   // two heap allocations
        int *b = new int;
        // addresses of the heap objects
        std::cout << "address: " << a << " " << b << std::endl;
        // addresses of the local pointer variables themselves (on the stack)
        std::cout << "address of locals: " << &a << " " << &b << std::endl;
        delete a;
        delete b;
        return 0;
    }

Result on

Why does the stack have to be page aligned?

巧了我就是萌 submitted 2019-12-07 07:30:50

Question: In Linux, I've tried (just for fun) to modify the kernel source in process.c to create a stack address that has more entropy, i.e. in particular the line:

    sp -= get_random_int() % 8192;

When I change this too much, the kernel halts or I get some seemingly undefined behavior. I'm guessing that this causes PAGE_ALIGN() to fail in some way? I'm not that interested in why PAGE_ALIGN() in particular fails, or exactly what piece of code in the kernel fails (although that too would be nice to know

Address Space Layout Randomization in C Compilers

寵の児 submitted 2019-12-07 03:27:10

Question: If I am not mistaken, ASLR will make the local variables in C compilers have a different address each time I run the program. But when I tried it in Turbo C++ and the Dev-CPP IDE, it just returns a similar address for local variables. The code I tried:

    #include <stdio.h>
    #include <conio.h>

    int main() {
        int x = 10;
        int *ptr = &x;                 /* ptr holds the address of the local variable x */
        printf("%p", (void *)ptr);     /* %p prints a pointer; %d would be undefined behaviour */
        getch();
        return 0;
    }

Before, I thought the address of the local variables was the same because it is allocated in the same stack area and thus the same