Windows Vista Address Space Layout Randomization (ASLR) - the way Vista loads DLLs

Let's talk first about what a DLL is and why we need it. A dynamic-link library (DLL) is shared code and data that an application can load and call at run time. A DLL typically exports a set of routines for applications to use and contains other routines for internal use. This enables code reuse by letting multiple applications share common functionality in one library and load it on demand. Advantages of using DLLs include a smaller code footprint and lower memory utilization, because a single copy of the library's code pages is shared by every process that has it loaded.

The original purpose of DLLs was saving both the disk space and the memory required for Windows applications by sharing a single library between two loaded programs. With a conventional non-shared (static) library, sections of code are simply copied into the calling program when its executable is built, at the linking phase; if two programs use the same routine, the code has to be included in both. Instead, code that multiple applications share can be separated into a DLL, which exists as a single separate file and is loaded only once into memory while in use. Extensive use of DLLs allowed early versions of Windows to work under tight memory conditions, in an environment in which all programs shared the same address space.

How are these DLLs and EXE files loaded?

This is done by the loader. The loader is the part of an operating system responsible for bringing programs from executable files into memory, preparing them for execution and then starting them. On Windows the image loader for user-mode processes is not itself in the kernel: it lives in ntdll.dll (the Ldr* routines) and runs inside the process being started, while the kernel's memory manager maps the executable and its DLLs into the address space as section objects. Since the loader is what decides the base address at which every image is mapped, it is also the place where address space layout randomization takes effect.

https://support.microsoft.com/kb/100635

Now, what changed in Vista, and what is Address Space Layout Randomization (ASLR)?

Let's see it in practice.

I attached a debugger to msiexec.exe, and we see the loaded modules below.

Before reboot, on Windows Vista

CommandLine: C:\Windows\System32\msiexec.exe

Symbol search path is: SRV*C:\WINDOWS\Symbols*\\symbols\symbols

Executable search path is:

ModLoad: 00ab0000 00ac4000 msiexec.exe

ModLoad: 772c0000 773de000 ntdll.dll

ModLoad: 771e0000 772b8000 C:\Windows\system32\kernel32.dll

ModLoad: 768e0000 7699f000 C:\Windows\system32\ADVAPI32.dll

ModLoad: 769a0000 76a63000 C:\Windows\system32\RPCRT4.dll

ModLoad: 76ed0000 76f6e000 C:\Windows\system32\USER32.dll

ModLoad: 76a70000 76abb000 C:\Windows\system32\GDI32.dll

ModLoad: 76f70000 7701a000 C:\Windows\system32\msvcrt.dll

ModLoad: 76790000 768d4000 C:\Windows\system32\ole32.dll

ModLoad: 72950000 72b54000 C:\Windows\System32\msi.dll

This is the line that matters. On a legacy OS (Windows XP, Windows Server 2003), an attacker who wants to run bad code or modify something on your machine knows that msi.dll will be mapped at this same address every time: the loader simply maps each image at the preferred ImageBase recorded in its PE header, so the addresses of routines inside the DLL can be hard-coded in an exploit and stay valid across reboots and across every machine running the same build. In Vista, address space layout randomization changes this. The first time a DLL linked with /DYNAMICBASE is loaded after boot, the loader picks its base address at random (one of 256 possible 64 KB-aligned slots), and that choice is reused for every other process that loads the same DLL during that boot session, because the DLL's code pages can only be shared between processes if they are mapped at the same address in each of them. After a reboot a new random base is chosen, so a hard-coded address no longer works. A side benefit, described in the article linked at the end of this post, is that randomized DLLs are packed together rather than scattered at their individual preferred bases, creating larger regions of free memory for contiguous memory allocations and reducing the number of page tables the memory manager allocates to keep track of the address-space layout.

After reboot

=========

Executable search path is:

ModLoad: 005b0000 005c4000 msiexec.exe

ModLoad: 77540000 7765e000 ntdll.dll

ModLoad: 763e0000 764b8000 C:\Windows\system32\kernel32.dll

ModLoad: 776c0000 7777f000 C:\Windows\system32\ADVAPI32.dll

ModLoad: 75ed0000 75f93000 C:\Windows\system32\RPCRT4.dll

ModLoad: 769d0000 76a6e000 C:\Windows\system32\USER32.dll

ModLoad: 764c0000 7650b000 C:\Windows\system32\GDI32.dll

ModLoad: 767c0000 7686a000 C:\Windows\system32\msvcrt.dll

ModLoad: 76290000 763d4000 C:\Windows\system32\ole32.dll

ModLoad: 72c40000 72e44000 C:\Windows\System32\msi.dll

After the reboot the base address of every module has changed, msi.dll included (72950000 before, 72c40000 after; ntdll.dll moved from 772c0000 to 77540000, and even msiexec.exe moved from 00ab0000 to 005b0000). Only the size of each mapping is unchanged, which is exactly what a relocated image looks like.

Later I did a similar test on a Windows Server 2003 machine with notepad.exe, and we see the DLLs load at the same addresses even after a reboot.

 

Before reboot

 

Executable search path is:

ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe

ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll

ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll

ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll

ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll

ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll

ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll

ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll

ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll

ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll

ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll

ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll

ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll

ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV

ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll

ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll

 

 

After reboot

==============

Executable search path is:

ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe

ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll

ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll

ModLoad: 762b0000 762f9000 C:\WINNT\system32\comdlg32.dll

ModLoad: 77ba0000 77bfa000 C:\WINNT\system32\msvcrt.dll

ModLoad: 77da0000 77df2000 C:\WINNT\system32\SHLWAPI.dll

ModLoad: 77c00000 77c48000 C:\WINNT\system32\GDI32.dll

ModLoad: 77380000 77411000 C:\WINNT\system32\USER32.dll

ModLoad: 77f50000 77feb000 C:\WINNT\system32\ADVAPI32.dll

ModLoad: 77c50000 77cef000 C:\WINNT\system32\RPCRT4.dll

ModLoad: 76f50000 76f63000 C:\WINNT\system32\Secur32.dll

ModLoad: 77420000 77523000 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll

ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll

ModLoad: 73070000 73097000 C:\WINNT\system32\WINSPOOL.DRV

ModLoad: 4b3c0000 4b410000 C:\WINNT\system32\MSCTF.dll

ModLoad: 71b70000 71ba6000 C:\WINNT\system32\UxTheme.dll
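The before/after comparison done by eye above can be scripted. The following is an added example, not code from the original post: it parses the "ModLoad: <start> <end> <path>" lines that WinDbg prints when it attaches and reports which modules came up at a different base address, which is what ASLR does once per boot for DLLs linked with /DYNAMICBASE. The sample listings embedded in the script are copied from the Vista and Windows Server 2003 sessions shown above, trimmed to a few modules each.

```python
"""Compare WinDbg ModLoad listings captured before and after a reboot.

Added example (not code from the original post). Parses the
"ModLoad: <start> <end> <path>" lines WinDbg prints on attach and reports
which modules came up at a different base address after a reboot.
"""
import re
from dataclasses import dataclass

MODLOAD_RE = re.compile(r"ModLoad:\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\S+)")


@dataclass(frozen=True)
class Module:
    name: str   # file name only, lower-cased, so path and case differences do not matter
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_modload(listing: str) -> dict:
    """Return {module name: Module} for every ModLoad line in a debugger transcript."""
    mods = {}
    for start, end, path in MODLOAD_RE.findall(listing):
        name = path.rsplit("\\", 1)[-1].lower()
        mods[name] = Module(name, int(start, 16), int(end, 16))
    return mods


def compare_bases(before: str, after: str) -> dict:
    """Map module name -> (old base, new base, moved) for modules present in both listings."""
    b, a = parse_modload(before), parse_modload(after)
    report = {}
    for name in sorted(set(b) & set(a)):
        if b[name].size != a[name].size:
            raise ValueError(f"{name}: mapping size differs, listings are not from the same build")
        report[name] = (b[name].base, a[name].base, b[name].base != a[name].base)
    return report


def relocated(before: str, after: str) -> list:
    """Names of modules whose base address changed between the two sessions."""
    return [n for n, (_, _, moved) in compare_bases(before, after).items() if moved]


def slot_aligned(report: dict) -> bool:
    """Image bases are always 64 KB aligned; Vista's randomized slots are 64 KB apart too."""
    return all(old % 0x10000 == 0 and new % 0x10000 == 0 for old, new, _ in report.values())


# Sample input copied from the listings in this post (trimmed).
VISTA_BEFORE = r"""
ModLoad: 00ab0000 00ac4000 msiexec.exe
ModLoad: 772c0000 773de000 ntdll.dll
ModLoad: 771e0000 772b8000 C:\Windows\system32\kernel32.dll
ModLoad: 768e0000 7699f000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 76790000 768d4000 C:\Windows\system32\ole32.dll
ModLoad: 72950000 72b54000 C:\Windows\System32\msi.dll
"""
VISTA_AFTER = r"""
ModLoad: 005b0000 005c4000 msiexec.exe
ModLoad: 77540000 7765e000 ntdll.dll
ModLoad: 763e0000 764b8000 C:\Windows\system32\kernel32.dll
ModLoad: 776c0000 7777f000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 76290000 763d4000 C:\Windows\system32\ole32.dll
ModLoad: 72c40000 72e44000 C:\Windows\System32\msi.dll
"""
W2K3_BEFORE = r"""
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll
"""
W2K3_AFTER = r"""
ModLoad: 01000000 01014000 C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000 C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000 C:\WINNT\system32\kernel32.dll
ModLoad: 7c8d0000 7d0cf000 C:\WINNT\system32\SHELL32.dll
"""

if __name__ == "__main__":
    for name, (old, new, moved) in compare_bases(VISTA_BEFORE, VISTA_AFTER).items():
        print(f"{name:14} {old:08x} -> {new:08x} {'RELOCATED' if moved else 'same'}")
    print("Vista modules relocated:", relocated(VISTA_BEFORE, VISTA_AFTER))
    print("Win2k3 modules relocated:", relocated(W2K3_BEFORE, W2K3_AFTER))
```

To use it on your own machine, paste the ModLoad output of two debugger sessions (one before and one after a reboot) into the two strings. A module that never moves is either not linked with /DYNAMICBASE or has had its relocations stripped, and is the one an exploit writer will target.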

 

Now I wanted to see what the change in msi.dll is between Win2k3 and Vista, so I dumped both of them using the following command. I knew that there is a new flag on the Vista msi.dll, a dynamic relocation flag in the header of msi.dll, but I guess I was not able to see it because the link.exe I was using was not from the Vista SDK.

C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -headers c:\windows\system32\msi.dll

Microsoft (R) COFF/PE Dumper Version 7.10.2179

Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file c:\windows\system32\msi.dll

PE signature found

File Type: DLL

FILE HEADER VALUES

             14C machine (x86)

               5 number of sections

        4549BD89 time date stamp Thu Nov 02 15:12:33 2006

               0 file pointer to symbol table

               0 number of symbols

              E0 size of optional header

            2102 characteristics

                   Executable

                   32 bit word machine

                   DLL

OPTIONAL HEADER VALUES

             10B magic # (PE32)

            8.00 linker version

          1DAE00 size of code

           25200 size of initialized data

               0 size of uninitialized data

            7B2D entry point (751F7B2D)

            1000 base of code
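The flag in question is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the DllCharacteristics field of the PE optional header, set by linking with /DYNAMICBASE; an image is only relocatable by ASLR if that bit is set and its relocations were not stripped (IMAGE_FILE_RELOCS_STRIPPED, 0x0001, must be clear in the COFF file header). Rather than depend on a particular dumpbin version decoding the field, the header can be read directly. The following is an added example, not code from the original post: a small PE header reader that reports the DllCharacteristics flags and classifies the image. The header bytes it is tested against are constructed in memory (a minimal PE32 header with no sections, using the 0x2102 file characteristics and the 751F0000 image base seen in the dump above); pass the bytes of a real file to the same functions.

```python
"""Decode the PE optional-header DllCharacteristics field and judge ASLR eligibility.

Added example (not code from the original post). The image bytes used for
testing are constructed in memory and are not a real DLL.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PE32, PE32PLUS = 0x10B, 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Return the header fields needed for an ASLR check from a PE image's bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, _nsec, _ts, _symtab, _nsyms, _optsize, file_chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # ImageBase is 4 bytes at +28 in PE32 and 8 bytes at +24 in PE32+, but
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    if magic == PE32:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS,
        "image_base": image_base,
        "file_characteristics": file_chars,
        "dll_characteristics": dll_chars,
        "dll_flags": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
    }


def aslr_status(data: bytes) -> str:
    """Classify what the Vista loader can do with this image."""
    h = parse_pe_headers(data)
    if not h["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return f"fixed: no DYNAMIC_BASE, loads at preferred base {h['image_base']:#x}"
    if h["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        return "fixed: DYNAMIC_BASE set but relocations stripped, cannot be rebased"
    return "randomized: DYNAMIC_BASE set and relocations present"


def build_test_image(dll_chars: int, file_chars: int = 0x2102, image_base: int = 0x751F0000) -> bytes:
    """Constructed minimal PE32 header (no sections) for offline testing; not a real DLL.

    0x2102 (Executable | 32-bit | DLL) and the 751F0000 base match the dump above.
    """
    buf = bytearray(0x40 + 4 + 20 + 0xE0)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 0, 0x4549BD89, 0, 0, 0xE0, file_chars)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, PE32)                                   # magic
    struct.pack_into("<I", buf, opt + 28, image_base)                        # ImageBase
    struct.pack_into("<H", buf, opt + 70, dll_chars)                         # DllCharacteristics
    return bytes(buf)


if __name__ == "__main__":
    for label, img in [("vista-style", build_test_image(0x0040 | 0x0100)),
                       ("legacy", build_test_image(0x0000))]:
        print(label, parse_pe_headers(img)["dll_flags"], "->", aslr_status(img))
```

On a real system the check is `aslr_status(open(r"C:\Windows\System32\msi.dll", "rb").read())`; the Vista build of msi.dll should report DYNAMIC_BASE in its flag list while the Windows Server 2003 build should not.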

 

For more information refer to https://www.microsoft.com/technet/technetmag/issues/2007/04/VistaKernel/default.aspx

 

===============================

 

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.