Hi all,
I’m a newbie and I’d like to study Vista’s ASLR, in particular I’d like
to know which part of the kernel is involved in assigning the address
space to a randomized process, and which part randomizes the stack and
the heap of the process. Someone told me that randomization is
accomplished by the memory manager (maybe MmCreateProcessAddressSpace?),
and someone else told me that only the loader is involved in the process.
Could you please help me :)? Is there a function I can look for?
Thanks a lot to everyone
Polar wrote:
> Hi all,
> I’m a newbie and I’d like to study Vista’s ASLR, in particular I’d like
> to know which part of the kernel is involved in assigning the address
> space to a randomized process, and which part randomizes the stack and
> the heap of the process. Someone told me that randomization is
> accomplished by the memory manager (maybe MmCreateProcessAddressSpace?),
> and someone else told me that only the loader is involved in the process.
> Could you please help me :)? Is there a function I can look for?

MmCreateProcessAddressSpace just creates a page directory. It doesn’t
put anything in it.
http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx
http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx
It isn’t all that complicated. The load address for an exe or dll is
randomized, the start address of the stack is randomized, and the base
address of the heap is randomized. The first two would be handled by
the module loader; the second could be done in user-mode.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
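
Added example, not part of the thread and not Microsoft's code: on Vista the load-address randomization described in the reply above applies to images that opt in through the linker's /DYNAMICBASE option, which sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the PE optional header. The Python below reads that bit, and the relocations-stripped bit, from an image's headers; the names `aslr_status` and `sample_header` and the sample header bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics


def aslr_status(image: bytes) -> dict:
    """Report the header bits that decide whether the loader may relocate an image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # 4-byte PE signature + 20-byte file header
    if opt + 72 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def sample_header(dll_chars: int, characteristics: int = 0x0102,
                  magic: int = 0x10B) -> bytes:
    """Constructed minimal header (not a loadable image) for exercising aslr_status."""
    buf = bytearray(0x80 + 24 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 22, characteristics)
    struct.pack_into("<H", buf, 0x80 + 24, magic)
    struct.pack_into("<H", buf, 0x80 + 24 + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    for label, hdr in (("opted in", sample_header(0x0140)),
                       ("not opted in", sample_header(0x0100))):
        print(label, aslr_status(hdr))
```

To check a real binary, pass the file's bytes, for example `aslr_status(open(path, "rb").read())`.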
Not complicated and …
http://blogs.msdn.com/michael_howard/archive/2005/09/30/475763.aspx … ?!@!
“Tim Roberts” wrote in message news:xxxxx@ntdev…
> Polar wrote:
>
>>Hi all,
>>I’m a newbie and I’d like to study Vista’s ASLR, in particular I’d like
>>to know which part of the kernel is involved in assigning the address
>>space to a randomized process, and which part randomizes the stack and
>>the heap of the process. Someone told me that randomization is
>>accomplished by the memory manager (maybe MmCreateProcessAddressSpace?),
>>and someone else told me that only the loader is involved in the process.
>>Could you please help me :)? Is there a function I can look for?
>>
>>
>
> MmCreateProcessAddressSpace just creates a page directory. It doesn’t
> put anything in it.
>
> http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx
> http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx
>
> It isn’t all that complicated. The load address for an exe or dll is
> randomized, the start address of the stack is randomized, and the base
> address of the heap is randomized. The first two would be handled by
> the module loader; the second could be done in user-mode.
>
> --
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.