{"id":95205,"date":"2017-01-18T07:00:00","date_gmt":"2017-01-18T22:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=95205"},"modified":"2019-03-13T01:04:53","modified_gmt":"2019-03-13T08:04:53","slug":"20170118-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20170118-00\/?p=95205","title":{"rendered":"Does ASLR relocate all DLLs by the same offset?"},"content":{"rendered":"

I’ve seen multiple claims that the Windows implementation of ASLR<\/a> chooses a single random offset and applies that same offset to all DLL base addresses. <\/p>\n

When the operating system loads, it applies a fixed random value to the DLL base<\/a>. … The ASLR doesn’t move DLL randomly. Without ASLR, if you get collisions, then you will get them with ASLR. <\/p><\/blockquote>\n

If two DLLs have base addresses to designed to place them consecutively, they’ll still be consecutive even with ASLR<\/a>. <\/p><\/blockquote>\n

In other words, the claim is that if you have two DLLs, call them DLL1 with base address base1<\/var> and DLL2 with base address base2<\/var>, then, assuming there are no base address collisions with already-loaded DLLs, ASLR will load the two DLLs at base1<\/var> + N<\/var> and base2<\/var> + N<\/var> for some value of N<\/var> (possibly negative). In particular, this means that if base1<\/var> and base2<\/var> are adjacent, then the two DLLs will remain adjacent after ASLR, and if the two DLLs have colliding base addresses, then they will also have colliding base addresses after ASLR. <\/p>\n

But it’s not true, and as far as I can tell, it has never been true. <\/p>\n

ASLR chooses the base address pseudo-randomly, though it does take some of the original base addresses into account. For example, if the original base address was below the 4GB<\/a> boundary, then the new pseudo-random base address will also be below the 4GB boundary. <\/p>\n

But it doesn’t try to preserve relative base addresses. Each DLL is assigned a new pseudo-random base address independently. There is no correlation, or at least there is no conscious effort to correlate them. <\/p>\n","protected":false},"excerpt":{"rendered":"

No.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-95205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"

No.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/95205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=95205"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/95205\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=95205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=95205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=95205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}