New application security features in Clarion - Clarion (clarionsharp.com)
Clarion 11.13622 Sept. 4, 2020 - ide / Releases - ClarionHub
FEATURE: New DYNAMIC_BASE command in the EXP file and /DYNAMIC_BASE option in the LNK file
This is what MS says on /DYNAMICBASE
/DYNAMICBASE (Use address space layout randomization) | Microsoft Docs
The /DYNAMICBASE option modifies the header of an executable image , a .dll or .exe file, to indicate whether the application should be randomly rebased at load time, and enables virtual address allocation randomization, which affects the virtual memory location of heaps, stacks, and other operating system allocations. The /DYNAMICBASE option applies to both 32-bit and 64-bit images. ASLR is supported on Windows Vista and later operating systems. The option is ignored by earlier operating systems.
By default, /DYNAMICBASE is enabled. To disable this option, use /DYNAMICBASE:NO . The /DYNAMICBASE option is required for the /HIGHENTROPYVA option to have an effect.
We don't have 64-bit so the below doesn't apply yet.
/HIGHENTROPYVA (Support 64-Bit ASLR) | Microsoft Docs
/HIGHENTROPYVA modifies the header of an executable image file (for example, a .dll or .exe file), to indicate whether ASLR can use the entire 64-bit address space. To have an effect, set the option on both the executable and all modules that it depends on. Then an operating system that supports 64-bit ASLR can rebase the executable image's segments at load time by using 64-bit randomized virtual addresses. This large address space makes it more difficult for an attacker to guess the location of a particular memory region.
I think it will be interesting to see just how it modifies the exe or dll. I haven't worked out if the MAP file changes or not, but I've only got 11.0.13244 and haven't got any later version, so I can't tell.
Dumpbin might work on Clarion exes; I haven't tried yet.
DUMPBIN Reference | Microsoft Docs
/BASE (Base Address) | Microsoft Docs
The /BASE option sets a base address for the program, overriding the default location for an .exe or DLL file. The default base address for an .exe file is 0x400000 for 32-bit images or 0x140000000 for 64-bit images. For a DLL, the default base address is 0x10000000 for 32-bit images or 0x180000000 for 64-bit images. On operating systems that do not support address space layout randomization (ASLR), or when the /DYNAMICBASE:NO option was set, the operating system first attempts to load a program at its specified or default base address. If sufficient space is not available there, the system relocates the program. To prevent relocation, use the /FIXED option.
If you look in the MAP files (Project folder\map\debug) you will see things like the following. Library is my app/exe name.
Address offset Type description
401508 CB5 Code ABBREAK_TEXT
4021C0 7757 Code ABBROWSE_TEXT
409918 185B Code ABEIP_TEXT
40B174 3B1B Code ABERROR_TEXT
40EC90 9B80 Code ABFILE_TEXT
418810 28E Code ABFUZZY_TEXT
418AA0 28CC Code ABPOPUP_TEXT
41B36C 2E2E Code ABQUERY_TEXT
41E19C 1D23 Code ABREPORT_TEXT
41FEC0 27BA Code ABRESIZE_TEXT
42267C 94 Code ABRPATMG_TEXT
422710 10C0 Code ABRPPSEL_TEXT
4237D0 97D Code ABTOOLBA_TEXT
424150 3765 Code ABUTIL_TEXT
4278B8 2879 Code ABWINDOW_TEXT
42A134 5E40 Code ABWMFPAR_TEXT
42FF74 2AD1 Code BRWEXT_TEXT
432A48 16B Code CWSYNCHC_TEXT
432BB4 23 Code IEXE32_TEXT
432BD8 1EAF Code INIT_TEXT
434A88 37 Code INST00_TEXT
434AC0 D32 Code LIBRARY001_TEXT
4357F4 C17 Code LIBRARY003_TEXT
43640C 51 Code LIBRARY004_TEXT
436460 2B4B Code LIBRARY005_TEXT
SNIP
4789AC 421A Code LIBRARY101_TEXT
47CBC8 5D35 Code LIBRARY_BC0_TEXT
482900 5CB1 Code LIBRARY_BC1_TEXT
4885B4 54A Code LIBRARY_BC2_TEXT
488B00 5C Code LIBRARY_BC_TEXT
488B5C 34E Code LIBRARY_TEXT
489000 1290 Initialized Data $DEFAULTERRORS_DATA
48A290 6F Initialized Data ABBREAK_CONST
48A300 13F Initialized Data ABBROWSE_CONST
48A440 DF4 Initialized Data ABBROWSE_DATA
48B234 50 Initialized Data ABEIP_CONST
48B284 B4 Initialized Data ABEIP_DATA
48B338 2AF Initialized Data ABERROR_CONST
48B5E8 AD0 Initialized Data ABERROR_DATA
48C0B8 6F5 Initialized Data ABFILE_CONST
48C7B0 410 Initialized Data ABFILE_DATA
48CBC0 B4 Initialized Data ABFUZZY_DATA
48CC74 106 Initialized Data ABPOPUP_CONST
48CD7C 128 Initialized Data ABPOPUP_DATA
SNIP
48ECCC 48 Initialized Data CWSYNCHC_DATA
48ED14 E Initialized Data CWUTIL_CONST
48ED24 36 Initialized Data CWUTIL_DATA
48ED5C 44 Initialized Data IEXE32_DATA
48EDA0 A0 Initialized Data LIBRARY001_CONST
48EE40 290 Initialized Data LIBRARY001_DATA
SNIP
4BBE30 EFA Initialized Data LIBRARY_CONST
4BCD2C 1993 Initialized Data LIBRARY_DATA
4BE6C0 0 Initialized Data __CPPINI_CONS
4BE6C0 DC8 Initialized Data __CPPINI_CONST
4BF488 4 Initialized Data __CPPINI_END
4BF48C 0 Initialized Data __INIVMT_CONS
4BF48C 8E8 Initialized Data __INIVMT_CONST
4BFD74 0 Initialized Data __INIVMT_CONST_END
4BFD80 1623 Un-initialized Data $FUZZYMATCHER_BSS
4C13A4 40 Un-initialized Data ABEIP_BSS
4C13E4 404 Un-initialized Data ABERROR_BSS
4C17E8 10 Un-initialized Data ABFILE_BSS
SNIP
4C1900 0 Un-initialized Data CWUTIL_BSS
4C1900 64 Un-initialized Data LIBRARY001_BSS
4C1964 284 Un-initialized Data LIBRARY_BSS
4C2000 8 __T_L_S__DAT
4C2008 2E54 __T_L_S__DATA
4C4E5C 0 __T_L_S__DATA_END
4C4E60 0 __T_L_S__BS
4C4E60 28804 __T_L_S__BSS
4ED664 0 __T_L_S__BSS_END
SNIP (the below are some of the methods from the LevelManager Class seen in abbreak.inc)
401508 EVALUATELEVEL@F17LEVELMANAGERCLASSs
4015D4 RESTORERESETBUFFER@F17LEVELMANAGERCLASSs
40168C SAVERESETBUFFER@F17LEVELMANAGERCLASSs
40176C RESTOREBUFFEROFF@F17LEVELMANAGERCLASS
4017FC RESTOREBUFFERON@F17LEVELMANAGERCLASS
SNIP
488B00 DCTKILL@F
488B28 DCTINIT@F
488B5C _main
488CBC DESTRUCT@F10DICTIONARY
488CE0 CONSTRUCT@F10DICTIONARY
SNIP (below, the TYPE$ entries are classes with the TYPE attribute, and the VMT$ entries are their virtual method tables (VMTs))
489000 $DEFAULTERRORS
48A440 $OVERRIDECHARACTERS
48A460 $SCROLL:NAME
48A58C $SCROLL:ALPHA
48A654 TYPE$BROWSECLASS
48AA3C TYPE$BROWSEEIPMANAGER
48AD10 VMT$BROWSEEIPMANAGER
48ADB8 VMT$BROWSECLASS
48AF8C TYPE$STANDARDBEHAVIOR
48AFC8 VMT$STANDARDBEHAVIOR
SNIP
4DB9BC LIBRARY_BC2$_HIDE:RELATE:VALUEMAX
4DB9C0 LIBRARY_BC2$_HIDE:ACCESS:VALUEMAX
4DB9C4 $FILESMANAGER
4DB9DC $SZDBTEXTLOG
4DC2D0 WMFINFILE$WMFF@:RECORD
4DD658 $CLS_COUNTER
4EE000 __import_section_start
4F0004 __import_section_end
SNIP (module('winapi') and procedure prototypes)
Imports
ADVAPI32.dll:ConvertSecurityDescriptorToStringSecurityDescriptorA 4EE0D4,401000
ADVAPI32.dll:ConvertSidToStringSidA 4EE0D8,401008
ADVAPI32.dll:GetAce 4EE0DC,401010
ADVAPI32.dll:GetAclInformation 4EE0E0,401018
ADVAPI32.dll:GetExplicitEntriesFromAclA 4EE0E4,401020
ADVAPI32.dll:GetNamedSecurityInfoA 4EE0E8,401028
ADVAPI32.dll:GetSecurityDescriptorControl 4EE0EC,401030
ADVAPI32.dll:GetSecurityInfo 4EE0F0,401038
ADVAPI32.dll:GetUserNameA 4EE0F4,401040
ADVAPI32.dll:IsValidSecurityDescriptor 4EE0F8,401048
ADVAPI32.dll:IsValidSid 4EE0FC,401050
ADVAPI32.dll:LookupAccountSidA 4EE100,401058
SNIP (Clarion DLLs)
ClaASC.dll:ASCII 4EE110
ClaDOS.dll:DOS 4EE120
ClaRUN.dll:Cla$ACCEPTED 4EE510,401060
ClaRUN.dll:Cla$ADDqueue 4EE514
ClaRUN.dll:Cla$ADDqueuekey 4EE518,401068
ClaRUN.dll:Cla$ADDqueueptr 4EE51C
ClaRUN.dll:Cla$ADDqueueskey 4EE520
SNIP (Clarion and more module('winapi') with kernel32.dll and user32.dll)
ClaRUN.dll:NewCriticalSection 4EE8C4,401450
ClaRUN.dll:THR$GetInstance 4EE8C8,401458
ClaRUN.dll:VIEWDRIVER 4EE8CC
ClaRUN.dll:_exit 4EE8D0,401460
ClaRUN.dll:_fnsplit 4EE8D4,401468
ClaRUN.dll:_free 4EE8D8
ClaRUN.dll:_malloc 4EE8DC
ClaRUN.dll:__a_chkstk 4EE8E0,401470
ClaRUN.dll:__e_index 4EE8E4,401478
ClaRUN.dll:__e_stack 4EE8E8,401480
ClaRUN.dll:__sysinit 4EE8EC,401488
ClaRUN.dll:__sysstart 4EE8F0,401490
ClaTPS.dll:TOPSPEED 4EE900
KERNEL32.dll:CloseHandle 4EE92C,401498
KERNEL32.dll:CreateProcessA 4EE930,4014A0
KERNEL32.dll:GetCurrentProcess 4EE934,4014A8
KERNEL32.dll:GetLastError 4EE938,4014B0
KERNEL32.dll:LocalFree 4EE93C,4014B8
KERNEL32.dll:MulDiv 4EE940,4014C0
KERNEL32.dll:OutputDebugStringA 4EE944,4014C8
KERNEL32.dll:Sleep 4EE948,4014D0
USER32.dll:CloseDesktop 4EE96C,4014D8
USER32.dll:EnumWindows 4EE970,4014E0
USER32.dll:GetWindowTextA 4EE974,4014E8
USER32.dll:GetWindowThreadProcessId 4EE978,4014F0
USER32.dll:OpenDesktopA 4EE97C,4014F8
USER32.dll:WaitForInputIdle 4EE980,401500
SNIP
Line numbers for Library.clw
1138: 488B87 1141: 488B94 1143: 488BB3 1145: 488BBA
1147: 488BCF 1148: 488BD9 1149: 488BE7 1150: 488BF5
1151: 488C19 1152: 488C1E 1153: 488C4E 1155: 488C53
1156: 488C58 1157: 488C66 1158: 488C70 1159: 488C7A
SNIP
Line numbers for ABQUERY.CLW
374: 41B36C 375: 41B388 375: 41B39F 376: 41B3A4
376: 41B3D6 377: 41B3DB 377: 41B42F 378: 41B431
379: 41B48B 380: 41B491 344: 41B4B0 345: 41B4CD
Entry Point: 432BB4
So working from the bottom up
Entry Point for this EXE is 432BB4 which further up the map file shows
432BB4 23 Code IEXE32_TEXT
The Clarion help doc page Module Definition Files (.EXP Files) explains about the .exp file, but there isn't too much info on the .map file, which is what the compiler seems to use.
Anyway, I wonder if /DYNAMIC_BASE will alter these addresses seen in the map file when it's toggled. Does anyone know?
Edit: Found this discussion on dynamic base as well.
New application security features in Clarion - Clarion - marketplace / clarionsharp.com/blog/ - ClarionHub
This blog post might be useful too
/DYNAMICBASE and /NXCOMPAT - C++ Team Blog (microsoft.com)
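A quick way to see what the linker option actually touches is to read the header bits it sets. The following is an added example (not code from the post, from ClarionHub, or from Clarion itself): it parses the COFF file header and the optional header of a PE file and reports the DllCharacteristics bits that /DYNAMICBASE (0x0040), /HIGHENTROPYVA (0x0020) and /NXCOMPAT (0x0100) set, plus the IMAGE_FILE_RELOCS_STRIPPED bit that /FIXED sets, which matters because the loader cannot move an image that has no relocations even when the dynamic-base bit is on. It also shows how a MAP address relates to what you see at run time: the MAP lists image base plus RVA, so the entry point 432BB4 above is 0x400000 + 0x32BB4, and under ASLR only the base part changes. The minimal PE header it builds when run without arguments is constructed here for offline use and mirrors the post's base and entry point; the run-time base 0x1A30000 is a hypothetical value chosen for illustration.

```python
"""Added example: read the PE header bits that /DYNAMICBASE, /HIGHENTROPYVA,
/NXCOMPAT and /FIXED control, and relate a link-time MAP address to the
address seen once ASLR has rebased the image. Not part of the original post
or of Clarion; it works on any PE file (python pe_flags.py MyApp.exe)."""
import struct
import sys

# Flag values from winnt.h.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA
DLLCHAR_DYNAMIC_BASE = 0x0040      # /DYNAMICBASE
DLLCHAR_NX_COMPAT = 0x0100         # /NXCOMPAT
FILE_RELOCS_STRIPPED = 0x0001      # set by /FIXED: no .reloc, image cannot move
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and optional header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, _, _, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dynamic_base = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "entry_point": image_base + entry_rva,   # what the MAP prints as Entry Point
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only honour DYNAMIC_BASE if relocations survived linking.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def runtime_address(map_address: int, link_base: int, load_base: int) -> int:
    """A MAP address is link_base + RVA; ASLR keeps the RVA and changes the base."""
    return load_base + (map_address - link_base)


def build_header(*, image_base=0x400000, entry_rva=0x32BB4,
                 dll_chars=0, file_chars=0x0102) -> bytes:
    """Constructed minimal PE32 header (no sections) so the script runs offline.
    Defaults mirror the post's MAP: base 0x400000, Entry Point 432BB4."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, file_chars)   # i386, no sections
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:   # no file given: use the constructed header with DYNAMIC_BASE and NX_COMPAT set
        data = build_header(dll_chars=DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)
    info = inspect_pe(data)
    for key, value in info.items():
        shown = f"{value:#x}" if type(value) is int else str(value)
        print(f"{key:16} {shown}")
    # If the loader picked 0x1A30000 (hypothetical) instead of 0x400000, the entry
    # point the MAP lists as 432BB4 would execute at load_base + 0x32BB4:
    print(f"entry at run time: {runtime_address(0x432BB4, 0x400000, 0x1A30000):#x}")
```

On a real Clarion build, run it against the EXE from a project linked with and without the new option and diff the output; the MAP addresses should stay as they are, and only the dynamic_base line should flip. The same bits are what dumpbin /headers prints under "DLL characteristics" as "Dynamic base", "High Entropy Virtual Addresses" and "NX compatible", with "Relocations stripped" appearing in the file header section if /FIXED was used.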