DYNAMIC_BASE info

New application security features in Clarion - Clarion (clarionsharp.com)

Clarion 11.13622 Sept. 4, 2020 - ide / Releases - ClarionHub

FEATURE: New DYNAMIC_BASE command in the EXP file and /DYNAMIC_BASE option in the LNK file

This is what MS says on /DYNAMICBASE
/DYNAMICBASE (Use address space layout randomization) | Microsoft Docs

The /DYNAMICBASE option modifies the header of an executable image , a .dll or .exe file, to indicate whether the application should be randomly rebased at load time, and enables virtual address allocation randomization, which affects the virtual memory location of heaps, stacks, and other operating system allocations. The /DYNAMICBASE option applies to both 32-bit and 64-bit images. ASLR is supported on Windows Vista and later operating systems. The option is ignored by earlier operating systems.

By default, /DYNAMICBASE is enabled. To disable this option, use /DYNAMICBASE:NO . The /DYNAMICBASE option is required for the /HIGHENTROPYVA option to have an effect.

We dont have 64bit so the below doesnt apply yet.
/HIGHENTROPYVA (Support 64-Bit ASLR) | Microsoft Docs

/HIGHENTROPYVA modifies the header of an executable image file (for example, a .dll or .exe file), to indicate whether ASLR can use the entire 64-bit address space. To have an effect, set the option on both the executable and all modules that it depends on. Then an operating system that supports 64-bit ASLR can rebase the executable image’s segments at load time by using 64-bit randomized virtual addresses. This large address space makes it more difficult for an attacker to guess the location of a particular memory region.

I think it will be interesting to see just how it modifies the exe or dll. I havent worked out if the MAP file changes or not, but I’ve only got 11.0.13244, havent got any later version so cant tell.

Dumpbin might work on Clarion exe’s, I havent tried yet.
DUMPBIN Reference | Microsoft Docs

/BASE (Base Address) | Microsoft Docs

The /BASE option sets a base address for the program, overriding the default location for an .exe or DLL file. The default base address for an .exe file is 0x400000 for 32-bit images or 0x140000000 for 64-bit images. For a DLL, the default base address is 0x10000000 for 32-bit images or 0x180000000 for 64-bit images. On operating systems that do not support address space layout randomization (ASLR), or when the /DYNAMICBASE:NO option was set, the operating system first attempts to load a program at its specified or default base address. If sufficient space is not available there, the system relocates the program. To prevent relocation, use the /FIXED option.

If you look in the MAP files, (Project folder\map\debug) you will see things like Library is my app/exe name.

Address    offset Type                description
  401508      CB5 Code                ABBREAK_TEXT
  4021C0     7757 Code                ABBROWSE_TEXT
  409918     185B Code                ABEIP_TEXT
  40B174     3B1B Code                ABERROR_TEXT
  40EC90     9B80 Code                ABFILE_TEXT
  418810      28E Code                ABFUZZY_TEXT
  418AA0     28CC Code                ABPOPUP_TEXT
  41B36C     2E2E Code                ABQUERY_TEXT
  41E19C     1D23 Code                ABREPORT_TEXT
  41FEC0     27BA Code                ABRESIZE_TEXT
  42267C       94 Code                ABRPATMG_TEXT
  422710     10C0 Code                ABRPPSEL_TEXT
  4237D0      97D Code                ABTOOLBA_TEXT
  424150     3765 Code                ABUTIL_TEXT
  4278B8     2879 Code                ABWINDOW_TEXT
  42A134     5E40 Code                ABWMFPAR_TEXT
  42FF74     2AD1 Code                BRWEXT_TEXT
  432A48      16B Code                CWSYNCHC_TEXT
  432BB4       23 Code                IEXE32_TEXT
  432BD8     1EAF Code                INIT_TEXT
  434A88       37 Code                INST00_TEXT
  434AC0      D32 Code                LIBRARY001_TEXT
  4357F4      C17 Code                LIBRARY003_TEXT
  43640C       51 Code                LIBRARY004_TEXT
  436460     2B4B Code                LIBRARY005_TEXT

SNIP

  4789AC     421A Code                LIBRARY101_TEXT
  47CBC8     5D35 Code                LIBRARY_BC0_TEXT
  482900     5CB1 Code                LIBRARY_BC1_TEXT
  4885B4      54A Code                LIBRARY_BC2_TEXT
  488B00       5C Code                LIBRARY_BC_TEXT
  488B5C      34E Code                LIBRARY_TEXT

  489000     1290 Initialized Data    $DEFAULTERRORS_DATA
  48A290       6F Initialized Data    ABBREAK_CONST
  48A300      13F Initialized Data    ABBROWSE_CONST
  48A440      DF4 Initialized Data    ABBROWSE_DATA
  48B234       50 Initialized Data    ABEIP_CONST
  48B284       B4 Initialized Data    ABEIP_DATA
  48B338      2AF Initialized Data    ABERROR_CONST
  48B5E8      AD0 Initialized Data    ABERROR_DATA
  48C0B8      6F5 Initialized Data    ABFILE_CONST
  48C7B0      410 Initialized Data    ABFILE_DATA
  48CBC0       B4 Initialized Data    ABFUZZY_DATA
  48CC74      106 Initialized Data    ABPOPUP_CONST
  48CD7C      128 Initialized Data    ABPOPUP_DATA

SNIP

  48ECCC       48 Initialized Data    CWSYNCHC_DATA
  48ED14        E Initialized Data    CWUTIL_CONST
  48ED24       36 Initialized Data    CWUTIL_DATA
  48ED5C       44 Initialized Data    IEXE32_DATA
  48EDA0       A0 Initialized Data    LIBRARY001_CONST
  48EE40      290 Initialized Data    LIBRARY001_DATA

SNIP

  4BBE30      EFA Initialized Data    LIBRARY_CONST
  4BCD2C     1993 Initialized Data    LIBRARY_DATA
  4BE6C0        0 Initialized Data    __CPPINI_CONS
  4BE6C0      DC8 Initialized Data    __CPPINI_CONST
  4BF488        4 Initialized Data    __CPPINI_END
  4BF48C        0 Initialized Data    __INIVMT_CONS
  4BF48C      8E8 Initialized Data    __INIVMT_CONST
  4BFD74        0 Initialized Data    __INIVMT_CONST_END
  4BFD80     1623 Un-initialized Data $FUZZYMATCHER_BSS
  4C13A4       40 Un-initialized Data ABEIP_BSS
  4C13E4      404 Un-initialized Data ABERROR_BSS
  4C17E8       10 Un-initialized Data ABFILE_BSS

SNIP

  4C1900        0 Un-initialized Data CWUTIL_BSS
  4C1900       64 Un-initialized Data LIBRARY001_BSS
  4C1964      284 Un-initialized Data LIBRARY_BSS
  4C2000        8 __T_L_S__DAT
  4C2008     2E54 __T_L_S__DATA
  4C4E5C        0 __T_L_S__DATA_END
  4C4E60        0 __T_L_S__BS
  4C4E60    28804 __T_L_S__BSS
  4ED664        0 __T_L_S__BSS_END

SNIP (the below are some of the methods from the LevelManager Class seen in abbreak.inc)

  401508 EVALUATELEVEL@F17LEVELMANAGERCLASSs
  4015D4 RESTORERESETBUFFER@F17LEVELMANAGERCLASSs
  40168C SAVERESETBUFFER@F17LEVELMANAGERCLASSs
  40176C RESTOREBUFFEROFF@F17LEVELMANAGERCLASS
  4017FC RESTOREBUFFERON@F17LEVELMANAGERCLASS

SNIP

  488B00 DCTKILL@F
  488B28 DCTINIT@F
  488B5C _main
  488CBC DESTRUCT@F10DICTIONARY
  488CE0 CONSTRUCT@F10DICTIONARY

SNIP (below TYPE$ are Classes with the TYPE attribute - Virtual Memory table (VMT) in)

  489000 $DEFAULTERRORS
  48A440 $OVERRIDECHARACTERS
  48A460 $SCROLL:NAME
  48A58C $SCROLL:ALPHA
  48A654 TYPE$BROWSECLASS
  48AA3C TYPE$BROWSEEIPMANAGER
  48AD10 VMT$BROWSEEIPMANAGER
  48ADB8 VMT$BROWSECLASS
  48AF8C TYPE$STANDARDBEHAVIOR
  48AFC8 VMT$STANDARDBEHAVIOR

SNIP

  4DB9BC LIBRARY_BC2$_HIDE:RELATE:VALUEMAX
  4DB9C0 LIBRARY_BC2$_HIDE:ACCESS:VALUEMAX
  4DB9C4 $FILESMANAGER
  4DB9DC $SZDBTEXTLOG
  4DC2D0 WMFINFILE$WMFF@:RECORD
  4DD658 $CLS_COUNTER
  4EE000 __import_section_start
  4F0004 __import_section_end

SNIP (module(‘winapi’) and procedure prototypes )

Imports
ADVAPI32.dll:ConvertSecurityDescriptorToStringSecurityDescriptorA 4EE0D4,401000
ADVAPI32.dll:ConvertSidToStringSidA 4EE0D8,401008
ADVAPI32.dll:GetAce 4EE0DC,401010
ADVAPI32.dll:GetAclInformation 4EE0E0,401018
ADVAPI32.dll:GetExplicitEntriesFromAclA 4EE0E4,401020
ADVAPI32.dll:GetNamedSecurityInfoA 4EE0E8,401028
ADVAPI32.dll:GetSecurityDescriptorControl 4EE0EC,401030
ADVAPI32.dll:GetSecurityInfo 4EE0F0,401038
ADVAPI32.dll:GetUserNameA 4EE0F4,401040
ADVAPI32.dll:IsValidSecurityDescriptor 4EE0F8,401048
ADVAPI32.dll:IsValidSid 4EE0FC,401050
ADVAPI32.dll:LookupAccountSidA 4EE100,401058

SNIP (Clarion dll’s)

ClaASC.dll:ASCII 4EE110
ClaDOS.dll:DOS 4EE120
ClaRUN.dll:Cla$ACCEPTED 4EE510,401060
ClaRUN.dll:Cla$ADDqueue 4EE514
ClaRUN.dll:Cla$ADDqueuekey 4EE518,401068
ClaRUN.dll:Cla$ADDqueueptr 4EE51C
ClaRUN.dll:Cla$ADDqueueskey 4EE520

SNIP (clarion and more Module(winapi) with kernel32.dll and user32.dll

ClaRUN.dll:NewCriticalSection 4EE8C4,401450
ClaRUN.dll:THR$GetInstance 4EE8C8,401458
ClaRUN.dll:VIEWDRIVER 4EE8CC
ClaRUN.dll:_exit 4EE8D0,401460
ClaRUN.dll:_fnsplit 4EE8D4,401468
ClaRUN.dll:_free 4EE8D8
ClaRUN.dll:_malloc 4EE8DC
ClaRUN.dll:__a_chkstk 4EE8E0,401470
ClaRUN.dll:__e_index 4EE8E4,401478
ClaRUN.dll:__e_stack 4EE8E8,401480
ClaRUN.dll:__sysinit 4EE8EC,401488
ClaRUN.dll:__sysstart 4EE8F0,401490
ClaTPS.dll:TOPSPEED 4EE900
KERNEL32.dll:CloseHandle 4EE92C,401498
KERNEL32.dll:CreateProcessA 4EE930,4014A0
KERNEL32.dll:GetCurrentProcess 4EE934,4014A8
KERNEL32.dll:GetLastError 4EE938,4014B0
KERNEL32.dll:LocalFree 4EE93C,4014B8
KERNEL32.dll:MulDiv 4EE940,4014C0
KERNEL32.dll:OutputDebugStringA 4EE944,4014C8
KERNEL32.dll:Sleep 4EE948,4014D0
USER32.dll:CloseDesktop 4EE96C,4014D8
USER32.dll:EnumWindows 4EE970,4014E0
USER32.dll:GetWindowTextA 4EE974,4014E8
USER32.dll:GetWindowThreadProcessId 4EE978,4014F0
USER32.dll:OpenDesktopA 4EE97C,4014F8
USER32.dll:WaitForInputIdle 4EE980,401500

SNIP

Line numbers for Library.clw
  1138:  488B87  1141:  488B94  1143:  488BB3  1145:  488BBA
  1147:  488BCF  1148:  488BD9  1149:  488BE7  1150:  488BF5
  1151:  488C19  1152:  488C1E  1153:  488C4E  1155:  488C53
  1156:  488C58  1157:  488C66  1158:  488C70  1159:  488C7A

SNIP

Line numbers for ABQUERY.CLW
   374:  41B36C   375:  41B388   375:  41B39F   376:  41B3A4
   376:  41B3D6   377:  41B3DB   377:  41B42F   378:  41B431
   379:  41B48B   380:  41B491   344:  41B4B0   345:  41B4CD

Entry Point: 432BB4

So working from the bottom up
Entry Point for this EXE is 432BB4 which further up the map file shows
432BB4 23 Code IEXE32_TEXT

The Clarion help doc page Module Definition Files (.EXP Files) explains about the .exp file, but there isnt too much info on the .map file which is what the compiler seems to use.

Anyway I wonder if the /Dynamic_base will alter these addresses seen in the map file when its toggled. Does anyone know?

Edit Found this discussion on dynamic base as well.
New application security features in Clarion - Clarion - marketplace / clarionsharp.com/blog/ - ClarionHub

This blog post might be useful too
/DYNAMICBASE and /NXCOMPAT - C++ Team Blog (microsoft.com)

Found what appears to be a useful tool for rebasing DLL’s.
Massive Rebase: DLL Sharing and ASLR Investigation (tmurgent.com)

In the clarion help docs " Set DLL Image Base Memory Address" or search for “Rebase” it says

The base address of a DLL is the preferred location in your application’s virtual memory address space where the loader attempts to place the DLL. It is generally specified at link time and used by the linker to write address pointers into the DLL binary . If a DLL cannot load at its preferred base address because the memory region required is already occupied, the loader relocates the DLL elsewhere in virtual memory, then updates all of the address pointers in the DLL to adjust them for the new base address

The bold bit sounds a bit like default ASLR, now I havent tried this yet with the rebasing template but I’m thinking if I make all my DLL’s the same lowest address allowed then they will be forced to relocate and this could be different every time a clarion exe is run.

Now the help doc’s also go on to say

It is best to base DLLs from the top of the address range down, instead of from the bottom up. Dynamic memory is allocated from the bottom up and if a DLL tries to load where dynamic memory has been allocated, it will be relocated, just as if a DLL was loaded at that address.

Windows ASLR settings by default (see Exploit Protection) has Bottom Up ASLR, so it sounds an awful lot like this has been around since for ever but its simply not been called ASLR until Win7.
There is a bit of ASLR history here: Turn on Mandatory ASLR in Windows Security - Microsoft Tech Community

It also sounds like an ASLR dynamic base effect can be had in older apps. I dont know when the rebasing template was introduced and when the IMAGE_BASE ########h appeared as an option in the EXPort files, but unofficial ASLR/dynamic base might go back quite a few versions, its certainly there in C6 but it might go back all the way to CW1.5 !?!

A properly based DLL can be demand loaded from disk, so it consumes no page file memory and can be shared.

This sounds like its referring to LoadLibrary which then introduces pitfalls, ie a DLL which can be shared, but if link loaded it will appear in the page file memory which is the virtual disk.
Provided you have the ram even with a spin disk, I’ve never seen the benefit of virtual memory so if you want to switch it off, this link has a few methods except the registry
Manage Virtual Memory Pagefile in Windows 10 | Tutorials (tenforums.com)
However the registry method here will probably still work on Win10, but I’ve not tried it yet.
Changing the Location of the Pagefile | Microsoft Docs

The key & multi string exist in win10 so this will probably work
Key Name: *HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management*
Value Name: PagingFiles
Type: REG_MULT_SZ
Data: C:\pagefile.sys 0 0

Obviously when the rebasing template was done in Clarion C6 times ie early 00’s, hardware and OS wasn’t as optimised and fast as it is now so but I do wonder if the rebasing craze made it easier to hack computers?

The flip side is, rebasing would make it very predictable, if done properly, to find the DLL’s loaded in memory to then do an attack, so I’m left thinking making all the DLL’s have the same low rebase address is the best option.

If I get time I’ll use the Massive Rebase tool to find out, unless someone else already knows?

One other attack vector is fast startup which is the hibernation file, again when the computer is off, if you have the Intel Management Engine in your cpu you could lift the pagefile.sys and hibernation file so it could pay to switch off the fast boot and disable hibernate options to eliminate the existence of hibernation file. Bitlocker encrypting the harddrive could help, but thats provided these files are also encrypted, some professionals suggest having them on their own partition without bitlocker encryption, but then these sys files become an attack vector which has been around since the dos days, also showing nothing much has changed! :roll_eyes:

IIRC it’s going to affect the DLLCharacteristics field in the PE optional header

If you build the same exe with different flags then DumpBin should be able to show the differences as you change compile settings.
There’s nothing special about the flags themselves, it’s just a GUI front end to the different fields in the PE file. You can rebase any DLL post-compile with an external utility, I was doing it years ago with C5

I see at the MS link you supplied its got
0x0040 This flag is reserved for future use.

and yet this link has it listed
IMAGE_OPTIONAL_HEADER32 (winnt.h) - Win32 apps | Microsoft Docs

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040

But even without this attribute, if you had a multi dll all with the same base address or no address the OS had to relocate them so its been going for in one form or another for years, but I havent done any test to see if there is a specific difference with dynamic base or not but if I find any I’ll post back. :grinning:

For a 3rd party DLL if the DLL has been Code Signed then Rebasing after that (EditBin.exe /Rebase or Rebase.exe) will cause the Digital Signature check to fail.

You have to remove the Publishers Code Signing (aka UnSign), then Rebase, then sign with your own Certificate, or leave unsigned.