ASLR (Address space layout randomization)
ASLR, also often referred to as DYNAMICBASE, modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS.
ASLR is transparent to your application. With ASLR, the only difference is the OS will rebase the executable unconditionally, instead of doing it only when a base image conflict exists. ASLR is supported only on Windows Vista and later operating systems, it is ignored on older OS versions.
So it's a security feature. ASLR was invented in the early 00s, but maybe the idea and practice have actually existed for several decades beforehand.
Address space layout randomization - Wikipedia
So ASLR has been around since 2005; the hack is basically scanning certain locations in memory to extract pertinent info like username & password, DB connection strings, web page URLs to access secure websites, things like that.
MS introduced it in Vista.
Windows Vista - Wikipedia
Microsoft began work on Windows Vista, known at the time by its codename “Longhorn”, in May 2001, five months before the release of Windows XP. It was originally expected to ship in late 2003 as a minor step between Windows XP and “Blackcomb”, which was planned to be the company’s next major operating system release (which would eventually be released as Windows 7). Gradually, “Longhorn” assimilated many of the important new features and technologies slated for Blackcomb, resulting in the release date being pushed back several times in three years.
Vista reaches the public in:
Windows Vista build 5824 (October 17, 2006) was supposed to be the RTM release, but a bug, which destroyed any system that was upgraded from Windows XP, prevented this, damaging development and lowering the chance that it would hit its January 2007 deadline.
Development of Windows Vista came to an end when Microsoft announced that it had been finalized on November 8, 2006, and was concluded by co-president of Windows development, Jim Allchin. The RTM’s build number had also jumped to 6000 to reflect Vista’s internal version number, NT 6.0. Jumping RTM build numbers is common practice among consumer-oriented Windows versions, like Windows 98 (build 1998), Windows 98 SE (build 2222), Windows Me (build 3000) or Windows XP (build 2600), as compared to the business-oriented versions like Windows 2000 (build 2195) or Server 2003 (build 3790). On November 16, 2006, Microsoft made the final build available to MSDN and Technet Plus subscribers. A business-oriented Enterprise edition was made available to volume license customers on November 30, 2006. Windows Vista was launched for general customer availability on January 30, 2007.
So in a way, ASLR from MS wasn't far behind Linux, which is encouraging, but someone already had the idea and a patch written by July 2001 in the Linux arena. I don't know how long the idea to scan memory has been around, but it probably goes back decades, as this was the way to get info out of old computing devices, before permanent storage media started to appear.
But I've also noticed a copy of Windows RAM gets written down to a hibernation file depending on what S2-4 state it's in. I would expect this hibernation.sys file to be encrypted, but how hard would it be to decrypt a hibernation file, especially if pertinent parts of the OS still load into memory in the same place, unaffected by any ASLR setting?
It also occurred to me that the same technique used in ASLR could equally apply to runtime files used by IDEs and languages like Clarion, Delphi and WinDev.
The same principle applies: decrypt/understand the format of the runtime, i.e. New Executable (NE), Portable Executable (PE), maybe even using a shim DLL to harvest the parameters being passed between DLL procedures, and you can shed more light on the data being passed around between different DLL files, even Windows API DLLs.
How hard would it be to then extract pertinent info from these files, instead of using the ASLR route?
Sure, some forms of hacking require more expenditure than others, but when reading this claim from a major AV company, Norton's developer Symantec, that AV misses 55% of attacks, so they now need to concentrate on hacks, I wonder just how successful they have been, considering this article is about 7 years old today?
Antivirus software is dead, says security expert at Symantec | Malware | The Guardian
Antivirus software is dead, says security expert at Symantec
This article is more than 6 years old
Information chief at Norton developer says software in general misses 55% of attacks and its future lies in responding to hacks
So I wonder what other ideas have existed for decades which we are yet to find out about that could affect computer security. I've always been fascinated by the learning process, what gets taught and what doesn't, leaving gaps in people's knowledge which can then be exploited and profited from by being first to market and not getting caught, so to speak.
I wonder if it would be possible to build a process, maybe a class or template, or both, which could obfuscate pertinent data held in memory, like DB connection strings, by doing out-of-the-ordinary things not expected, because I don't have much faith in moving pertinent data held in memory using the ASLR method; it seems a bit crude to make an app load into a different part of memory every time an instance is started, imo.
Edit. It's also possible to achieve ASLR in any app since CW1.0 or CW1.5, but it might be a tad slower than the SV and MS options, depending on how it's approached.
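The post says DYNAMICBASE "modifies the header of an executable"; concretely it is one bit in the DllCharacteristics field of the PE optional header. The following is an added example, not code from the post, Microsoft or any Clarion runtime, that reads that bit from a PE image in memory and also checks the caveat a practitioner cares about: if the linker stripped relocations (IMAGE_FILE_RELOCS_STRIPPED in the COFF header), the loader cannot rebase the image no matter what the flag says. Offsets and flag values are from the PE/COFF specification; the sample image is constructed in build_sample_pe with only enough header bytes for the check (no sections).

```c
/* Added example: inspect a PE image's ASLR-related header bits.
 * Not code from the original post or from Microsoft; the sample
 * image bytes below are constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_DLLCHAR_HIGH_ENTROPY_VA 0x0020   /* 64-bit ASLR entropy (PE32+ only) */
#define PE_DLLCHAR_DYNAMIC_BASE    0x0040   /* /DYNAMICBASE */
#define PE_DLLCHAR_NX_COMPAT       0x0100   /* /NXCOMPAT (DEP) */
#define PE_FILE_RELOCS_STRIPPED    0x0001   /* COFF Characteristics: no .reloc data */
#define SAMPLE_PE_SIZE 512

enum aslr_status { ASLR_BAD_IMAGE = -1, ASLR_OFF = 0, ASLR_ON = 1, ASLR_FLAG_BUT_NO_RELOCS = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS header -> "PE\0\0" -> COFF header -> optional header and
 * classify the image. Every offset is bounds-checked against len. */
enum aslr_status pe_aslr_status(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return ASLR_BAD_IMAGE;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    /* need signature(4) + COFF header(20) + 72 bytes of optional header */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return ASLR_BAD_IMAGE;
    const uint8_t *pe = img + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return ASLR_BAD_IMAGE;
    const uint8_t *coff = pe + 4;
    uint16_t size_opt = rd16(coff + 16);                /* SizeOfOptionalHeader */
    uint16_t characteristics = rd16(coff + 18);         /* Characteristics */
    if (size_opt < 72) return ASLR_BAD_IMAGE;
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return ASLR_BAD_IMAGE;  /* PE32 / PE32+ */
    /* DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts */
    uint16_t dllchar = rd16(opt + 70);
    if (!(dllchar & PE_DLLCHAR_DYNAMIC_BASE)) return ASLR_OFF;
    if (characteristics & PE_FILE_RELOCS_STRIPPED) return ASLR_FLAG_BUT_NO_RELOCS;
    return ASLR_ON;
}

/* Constructed minimal image: DOS stub, PE signature, COFF header and the
 * first 72 bytes of the optional header. Enough for the check, nothing else. */
size_t build_sample_pe(uint8_t *buf, int pe32plus, int dynamic_base, int relocs_stripped)
{
    memset(buf, 0, SAMPLE_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                                   /* e_lfanew = 0x80 */
    uint8_t *pe = buf + 0x80;
    memcpy(pe, "PE\0\0", 4);
    uint8_t *coff = pe + 4;
    coff[0] = pe32plus ? 0x64 : 0x4c;                   /* Machine: AMD64 or I386 */
    coff[1] = pe32plus ? 0x86 : 0x01;
    coff[16] = pe32plus ? 240 : 224;                    /* SizeOfOptionalHeader */
    uint16_t ch = 0x0002 | (relocs_stripped ? PE_FILE_RELOCS_STRIPPED : 0); /* EXECUTABLE_IMAGE */
    coff[18] = (uint8_t)(ch & 0xff); coff[19] = (uint8_t)(ch >> 8);
    uint8_t *opt = coff + 20;
    uint16_t magic = pe32plus ? 0x20b : 0x10b;
    opt[0] = (uint8_t)(magic & 0xff); opt[1] = (uint8_t)(magic >> 8);
    uint16_t dc = PE_DLLCHAR_NX_COMPAT | (dynamic_base ? PE_DLLCHAR_DYNAMIC_BASE : 0);
    opt[70] = (uint8_t)(dc & 0xff); opt[71] = (uint8_t)(dc >> 8);
    return SAMPLE_PE_SIZE;
}

int main(void)
{
    static const char *names[] = {"bad image", "ASLR off", "ASLR on",
                                  "DYNAMICBASE set but relocations stripped"};
    uint8_t img[SAMPLE_PE_SIZE];
    build_sample_pe(img, 1, 1, 0);
    printf("PE32+ with DYNAMICBASE:     %s\n", names[pe_aslr_status(img, sizeof img) + 1]);
    build_sample_pe(img, 0, 0, 0);
    printf("PE32 without DYNAMICBASE:   %s\n", names[pe_aslr_status(img, sizeof img) + 1]);
    build_sample_pe(img, 0, 1, 1);
    printf("PE32 flag but no relocs:    %s\n", names[pe_aslr_status(img, sizeof img) + 1]);
    return 0;
}
```

To run it against a real file, read the whole executable into a buffer and pass it to pe_aslr_status; the same layout holds for EXEs and DLLs, so a runtime DLL shipped without the flag is exactly the kind of module that still loads at its preferred base even on Vista and later.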
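On the two points raised above about memory scanning for connection strings and about a class that obfuscates such data in memory: ASLR moves where code and data land, but a scan for the bytes "Server=" or "Password=" does not depend on addresses at all, so the rebase does nothing against it. What does defeat a plain string scan is never leaving the plaintext resident. The following is an added example, not code from the post or from any Clarion, Delphi or WinDev runtime; it is a portable stand-in for Windows CryptProtectMemory. It first runs the attacker's primitive (a byte search over a buffer) against a naive char array, then against a holder that keeps the secret XOR'd with a process-local key and unmasks it only into a short-lived buffer that is zeroed afterwards. The connection string and the key bytes are constructed placeholders; real code must fill the key from a CSPRNG (BCryptGenRandom or getrandom). The honest caveat: the key lives in the same process, so anyone who understands the struct layout can unmask it; this raises the bar against pattern scanning of RAM or a hibernation file, it is not encryption against a determined analyst.

```c
/* Added example: in-memory secret masking versus a naive string scan.
 * Not code from the original post or from any vendor runtime; sample
 * secret and key below are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECRET_MAX 128
#define KEY_LEN 16

typedef struct {
    uint8_t key[KEY_LEN];        /* process-local key; CSPRNG in real code */
    uint8_t masked[SECRET_MAX];  /* plaintext XOR key, never the plaintext */
    size_t  len;
} masked_secret;

/* The attacker's primitive: search arbitrary bytes for a marker such as
 * "Server=" or "Password=". Returns the offset or -1. */
long mem_find(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n) return -1;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Zero a buffer through a volatile pointer so the compiler cannot elide it. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Store the secret masked; the plaintext is never copied into the struct. */
int secret_store(masked_secret *s, const uint8_t *key, const char *plaintext)
{
    size_t n = strlen(plaintext);
    if (n > SECRET_MAX) return 0;
    memset(s, 0, sizeof *s);
    memcpy(s->key, key, KEY_LEN);
    for (size_t i = 0; i < n; i++)
        s->masked[i] = (uint8_t)plaintext[i] ^ s->key[i % KEY_LEN];
    s->len = n;
    return 1;
}

/* Unmask into the caller's buffer for the few instructions that need it;
 * the caller owns the lifetime and must secure_zero() it afterwards. */
size_t secret_reveal(const masked_secret *s, char *out, size_t out_len)
{
    if (out_len < s->len + 1) return 0;
    for (size_t i = 0; i < s->len; i++)
        out[i] = (char)(s->masked[i] ^ s->key[i % KEY_LEN]);
    out[s->len] = '\0';
    return s->len;
}

/* Run the scan over the holder's own bytes, as a memory dump would see them. */
long scan_masked_holder(const masked_secret *s, const char *needle)
{
    return mem_find((const uint8_t *)s, sizeof *s, needle);
}

int main(void)
{
    /* Constructed sample secret and placeholder key (high bit set in every
     * byte so the masked form can never contain ASCII; a real key is random). */
    const char *conn = "Server=db01;Database=orders;User Id=app;Password=hunter2;";
    const uint8_t key[KEY_LEN] = {0xA5,0xC3,0x9E,0xF1,0x88,0xB7,0xDA,0xE4,
                                  0x93,0xAC,0xFB,0x85,0xC9,0xD6,0xB2,0xEF};
    char naive[SECRET_MAX];
    masked_secret s;
    char out[SECRET_MAX + 1];

    memset(naive, 0, sizeof naive);
    strcpy(naive, conn);   /* the usual way: plaintext sits in RAM for the process lifetime */
    printf("naive buffer:  'Password=' found at offset %ld\n",
           mem_find((const uint8_t *)naive, sizeof naive, "Password="));

    secret_store(&s, key, conn);
    printf("masked holder: 'Password=' found at offset %ld\n",
           scan_masked_holder(&s, "Password="));

    secret_reveal(&s, out, sizeof out);
    printf("revealed for use: %s\n", out);
    secure_zero(out, sizeof out);   /* plaintext lifetime ends here */
    return 0;
}
```

The same pattern applies to the hibernation-file worry: what gets written to disk is whatever is resident in RAM at that moment, so the shorter the window in which the unmasked string exists, the less likely a dump captures it. On Windows, CryptProtectMemory with CRYPTPROTECTMEMORY_SAME_PROCESS does the masking with a key the process itself never holds, which closes the "key is in the same struct" gap this portable version leaves open.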