Process Hacker and Windows discussion

 
petert
Member
Posts: 4
Joined: 07 Jan 2016 06:05
OS: Win 8.1 64 Bit

ASLR

07 Jan 2016 06:13

Hello,

I noticed that Delphi programs (such as setups created with InnoSetup) can have ASLR enabled, but will show as having it disabled in Process Hacker.

In the main window, if you activate the ASLR column, it will show it as present for that Delphi program (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set in the PE image). But if you look at the properties of the same process, it shows ASLR: Disabled.

I found out that this information in the property window is obtained through GetProcessMitigationPolicy(), which indeed returns 0 for this process.

What to do to the PE image to make it set the proper mitigation policies when the process is created? It seems VC++ does something magical that Delphi is missing, but what?

Thanks,
Peter
Last edited by petert on 07 Jan 2016 06:50, edited 1 time in total.
 
dmex
Admin
Posts: 1640
Joined: 17 Jan 2011 05:43

Re: ASLR

07 Jan 2016 06:44

petert wrote:
if you activate the ASLR column, it will show it as present for that Delphi program (IMAGE_FILE_LARGE_ADDRESS_AWARE is set in the PE image).

What to do to the PE image to make it set the proper mitigation policies when the process is created? It seems VC++ does something magical that Delphi is missing, but what?
IMAGE_FILE_LARGE_ADDRESS_AWARE is unrelated to ASLR ;)
 
petert
Member
Posts: 4
Joined: 07 Jan 2016 06:05
OS: Win 8.1 64 Bit

Re: ASLR

07 Jan 2016 06:52

I really meant to say IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, not IMAGE_FILE_LARGE_ADDRESS_AWARE; it was a copy-and-paste error. But the actual Delphi exe does have the dynamic base flag, as is confirmed by the ASLR entry in the ProcessHacker ASLR column.

But as mentioned the properties window for that process shows ASLR: Disabled.

If VC++ doesn't do anything magical, what shouldn't you do to disable it?

I could post a minimal Delphi exe if that helps.
 
dmex
Admin
Posts: 1640
Joined: 17 Jan 2011 05:43

Re: ASLR

07 Jan 2016 07:23

petert wrote:
I could post a minimal Delphi exe if that helps.
Might help... You will need to zip it before attaching an exe ;)
 
petert
Member
Posts: 4
Joined: 07 Jan 2016 06:05
OS: Win 8.1 64 Bit

Re: ASLR

07 Jan 2016 17:51

I found out that it is related to Delphi's way of delay loading imported functions from DLLs. Remove the delay loaded functions, and it works. Now I need to figure out what's wrong with the delay loading code.
 
petert
Member
Posts: 4
Joined: 07 Jan 2016 06:05
OS: Win 8.1 64 Bit

Re: ASLR

07 Jan 2016 19:29

ASLRDeactivatedPuzzle.zip
Two console programs that are almost identical. The one with the bug has a delay load of the function IsProcessDPIAware(), and the bug-free one has no delay loads.
I guess it has something to do with the IAT (import address table) or delay loading data directories in the PE file, but so far I haven't found out what the Windows loader expects to see, and why it doesn't like what it sees.

Somehow it must assume that it cannot relocate part of the executable or import. It must be something about the PE file structure/metadata, since no code at all gets executed before the PE file is loaded and mapped into memory (tested this in a debugger).

Maybe someone else can see what the issue is?
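A header-level check for the PE fields discussed in this thread (the DYNAMIC_BASE flag that the ASLR column reads, the base-relocation directory the loader needs before it can actually move an image, and the delay-load directory), added here as an example that is not from the thread, from Delphi or from Process Hacker. The minimal PE32+ header it builds is constructed test input, not the attached executable; the field offsets follow the PE/COFF specification.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
DIR_BASERELOC = 5       # IMAGE_DIRECTORY_ENTRY_BASERELOC
DIR_DELAY_IMPORT = 13   # IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT

def pe_aslr_report(data: bytes) -> dict:
    """Parse the headers of a PE image and report what the loader sees for ASLR."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20                                 # after COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                        # PE32
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                      # PE32+
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt_off + 70)[0]  # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def dir_present(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * index)
        return rva != 0 and size != 0

    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = dir_present(DIR_BASERELOC)
    return {
        "dynamic_base": dynamic_base,            # what a static "ASLR" column reports
        "has_relocations": has_relocs,           # without these the image cannot be moved
        "has_delay_imports": dir_present(DIR_DELAY_IMPORT),
        "loader_can_randomize": dynamic_base and has_relocs,
    }

def build_header(dllchars: int, reloc: bool = True, delay: bool = False) -> bytes:
    """Constructed header-only PE32+ image (no sections) for testing the parser."""
    dirs = [(0, 0)] * 16
    if reloc:
        dirs[DIR_BASERELOC] = (0x3000, 0x10)
    if delay:
        dirs[DIR_DELAY_IMPORT] = (0x4000, 0x40)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", dllchars)
           + b"\0" * 36 + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt
```

Run it over a real file with `pe_aslr_report(open(path, "rb").read())`; a report showing `dynamic_base` set but `has_relocations` false is one static reason a DYNAMIC_BASE image still ends up with the runtime policy reporting ASLR disabled, though the runtime answer always comes from GetProcessMitigationPolicy() as the thread notes.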