Tommi Prami Posted December 7, 2022 (edited)

The Delphi help is a little bit vague, and all the other pages give a lot of stuff but not an easy nuts-and-bolts explanation. I have thought that if ASLR is on, Windows will randomize the memory start address of the process each time you run it, but I might be wildly wrong in my assumption. Asking because of this bug report: https://quality.embarcadero.com/browse/RSP-40130

-Tee-

Edited December 7, 2022 by Tommi Prami
Stefan Glienke Posted December 7, 2022

https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work
Tommi Prami Posted December 9, 2022 (edited)

On 12/7/2022 at 5:53 PM, Stefan Glienke said:
    https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work

I did not get from that whether it will affect the Delphi Image base setting or not. Maybe I did not ask clearly enough. What I am actually asking is: I get (from the bug report above) that if ASLR is on, the address in an Access Violation can't be checked against the MAP file as is, because there is not enough info to do that. So if there is an Access Violation at a customer and they send the address/screenshot, I could not get the actual error location from the map file, because I could not know where ASLR has actually located the code, so I would need the ASLR offset or something like that as well? Reading those ASLR articles did not help much, so I could not be sure whether my impression is wrong or not. I googled how ASLR works and there were a lot of low-level descriptions, but I am not sure whether it will affect AV and/or map-file investigation.

-Tee-

Edited December 9, 2022 by Tommi Prami
Fr0sT.Brutal Posted December 9, 2022

Here https://quality.embarcadero.com/browse/RSP-40130 the following change is suggested for the calculation:

  SModuleAccessViolation = 'Access violation in module ''%s'' (+%s). %s of address %p';

  // offset of the faulting instruction relative to the module's actual load address
  Result := EAccessViolation.CreateFmt(sModuleAccessViolation,
    [ExtractFileName(ModName),
     IntToHex(IntPtr(P^.ExceptionAddress) - IntPtr(MemInfo.AllocationBase), 1),
     AccessOp, AccessAddress]);

I have no D11 at hand and I couldn't find that MemInfo in the docs.
Vandrovnik Posted December 9, 2022

4 hours ago, Fr0sT.Brutal said:
    I have no D11 at hand and I couldn't find that MemInfo in the docs.

This is in Winapi.Windows.pas:

  type
    PMemoryBasicInformation = ^TMemoryBasicInformation;
    _MEMORY_BASIC_INFORMATION = record
      BaseAddress: Pointer;
      AllocationBase: Pointer;
      AllocationProtect: DWORD;
      RegionSize: SIZE_T;
      State: DWORD;
      Protect: DWORD;
      Type_9: DWORD;
    end;
    {$EXTERNALSYM _MEMORY_BASIC_INFORMATION}
    TMemoryBasicInformation = _MEMORY_BASIC_INFORMATION;
    MEMORY_BASIC_INFORMATION = _MEMORY_BASIC_INFORMATION;

MemInfo is just a local variable in System.SysUtils, function GetExceptionObject.
Stefan Glienke Posted December 9, 2022

5 hours ago, Tommi Prami said:
    I get (from the bug report above) that if ASLR is on, the address in an Access Violation can't be checked against the MAP file as is, because there is not enough info to do that. So if there is an Access Violation at a customer and they send the address/screenshot, I could not get the actual error location from the map file, because I could not know where ASLR has actually located the code, so I would need the ASLR offset or something like that as well?

That's why you use things like madExcept or EurekaLog - even with ASLR enabled I get a proper call stack from an AV with madExcept.
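The lookup this sub-thread is circling around, as an added example (Python; not code from the thread, from Embarcadero, or from madExcept/EurekaLog): take the faulting address and the module's actual load address (the value the RSP-40130 change subtracts, MEMORY_BASIC_INFORMATION.AllocationBase), turn them into a module-relative offset, and resolve that offset against a MAP file. The MAP excerpt is a constructed sample in the layout of a Delphi detailed MAP file for a hypothetical 32-bit project; the unit and symbol names, the addresses and the preferred image base $00400000 are all assumptions made for the sample, and the parser only handles the three tables shown.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of a Delphi "detailed" MAP file for a hypothetical
# 32-bit project (not taken from any real build). The segment table lists linked
# addresses (preferred image base already added); "Publics by Value" and the
# line-number tables use segment:offset pairs relative to the segment start.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00401000 0001A2F0H .text                   CODE
 0002:0041C000 00000C00H .data                   DATA

  Address             Publics by Value

 0001:00000000       System.@InitExe
 0001:00012A40       Unit1.TForm1.ButtonClick
 0001:00012B10       Unit1.TForm1.LoadConfig
 0001:00012C80       Unit1.Finalization

Line numbers for Unit1(Unit1.pas) segment .text

    40 0001:00012A40    42 0001:00012A58    45 0001:00012A9C
    51 0001:00012B10    53 0001:00012B2C    57 0001:00012B60
"""

PREFERRED_IMAGE_BASE = 0x00400000  # assumption: Delphi's default image base for this sample

SEG_RE = re.compile(r"^\s*([0-9A-F]{4}):([0-9A-F]{8})\s+([0-9A-F]+)H\s+(\S+)\s+(\S+)\s*$", re.I)
PUB_RE = re.compile(r"^\s*([0-9A-F]{4}):([0-9A-F]{8})\s+(\S+)\s*$", re.I)
LINEHDR_RE = re.compile(r"^Line numbers for (\S+)\(")
LINE_RE = re.compile(r"(\d+)\s+([0-9A-F]{4}):([0-9A-F]{8})", re.I)


@dataclass
class MapInfo:
    segments: dict = field(default_factory=dict)  # seg -> (start RVA, length)
    publics: dict = field(default_factory=dict)   # seg -> [(offset, symbol)]
    lines: dict = field(default_factory=dict)     # seg -> [(offset, unit, line)]


def parse_map(text, preferred_base=PREFERRED_IMAGE_BASE):
    """Minimal parser for the three tables used here; tracks which table it is in."""
    info, section, unit = MapInfo(), "segments", None
    for raw in text.splitlines():
        if "Publics by Value" in raw:
            section = "publics"
            continue
        hdr = LINEHDR_RE.match(raw)
        if hdr:
            section, unit = "lines", hdr.group(1)
            continue
        if section == "segments" and (m := SEG_RE.match(raw)):
            start, length = int(m.group(2), 16), int(m.group(3), 16)
            info.segments[m.group(1)] = (start - preferred_base, length)  # linked address -> RVA
        elif section == "publics" and (m := PUB_RE.match(raw)):
            info.publics.setdefault(m.group(1), []).append((int(m.group(2), 16), m.group(3)))
        elif section == "lines":
            for lineno, seg, off in LINE_RE.findall(raw):
                info.lines.setdefault(seg, []).append((int(off, 16), unit, int(lineno)))
    for table in (info.publics, info.lines):
        for entries in table.values():
            entries.sort()
    return info


def module_relative_offset(exception_address, allocation_base):
    """The '+offset' of the RSP-40130 message: ExceptionAddress - AllocationBase, i.e. an RVA."""
    return exception_address - allocation_base


def resolve(exception_address, allocation_base, info):
    """Map a faulting address to segment:offset, nearest public symbol and source line.

    allocation_base must be where the module was *actually* mapped in the crashing
    process (MEMORY_BASIC_INFORMATION.AllocationBase); ASLR changes it on every run.
    """
    rva = module_relative_offset(exception_address, allocation_base)
    for seg, (start_rva, length) in info.segments.items():
        if start_rva <= rva < start_rva + length:
            offset = rva - start_rva
            break
    else:
        return None  # not inside any segment: wrong base, or the fault was in another module
    symbol = max(((o, n) for o, n in info.publics.get(seg, []) if o <= offset), default=None)
    line = max(((o, u, ln) for o, u, ln in info.lines.get(seg, []) if o <= offset), default=None)
    return {
        "segment": seg, "offset": offset,
        "symbol": symbol[1] if symbol else None,
        "symbol_delta": offset - symbol[0] if symbol else None,
        "unit": line[1] if line else None,
        "line": line[2] if line else None,
    }


if __name__ == "__main__":
    info = parse_map(SAMPLE_MAP)
    print("no ASLR   :", resolve(0x00413B30, 0x00400000, info))  # module at its preferred base
    print("ASLR      :", resolve(0x00D23B30, 0x00D10000, info))  # same code, module rebased
    print("wrong base:", resolve(0x00D23B30, 0x00400000, info))  # rebased address, naive lookup
```

The first two calls resolve to the same segment offset, symbol and line because the module-relative offset is the same whether or not the loader rebased the image. The third call is the situation in the original question: an address from a screenshot, looked up as if the module sat at its preferred base, falls outside every segment, so the raw AV address alone is not enough; you need either the actual load base or the "+offset" the patched message carries. Note that a Delphi MAP file lists segment starts with the preferred image base already added, so that base is subtracted once when parsing.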
Fr0sT.Brutal Posted December 9, 2022 (edited)

Hmm, I tried building a sample console app in XE2 with {$SETPEOPTFLAGS $140} or {$DYNAMICBASE ON} but didn't get any relocations on W7 and W8. How can I experience ASLR without D11?

Edited December 9, 2022 by Fr0sT.Brutal
Tommi Prami Posted December 12, 2022

On 12/9/2022 at 2:10 PM, Stefan Glienke said:
    That's why you use things like madExcept or EurekaLog - even with ASLR enabled I get a proper call stack from an AV with madExcept.

We use madExcept, but that is not the point. The point is: will it affect the AV address or not?
Tommi Prami Posted December 12, 2022

On 12/9/2022 at 2:21 PM, Fr0sT.Brutal said:
    Hmm, I tried building a sample console app in XE2 with {$SETPEOPTFLAGS $140} or {$DYNAMICBASE ON} but didn't get any relocations on W7 and W8. How can I experience ASLR without D11?

There are some limitations on which Windows versions support ASLR, and which variant. The high-entropy one needs a quite new version (Win10, if I recall).
Fr0sT.Brutal Posted December 12, 2022

1 hour ago, Tommi Prami said:
    There are some limitations on which Windows versions support ASLR, and which variant. The high-entropy one needs a quite new version (Win10, if I recall).

However, the simple variant should be working with older versions.
FredS Posted December 12, 2022

6 hours ago, Fr0sT.Brutal said:
    should be working with older versions

This hasn't worked for at least 11 years: https://www.codenewsfast.com/cnf/articles
Tommi Prami Posted December 13, 2022 (edited)

13 hours ago, FredS said:
    This hasn't worked for at least 11 years: https://www.codenewsfast.com/cnf/articles

Seems to be active on our App:

Edited December 13, 2022 by Tommi Prami
Fr0sT.Brutal Posted December 13, 2022

16 hours ago, FredS said:
    This hasn't worked for at least 11 years: https://www.codenewsfast.com/cnf/articles

That's weird. Isn't the executable flag enough to support ASLR?
FredS Posted December 13, 2022

13 hours ago, Tommi Prami said:
    Seems to be active on our App:

I don't have 11.2, but the fact that madExcept needed an update to deal with ASLR tells me it's finally working. Redux: https://blog.marcocantu.com/blog/rad111_pe_security.html
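To check what an EXE actually carries instead of guessing from the compiler directive, here is an added example (Python; not code from the thread, from Embarcadero or from the linked blog post) that reads the PE headers the loader looks at. It rests on three documented facts about the Windows loader: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ($40; {$SETPEOPTFLAGS $140} is this flag plus IMAGE_DLLCHARACTERISTICS_NX_COMPAT $100) only requests randomisation, the loader can honour it only if the image still has relocation data (a .reloc section, with IMAGE_FILE_RELOCS_STRIPPED clear in the COFF header), and IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA ($20) is only meaningful for a PE32+ (64-bit) image. The three images it inspects are constructed header-only stubs built inside the script; with a path argument it reads a real executable instead.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
# IMAGE_OPTIONAL_HEADER.DllCharacteristics (the field {$SETPEOPTFLAGS} writes)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664


def aslr_status(data):
    """Read the PE headers and decide whether the loader can actually randomise the image base."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = opt + opt_size
    names = [data[sections + 40 * i:sections + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    is64 = magic == PE32PLUS_MAGIC
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc = ".reloc" in names
    # The flag only asks for randomisation; without relocation data the loader has
    # nothing to fix up and maps the image at its preferred base regardless of the flag.
    effective = dynamic_base and has_reloc and not relocs_stripped
    high_entropy = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return {
        "pe32plus": is64,
        "machine": hex(machine),
        "dynamic_base_flag": dynamic_base,
        "nx_compat_flag": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_flag": high_entropy,
        "relocs_stripped": relocs_stripped,
        "has_reloc_section": has_reloc,
        "aslr_effective": effective,
        "high_entropy_effective": effective and is64 and high_entropy,
    }


def build_pe(pe32plus, characteristics, dll_characteristics, section_names):
    """Construct a minimal header-only PE image for testing (constructed data, not loadable)."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386,
                       len(section_names), 0, 0, 0, opt_size, characteristics)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def demo_cases():
    """Three constructed images: flag set but relocations stripped, a relocatable 32-bit
    image, and a 64-bit image with high-entropy ASLR requested."""
    flag_only = build_pe(False, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED,
                         IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                         [".text", ".data"])
    relocatable32 = build_pe(False, IMAGE_FILE_EXECUTABLE_IMAGE,
                             IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                             [".text", ".data", ".reloc"])
    he64 = build_pe(True, IMAGE_FILE_EXECUTABLE_IMAGE,
                    IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, [".text", ".reloc"])
    return {"flag_only": aslr_status(flag_only), "relocatable32": aslr_status(relocatable32),
            "he64": aslr_status(he64)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python pe_aslr.py Project1.exe
        with open(sys.argv[1], "rb") as f:
            print(aslr_status(f.read()))
    else:
        for name, status in demo_cases().items():
            print(name, status)
```

The first case is what an executable with stripped relocations looks like: dynamic_base_flag is true, yet aslr_effective is false because there is nothing for the loader to fix up, which is the check to run on an XE2 build before concluding that ASLR itself is broken. The check is purely header-level: a process mitigation policy such as mandatory ("force") ASLR on Windows 8 and later can rebase an image that carries relocations even without the flag, and nothing here tells you where the OS actually mapped the module at run time.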
DelphiUdIT Posted December 21, 2022

In Delphi 11.2 ASLR (and High Entropy too) may be used and is working. But when I tested it in a real running environment, there were some glitches (AV, memory leak, ...) that don't show up if I simply turn off ASLR. I've noticed that the use of 3rd-party DLLs (SDK or whatever), even if recent, plays a role in this. All of course in a 64-bit environment. I didn't go into depth because I'm busy on several fronts, but in the near future I'd like to go into it further. For now I don't use ASLR and High Entropy.

Bye
Stefan Glienke Posted December 22, 2022 (edited)

If stuff blows up with ASLR under 64-bit, then this is almost certainly because some code is calculating addresses wrong or unintentionally using 32-bit data types where 64-bit is needed, which did not blow up without ASLR because it never had values higher than MaxInt. Often this can be caused by incorrect WinAPI usage such as this

Edited December 22, 2022 by Stefan Glienke
DelphiUdIT Posted December 22, 2022 (edited)

13 hours ago, Stefan Glienke said:
    If stuff blows up with ASLR under 64-bit, then this is almost certainly because some code is calculating addresses wrong or unintentionally using 32-bit data types where 64-bit is needed, which did not blow up without ASLR because it never had values higher than MaxInt. Often this can be caused by incorrect WinAPI usage such as this

This may be, but to enable 64-bit ASLR you must enable "HIGH ENTROPY". Enabling only ASLR and disabling HE should not produce pointers with 64-bit data... or do I misunderstand ASLR? In my test I tried the two combinations (ASLR or ASLR + HE) and I had some problems anyway.

Edited December 22, 2022 by DelphiUdIT
Fr0sT.Brutal Posted December 26, 2022 (edited)

On 12/22/2022 at 8:06 PM, DelphiUdIT said:
    Enabling only ASLR and disabling HE should not produce pointers with 64-bit data...

From what I've read about ASLR, addresses could be anything even without additional options. And even without ASLR you can achieve 64-bit pointers by occupying all 4 GB of RAM (the swap file should be disabled). Btw, this is a pretty good test for valid pointer operations, especially for estimating a huge heap of legacy 32-bit code with quite desperate pointer<=>number manipulations that was converted to 64-bit but probably never thoroughly tested.

Edited December 26, 2022 by Fr0sT.Brutal