ED 303: Windows Stack Protection III: Limitations of ASLR (15 pts) ED 303：Windows Stack Protection III：ASLR的限制（15分）

What You Need你需要什么

A Windows 2016 Server machine, real or virtual. Windows 2016 Server机器，真实或虚拟。 You cannot use Windows Server 2008.您无法使用Windows Server 2008。
You need to Visual C++ Build Tools installed, which you did in the previous project .您需要安装Visual C ++ Build Tools，这是您在上一个项目中所做的。

Purpose目的

Examine ASLR on Windows in more detail.更详细地检查Windows上的ASLR。

Here's what Microsoft says about ASLR randomness:以下是微软关于ASLR随机性的说法：

It seems like there's a 1 in 256 chance of guessing correctly for many EXE files!对于许多EXE文件来说，似乎有一个256的机会正确猜测！

Task 1: Observing ASLR on Windows任务1：在Windows上观察ASLR

ASLR (Address Space Layout Randomization) prevents many buffer overflow exploits by making the location of the stack difficult to predict. ASLR（地址空间布局随机化）通过使堆栈的位置难以预测来防止许多缓冲区溢出漏洞。

Launching a Developer Command Prompt启动开发人员命令提示符

You must already have Visual C++ Build Tools installed.您必须已安装Visual C ++生成工具。

Click the Start button, scroll to the V secton, expand " Visual Studion 2017 ", and click " Developer Command Prompt for VS 2017 ", as shown below.单击开始按钮，滚动到V secton，展开“ Visual Studion 2017 ”，然后单击“ VS 2017的开发人员命令提示符 ”，如下所示。

Making the esp3 Program in C++用C ++编写esp3程序

In the Developer Command Prompt window, execute these commands:在Developer Command Prompt窗口中，执行以下命令：

mkdir c:\127a mkdir c：\ 127a
cd c:\127a cd c：\ 127a
notepad esp3.cpp记事本esp3.cpp

A box pops up, asking "Do you want to create a new file?".弹出一个框，询问“你想创建一个新文件吗？”。 Click Yes .单击是。

Enter this code, as shown below:输入此代码，如下所示：

#include <iostream> #include <iostream>  
using namespace std; using namespace std;  

void main() { void main（）{
	int data = 0; int data = 0;   
	__asm { __asm {
	    mov data, esp mov数据，尤其是
	} }
   cout << hex << data << endl; cout << hex << data << endl;
} }

In Notepad, click File , Save .在记事本中，单击“ 文件” ，“ 保存” 。

Compiling the Program Normally正常编制程序

In the Developer Command Prompt window, execute these commands:在Developer Command Prompt窗口中，执行以下命令：

cl /EHsc esp3.cpp cl / EHsc esp3.cpp
esp3.exe esp3.exe
esp3.exe esp3.exe

The ESP value changes each time the program runs, as shown below.每次程序运行时ESP值都会改变，如下所示。 This happens because ASLR is activated by default in Windows.发生这种情况是因为Windows中默认激活了ASLR。

Compiling the Program Without ASLR在没有ASLR的情况下编译程序

In the Developer Command Prompt window, execute these commands:在Developer Command Prompt窗口中，执行以下命令：

copy esp3.cpp esp4.cpp复制esp3.cpp esp4.cpp
cl /EHsc /c esp4.cpp cl / EHsc / c esp4.cpp
link /DYNAMICBASE:NO esp4.obj link / DYNAMICBASE：没有esp4.obj
esp4.exe esp4.exe
esp4.exe esp4.exe

The ESP value remains the same each time the program runs, as shown below, because ASLR is turned off for this application.每次程序运行时ESP值都保持不变，如下所示，因为此应用程序的ASLR已关闭。

Task 2: Testing the Randomness of ASLR任务2：测试ASLR的随机性

We'll make a simple Python script to see how many possible values ESP has when using ASLR.我们将创建一个简单的Python脚本，以查看ESP在使用ASLR时可能具有的值。

In the Developer Command Prompt window, execute these commands:在Developer Command Prompt窗口中，执行以下命令：

cd c:\127a cd c：\ 127a
notepad test.py记事本test.py

A box pops up, asking "Do you want to create a new file?".弹出一个框，询问“你想创建一个新文件吗？”。 Click Yes .单击是。

Enter this code, as shown below.输入此代码，如下所示。 It will run the esp3.exe program 5 times and print out the results.它将运行esp3.exe程序5次并打印出结果。

import os进口口
for i in range(5): for i in range（5）：
  os.system("esp3.exe")使用os.system（ “esp3.exe”）

In Notepad, click File , Save .在记事本中，单击“ 文件” ，“ 保存” 。

Running the Program运行程序

In the Developer Command Prompt window, execute this commands:在Developer Command Prompt窗口中，执行以下命令：

c:\python27\python test.py c：\ python27 \ python test.py

The results are all different, as shown below.结果都不同，如下所示。

Running the Program 10000 Times运行程序10000次

In the Developer Command Prompt window, execute this command:在Developer Command Prompt窗口中，执行以下命令：

notepad test.py记事本test.py

Change the "5" to "10000", as shown below.将“5”更改为“10000”，如下所示。

In Notepad, click File , Save .在记事本中，单击“ 文件” ，“ 保存” 。

Running the Program运行程序

In the Developer Command Prompt window, execute this command:在Developer Command Prompt窗口中，执行以下命令：

c:\python27\python test.py > 10k.txt c：\ python27 \ python test.py> 10k.txt

It will take a few minutes to run.运行需要几分钟。 There are no visible results, because they all go into the "10k.txt" file, as shown below.没有可见的结果，因为它们都进入“10k.txt”文件，如下所示。

How Random Are They?他们有多随机？

In the Developer Command Prompt window, execute this command:在Developer Command Prompt窗口中，执行以下命令：

notepad 10k.txt记事本10k.txt

The numbers appear random, as shown below, but how random are they?数字看似随机，如下所示，但它们有多随机？

Removing Duplicates删除重复项

We'll use a simple Python script to remove duplicate values.我们将使用一个简单的Python脚本来删除重复的值。

In the Developer Command Prompt window, execute this command:在Developer Command Prompt窗口中，执行以下命令：

notepad clean.py记事本clean.py

A box pops up, asking "Do you want to create a new file?".弹出一个框，询问“你想创建一个新文件吗？”。 Click Yes .单击是。

Enter this code, as shown below.输入此代码，如下所示。 It will run the esp3.exe program 5 times and print out the results.它将运行esp3.exe程序5次并打印出结果。

with open('10k.txt') as f:打开（'10k.txt'）作为f：
   lines = f.read().splitlines() lines = f.read（）。splitlines（）
n = len(lines) n = len（行）
u = len(set(lines)) u = len（set（lines））
print n, "values, but only ", u, "unique"打印n，“值，但只有”，u，“unique”

In Notepad, click File , Save .在记事本中，单击“ 文件” ，“ 保存” 。

Running the Program运行程序

In the Developer Command Prompt window, execute this commands:在Developer Command Prompt窗口中，执行以下命令：

c:\python27\python clean.py c：\ python27 \ python clean.py

The result shows that only abouot 70% of the numbers were unique, as shown below.结果表明，只有70％的数字是唯一的，如下所示。 That's more than the 256 I expected from the Microsoft literature, but still not a very large number.这超过了我对微软文献所预期的256个，但仍然不是一个非常大的数字。

Task 3: Viewing Memory Sections任务3：查看内存部分

Running esp3.exe in Immunity在Immunity中运行esp3.exe

Launch Immunity.发起免疫。

From the Immunity menu bar, click File , Open .从Immunity菜单栏中，单击File ， Open 。 Navigate to C:\127\esp3.exe and double-click it.导航到C：\ 127 \ esp3.exe并双击它。

Immunity loads the program.免疫加载程序。

From the Immunity menu bar, click Debug , Run .从Immunity菜单栏中，单击Debug ， Run 。

Click Debug , Run again.单击Debug ，再次运行。

From the Immunity menu bar, click View , Memory .从Immunity菜单栏中，单击View ， Memory 。

Notice the Address of these items, as shown below:注意这些项目的地址，如下所示：

esp3 PE header is at 400000 esp3 PE头为400000
esp3 .text is at 401000 esp3 .text是401000
esp3 .rdata is at 425000 esp3 .rdata是425000
esp3 .text is at 435000 esp3 .text是435000
"stack of thread..." is at 7EF000 in the image below (your address will be different) “堆栈线程......”位于下图中的7EF000 （您的地址会有所不同）
"data block of thread..." is at 3E7000 in the image below (your address will be different) “数据块的线程......”位于下图中的3E7000 （您的地址会有所不同）

Reloading esp3.exe in Immunity在免疫中重新加载esp3.exe

From the Immunity menu bar, click Debug , Restart .从Immunity菜单栏中，单击Debug ， Restart 。

From the Immunity menu bar, click Debug , Run .从Immunity菜单栏中，单击Debug ， Run 。

Click Debug , Run again.单击Debug ，再次运行。

From the Immunity menu bar, click View , Memory .从Immunity菜单栏中，单击View ， Memory 。

Notice that the "stack of thread..." address changes, and so does the "data block of thread..." address, but the other items are always at the same address, as shown below.请注意，“堆栈的线程...”地址会发生变化，“线程数据块...”地址也会发生变化，但其他项目始终位于同一地址，如下所示。

Viewing Memory Sections from C++从C ++查看内存部分

In the Developer Command Prompt window, execute these commands:在Developer Command Prompt窗口中，执行以下命令：

cd c:\127a cd c：\ 127a
notepad mem.cpp记事本mem.cpp

A box pops up, asking "Do you want to create a new file?".弹出一个框，询问“你想创建一个新文件吗？”。 Click Yes .单击是。

Enter this code, as shown below.输入此代码，如下所示。

#include <cstdio> #include <cstdio>  
#include <cstdlib> #include <cstdlib>  
#include <iostream> #include <iostream>  
using namespace std; using namespace std;  

int d; int d; /* in .data section */ / * in .data section * /

void main() void main（）
{ {
    int i=1, j; int i = 1，j;
    int * p; int * p; /* pointer */ / *指针* /

    char buf[5]; char buf [5]; /* Activate stack cookie protection */ / *激活堆栈cookie保护* /
    strcpy(buf, "HERE"); strcpy（buf，“HERE”）; /* To help find code in IDA */ / *帮助在IDA中找到代码* /	

    __asm {mov edx, LABEL __asm {mov edx，LABEL
          mov d, edx mov d，edx
          LABEL: NOP};标签：NOP}; /* in .text */ / * in .text * /

    char * heapbuf; char * heapbuf;
    heapbuf = (char*) malloc(1); heapbuf =（char *）malloc（1）; /* on heap */ / *在堆上* /

    printf("Address in .text: %08x\n", d); printf（“.text：％08x \ n”中的地址，d）;
    printf("Address in .data: %08p\n", (void *) &d); printf（“.data中的地址：％08p \ n”，（void *）＆d）;
    printf("Address in .heap: %08p\n", (void *) heapbuf); printf（“.heap：％08p \ n”中的地址，（void *）heapbuf）;
    printf("Address in stack: %08p\n", (void *) &i); printf（“堆栈中的地址：％08p \ n”，（void *）＆i）;

    printf("\nStack:\n");的printf（ “\ nStack：\ n”）;
    p = &i; p =＆i;
    for (j=0; j<9; j++) { for（j = 0; j <9; j ++）{
        printf("%d %08p %08x\n", j, (void *) p, *p); printf（“％d％08p％08x \ n”，j，（void *）p，* p）;
        p++;的p ++;
    } }
    __asm int 3 __asm int 3
} }

In Notepad, click File , Save .在记事本中，单击“ 文件” ，“ 保存” 。

Compiling the Program with All Protections使用所有保护编译程序

In the Developer Command Prompt window, execute these commands.在“开发人员命令提示符”窗口中，执行这些命令。 This compiles the program with ASLR enabled, and with stack cookies.这将编译启用了ASLR的程序，以及堆栈cookie。

cl /EHsc mem.cpp cl / EHsc mem.cpp
mem.exe MEM.EXE

The program runs, showing memory information, as shown below, and then crashes when it hits the "INT 3".程序运行，显示内存信息，如下所示，然后在命中“INT 3”时崩溃。

Viewing Memory Usage for mem.exe in Immunity在Immunity中查看mem.exe的内存使用情况

Launch Immunity.发起免疫。

From the Immunity menu bar, click File , Open .从Immunity菜单栏中，单击File ， Open 。 Navigate to C:\127a\mem.exe and double-click it.导航到C：\ 127a \ mem.exe并双击它。

Immunity loads the program.免疫加载程序。

From the Immunity menu bar, click Debug , Run .从Immunity菜单栏中，单击Debug ， Run 。

Click Debug , Run again.单击Debug ，再次运行。

From the Immunity menu bar, click View , Memory .从Immunity菜单栏中，单击View ， Memory 。

Press Alt + Tar to make the Command Prompt running "mem.exe" visible, as shown below.按Alt + Tar使命令提示符运行“mem.exe”可见，如下所示。

Notice these items:注意这些项目：

The "Address in .text" value is in the .text memory segment shown by Immunity “.text中的地址”值位于Immunity显示的.text内存段中
The "Address in .data" value is in the .data memory segment shown by Immunity “.data中的地址”值位于Immunity显示的.data内存段中
The "Address in .stack" value is in the memory segment labelled "stack of main thread" by Immunity “Address in .stack”值位于Immunity的标记为“主线程堆栈”的内存段中
The "Address in .heap" value is in a memory segment shown by Immunity, but with no label “.heap中的地址”值位于Immunity显示的内存段中，但没有标签

Viewing the Stack查看堆栈

From the Immunity menu bar, click View , CPU .从Immunity菜单栏中，单击View ， CPU 。

Press Alt + Tar to make the Command Prompt running "mem.exe" visible, as shown below.按Alt + Tar使命令提示符运行“mem.exe”可见，如下所示。

Notice these items, referred to by the item number that count from 0 to 8 in the Command Prompt window:请注意这些项目，在“命令提示符”窗口中由项目编号引用，从0到8计数：

Item 3 in the stack frame is 00000002 in the Command Prompt window, but 00000009 in Immunity.堆栈帧中的项目3在命令提示符窗口中为00000002 ，但在Immunity中为00000009 。 This is the integer variable "i", which counted through the items in the stack.这是整数变量“i”，它计算堆栈中的项目。 When it printed itself, it was 2, and when the loop was complete, it had the value 9.当它自己打印时，它是2，当循环完成时，它的值为9。
Item 4 in the stack frame is HERE -- the local string named "buf".堆栈框架中的第4项是HERE - 名为“buf”的本地字符串。 It also uses item 5 to store the null byte that terminates the string.它还使用第5项来存储终止字符串的空字节。
Item 6 in the stack frame is the stack cookie , which has a random value.堆栈帧中的第6项是堆栈cookie ，它具有随机值。 It is highlighted in the image below.它在下图中突出显示。
Item 7 in the stack frame is the saved EBP , used to restore the stack frame of the calling function.堆栈帧中的第7项是保存的EBP ，用于恢复调用函数的堆栈帧。
Item 8 in the stack frame is the return pointer , which will be placed into the stack when the function ends.堆栈帧中的第8项是返回指针 ，当函数结束时，它将被放入堆栈中。

Close Immunity.关闭免疫力。

Removing the INT 3删除INT 3

In the Notepad window, delete this line from the mem.cpp code, as shown below.在记事本窗口中，从mem.cpp代码中删除此行，如下所示。

    __asm int 3 __asm int 3

Click File , Save to save the file.单击文件，保存以保存文件。

In the Developer Command Prompt window, execute this command to compile the program again, with ASLR enabled, and with stack cookies.在Developer Command Prompt窗口中，执行此命令以再次编译程序，启用ASLR，并使用堆栈cookie。

cl /EHsc mem.cpp cl / EHsc mem.cpp

Animating the Display动画显示

In the Developer Command Prompt window, execute this command line:在Developer Command Prompt窗口中，执行以下命令行：

cls && mem cls && mem

By pressing Up-Arrow and then Enter, you can repeat the command several times to see what values change.按向上箭头键然后按Enter键，您可以多次重复该命令以查看更改的值。

You should see the values outlined in yellow in the image below changing, while the other values stay the same.您应该会看到下图中黄色轮廓的值发生变化，而其他值保持不变。

Note these items:请注意以下事项：

The stack and heap sections move because of ASLR由于ASLR，堆栈和堆部分会移动
The .text and .data sections never move--this is why Return-Oriented Programming attacks defeat ASLR .text和.data部分永远不会移动 - 这就是面向返回的编程攻击击败ASLR的原因
Items 1 and 2 on the stack are variables, one on the heap and one on the stack, so they move along with the stack and heap changes.堆栈上的第1项和第2项是变量，一个在堆上，另一个在堆栈上，因此它们随堆栈和堆的变化一起移动。
Item 6 on the stack changes randomly, because it's the stack cookie .堆栈中的第6项随机更改，因为它是堆栈cookie 。
Item 7 on the stack changes, but that's because it's the saved EBP so it has to move along with the stack.堆栈上的第7项发生了变化，但那是因为它是保存的EBP所以它必须随堆栈一起移动。
Item 8 in the stack frame is the return pointer , which points to an address in the .text section, and never changes.堆栈帧中的第8项是返回指针 ，它指向.text部分中的地址，并且永远不会更改。

Compiling the Program with No Protections编译没有保护的程序

copy mem.cpp mem0.cpp复制mem.cpp mem0.cpp
cl /EHsc /c /GS- mem0.cpp cl / EHsc / c / GS- mem0.cpp
link /DYNAMICBASE:NO mem0.obj link / DYNAMICBASE：没有mem0.obj
mem0.exe mem0.exe

The program runs, showing memory information, as shown below.程序运行，显示内存信息，如下所示。

Notice that the .text section is near the classical value of 400000, which we've seen before.请注意，.text部分接近我们之前看到的经典值400000。

Animating the Display动画显示

In the Developer Command Prompt window, execute this command line:在Developer Command Prompt窗口中，执行以下命令行：

cls && mem0 cls && mem0

By pressing Up-Arrow and then Enter, you can repeat the command several times to see what values change.按向上箭头键然后按Enter键，您可以多次重复该命令以查看更改的值。

You should see the values outlined in yellow in the image below changing, while the other values stay the same.您应该会看到下图中黄色轮廓的值发生变化，而其他值保持不变。

Note these items:请注意以下事项：

The .text , .data , and stack sections never move .text ， .data和堆栈部分永远不会移动
The heap moves 堆移动
Items 1 and 2 on the stack are variables, one on the heap and one on the stack, so item 1 moves along with the heap, and item 2 does not change堆栈上的项目1和2是变量，一个在堆上，一个在堆栈上，因此项目1与堆一起移动，项目2不会更改
Item 4 is the saved EBP .第4项是保存的EBP 。
Item 5 is the return pointer .第5项是返回指针 。
The string "HERE" is stored above this list on the stack, and is not visible.字符串“HERE”存储在堆栈上的此列表上方，并且不可见。
Items 6, 7, and 8 are in the calling function's stack frame.项目6,7和8位于调用函数的堆栈帧中。

ED 303.1 Item 6 (15 pts) ED 303.1第6项（15分）

Find the value of item 6 on the stack, covered by a green box in the image above.在堆栈中找到第6项的值，由上图中的绿色框覆盖。 That's the flag.那是旗帜。

References参考

Disable Program Has Stopped Working Error Dialog in Windows 在Windows中禁用程序已停止工作错误对话框
Software defense: mitigating common exploitation techniques 软件防御：减轻常见的开发技术

Posted: 11-9-18发表时间：11-9-18
Typo in C code: i -> j 12-11-18 C代码错字：i - > j 12-11-18