Q: How can I check the effect of the Windows Address Space Layout Randomization (ASLR) feature on a Windows system?
April 27, 2011
A: ASLR is a new security feature that Microsoft introduced in Windows Vista that makes it harder for malware to use a system DLL’s services by randomizing the DLLs’ memory locations in system memory.
You can easily observe the effect of ASLR by using the SysInternals Process Explorer tool, which you can download from this URL: http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx. (At the time of writing the latest Process Explorer version was 14.1.)
To see ASLR's effects, start Process Explorer and ensure that you've selected both the Show Lower Pane and the Lower Pane View/DLLs options in the View menu. Then select the explorer.exe process in the upper pane and check the base address of the ntdll.dll in the base column in the lower pane. (If you don’t see the Base column you can add it by using the View / Select Columns… menu option—it can be added from the DLL tab by selecting the Base Address box.) Write down the base address and then reboot your system. On a Windows XP system, you'll notice that the base address for ntdll.dll remains identical after a system reboot (XP doesn't support ASLR). On a Windows Vista or Windows 7 system, you'll notice the base address will be different after a system reboot (both Vista and Windows 7 support ASLR), as shown here.
About the Author
You May Also Like