Q: How can I check the effect of the Windows Address Space Layout Randomization (ASLR) feature on a Windows system?

Jan De Clercq

April 27, 2011

1 Min Read
ITPro Today logo in a gray background | ITPro Today

A: ASLR is a new security feature that Microsoft introduced in Windows Vista that makes it harder for malware to use a system DLL’s services by randomizing the DLLs’ memory locations in system memory.

You can easily observe the effect of ASLR by using the SysInternals Process Explorer tool, which you can download from this URL: http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx. (At the time of writing the latest Process Explorer version was 14.1.)

To see ASLR's effects, start Process Explorer and ensure that you've selected both the Show Lower Pane and the Lower Pane View/DLLs options in the View menu. Then select the explorer.exe process in the upper pane and check the base address of the ntdll.dll in the base column in the lower pane. (If you don’t see the Base column you can add it by using the View / Select Columns… menu option—it can be added from the DLL tab by selecting the Base Address box.) Write down the base address and then reboot your system. On a Windows XP system, you'll notice that the base address for ntdll.dll remains identical after a system reboot (XP doesn't support ASLR). On a Windows Vista or Windows 7 system, you'll notice the base address will be different after a system reboot (both Vista and Windows 7 support ASLR), as shown here.



Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like