In the previous article we talk about ASLR and how to disable it. There was a way to disable ASLR for a single process using setarch command. Now we are going to understand how setarch command do that. Lets use strace command to trace all system calls of setarch command with and without -R option
There are a lot of differences, because of the ASLR: In the log there are a lot memory addresses and they will be different. Now lets disable it for all processes and then do above steps again to filter out memory differences.
Now we see that there is a system call named personality. It is difficult to understand from the man personality what this syscall actually do. So we can get a information from include file of personality syscall(in case of Ubuntu 10.10 it located at /usr/include/sys/personality.h). Here it is:
There is enum ADDR_NO_RANDOMIZE equal to 0x0040000 which passed in as an argument in personality in above difference logs. So we understand that we can disable the process's ASLR by calling personality syscall with ADDR_NO_RANDOMIZE argument. Lets modify the program from previous article and check is this works.
Enable ASLR by echo 2 | sudo tee /proc/sys/kernel/randomize_va_space. Run above code twice and when they wait for input, dump the memory maps (get pid from htop and then cat /proc/pid/maps) and compare them: it works, the maps are the same. You can also comment out the line containing personality and get different memory maps.
No comments:
Post a Comment