To rebase or not to rebase DLL

    Question

  • Hello,

    I would like to know what is the recommended practice about manual DLL rebasing.

    I found a previous MSDN Magazine article online (from 2006) that listed the benefits of forcing the rebasing of DLLs to avoid the automatic OS rebasing, since all DLLs compiled under VC++ start with the same base address. Some tests were performed under Windows 2003 WTS and there were some improvements in memory consumption (the application was 10 MB smaller for each session, for a grand total of 100 MB for all sessions combined).

    Now, reading more recent articles, I found that Vista and above have introduced the Randomized Base Address (ASLR) feature for security purposes. From my understanding, this will load the DLL at a random base address to prevent code injection attacks.

    Does that mean that DLL rebasing is no longer considered best practice?

    Will I lose the memory savings I have gained with the manual rebasing of my DLL?

    By default, all VC++ projects seem to have the ASLR feature activated.
    Does it mean that any base address I have set in my DLL will be ignored?

    Thank you in advance
    Thursday, March 18, 2010 1:58 PM

Answers

  • Hi UrquanMaster,

    Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.

    The benefit of using ASLR under an OS is that we load system code into different locations in memory. This helps defeat a well-understood attack called “return-to-libc”. For details, please refer to:

    Address Space Layout Randomization in Windows Vista

    As far as I know, ASLR is a more aggressive algorithm; ASLR mitigates certain malware exploits by randomly relocating modules within a process. You can consider it best practice to enable ASLR in Visual C++ projects. If you want to circumvent ASLR randomization in Vista, the compiled modules could be built with /dynamicbase:no back in Visual Studio 2008. See the following link for more information:

    Visual C++ Precompiled Headers and ASLR

    If I misunderstood you, or you have any comments, please let me know.

    Best Regards,

    Nancy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by Nancy Shao Friday, March 26, 2010 2:52 AM
    Thursday, March 25, 2010 6:56 AM
  • That definitely was best practice before Windows Vista.

    I am not sure about your memory savings, but all of your DLLs will now get rebased automatically with Vista and greater, unless you disable image randomization. Even the system DLLs, like kernel32.dll and user32.dll, have a different base address every time the OS is restarted.
    • Marked as answer by Nancy Shao Friday, March 26, 2010 2:52 AM
    Thursday, March 18, 2010 2:20 PM
  • I would like to know what is the recommended practice about manual DLL rebasing.

    You should still choose a non-default base address for your DLLs, especially if they can run on pre-Vista OSes.

    Will I lose the memory savings I have gained with the manual rebasing of my DLL?

    No. Memory usage with ASLR is approximately the same as what you can achieve with careful manual rebasing. Manual rebasing, however, is very fragile, because installing 3rd-party software or OS/application updates can easily introduce address conflicts. ASLR, on the other hand, automatically positions DLLs to avoid conflicts.

    Does it mean that any base address I have set in my DLL will be ignored?

    Most of the time, yes.

    • Marked as answer by Nancy Shao Monday, March 29, 2010 2:09 AM
    Sunday, March 28, 2010 5:37 AM
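The two questions answered above (is ASLR actually in effect for a given DLL, and do my preferred base addresses collide?) can both be checked from the PE header itself. The following is an added example written for this page, not code from the thread or from Microsoft: `inspect_pe` reads the linker's preferred ImageBase, the /DYNAMICBASE opt-in bit (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and the IMAGE_FILE_RELOCS_STRIPPED bit (a stripped image cannot be relocated at all, so ASLR cannot move it), and `find_base_conflicts` reports overlapping preferred ranges among a set of modules, which is exactly the situation in which the loader would have had to rebase a manually based DLL. `build_minimal_pe` fabricates a header-only image purely to exercise the parser; the function names, the helper and the constructed module list are assumptions for this illustration. Header offsets follow the documented IMAGE_NT_HEADERS layout.

```python
"""Check a PE image's preferred base and ASLR opt-in, and look for base-address conflicts."""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics bit
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def inspect_pe(data: bytes) -> dict:
    """Return ImageBase and the ASLR-related flags of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                       # IMAGE_FILE_HEADER (20 bytes)
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 64-bit ImageBase
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32 and PE32+
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The opt-in bit only matters if the loader can still apply relocations.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def find_base_conflicts(modules):
    """modules: iterable of (name, preferred_base, size). Returns overlapping pairs.

    Any pair returned here would force the OS to rebase one of the two modules
    on a pre-ASLR system, which is the fragility the thread describes.
    """
    spans = sorted(((base, base + size, name) for name, base, size in modules))
    conflicts = []
    for i, (start_a, end_a, name_a) in enumerate(spans):
        for start_b, end_b, name_b in spans[i + 1:]:
            if start_b >= end_a:      # sorted by start, so no later span can overlap either
                break
            conflicts.append((name_a, name_b))
    return conflicts


def build_minimal_pe(image_base, dynamic_base=True, relocs_stripped=False, pe32plus=False) -> bytes:
    """Constructed header-only PE image (no sections); exists only to exercise inspect_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # PE header follows the DOS header
    characteristics = 0x2102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python inspect_pe.py path\to\your.dll  (any real DLL or EXE on disk)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read()))
    else:
        # Constructed sample: a VC++-style default base (0x10000000) with and without /DYNAMICBASE
        print(inspect_pe(build_minimal_pe(0x10000000)))
        print(inspect_pe(build_minimal_pe(0x10000000, dynamic_base=False)))
        # Constructed module list: two DLLs left at the linker default collide
        print(find_base_conflicts([("a.dll", 0x10000000, 0x20000),
                                   ("b.dll", 0x10000000, 0x30000),
                                   ("c.dll", 0x20000000, 0x10000)]))
```

Run it with a path to one of your own DLLs: a result of `dynamic_base: False` means the module was linked with /DYNAMICBASE:NO (or by an older toolset) and will be loaded at its stored ImageBase when that range is free; `relocs_stripped: True` means it cannot be moved even if it claims ASLR support.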

All replies

  • Hello,

    Aside from security (which is less of a concern in my case), are there any benefits of using ASLR (performance- or memory-wise) under a capable OS?

    Since by default all VC++ projects are ASLR-enabled, am I right to assume that it is now considered a VC++ best practice by Microsoft?

    Thank you
    Thursday, March 18, 2010 3:13 PM