How to disable ASLR (Random DLL/EXE memory load location) in Windows 7?

Discussion in 'Windows 7' started by kocoman, Apr 25, 2009.

  1. kocoman

    kocoman MDL Senior Member

    May 16, 2007
    328
    4
    10
    Is there any program that can patch the "dll characteristics" of IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE in the pe header? the website you mention only says 'hex' patching but does not say WHERE.. I tried the 18E address in the screenshots there but no change. Also it only says how to ENABLE it, but I want it DISABLED. I don't care about virus/exploits/protection. I just need ollydbg to work properly when loading DLL and my Tmpgenc DVD Author 4 (Right now I have to revert to DVD Author 3)

    Also I found out the term is called ASLR, it can be disabled in Vista, but I tried to disable it in Windows 7 with this

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "MoveImages"=dword:00000000


    ASLR
    Vista's ASLR randomizes the location of images (PE files mapped into memory), heaps,
    stacks, the PEB and TEBs. Image positioning randomization is designed to place images
    at a random location in the virtual address space of each process. Vista's ASLR has
    the capability to randomly position both executables and DLLs. There is a system-wide
    configuration parameter that determines the behaviour of Vista's image randomization.
    This parameter can be set in the registry key
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
    which by default does not exist. This key has three possible settings:
    If the value is set to 0, never randomize image bases in memory, always honor the base
    address specified in the PE header.
    If set to -1, randomize all relocatable images regardless of whether they have the
    IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag or not.
    If set to any other value, randomize only images that have relocation information and are
    explicitly marked as compatible with ASLR by setting the
    IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE (0x40) flag in DllCharacteristics field
    the PE header. This is the default behaviour.

    I tried to the file in ollydbg, and when it loads the DLL, the offsets are different, thats why I know ASLR is still enabled.
    (I am using Windows 7 Beta)

    Also, what are the SortServer2003Compat.dll (XP SP3), and SortWindows6Compat.dll (Vista SP2) that is prevent my DLL from being seen when loaded under ollydbg with Compatibility mode?

    Many cracked/patched apps will crash because of this, unless someone can disable ASLR somehow in Windows 7.

    So no one here uses Windows 7 as their cracking system?
     
  2. Sandro

    Sandro MDL Novice

    Jan 3, 2008
    35
    0
    0
    I sould you try vistamanager v2.08 version
     
  3. HSChronic

    HSChronic MDL Expert

    Aug 25, 2007
    1,213
    55
    60
    this is probably beyond the scope of a lot of people's knowledge around here. You might want to try the MSDN forums as this seems more related to that.
     
  4. kocoman

    kocoman MDL Senior Member

    May 16, 2007
    328
    4
    10
    If I ask this question in MSDN, will I get banned? because its more like a hacking/reversing/illegal question...
     
  5. EddieZ

    EddieZ MDL Novice

    May 4, 2009
    11
    0
    0
    Probably, yes :)
     
  6. PrEzi

    PrEzi MDL Addicted

    Aug 23, 2007
    534
    3
    30
    I don't agree - they will probably just tell you that this kind of information is confidential etc. or the worst thing you could get is a warning.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...