Question

As far as I understand, ASLR (Address Space Layout Randomization) will only do random relocation per system start (per reboot).

Address Space Layout Randomization (ASLR)

ASLR moves executable images into random locations when a system boots, making it harder for exploit code to operate predictably. (...)

If this is the case, how can I then "test" or, rather, check that ASLR is happening for my C++ module or for a system module (say, kernel32.dll) without repeatedly restarting Windows and hoping the randomness kicks in?


Solution

This is what I would try:

Remember that a module's HMODULE handle is actually the base address of the module's image. You can use GetModuleHandle to obtain this value. If you compare that to the base address in the image's optional header values, we would expect those two values to be different when ASLR is turned on.

Keep in mind that this would only be a clear indicator of ASLR when GetModuleHandle is used on certain system DLLs; it would work for kernel32 because it is not a typical candidate for image relocation:

  1. Microsoft system DLLs are all given unique recommended base addresses; and
  2. It is one of the first DLLs mapped into the process address space.

Since kernel32 wouldn't typically be relocated, if ASLR was turned off it would be reasonable to expect it to be loaded at its recommended base address.

How do you obtain the recommended base address from the image headers? The easiest way is to use the DUMPBIN utility included with Visual C++. If you'd rather do it programmatically, you will need to do some spelunking through the executable image's headers until you locate the IMAGE_OPTIONAL_HEADER structure's ImageBase field. For more information about PE headers, I'd recommend "An In-Depth Look into the Win32 Portable Executable File Format" by Matt Pietrek.
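One way to do the comparison the answer describes, as an added example that is not code from the answer or from Microsoft: a small C program that walks a PE image's headers down to IMAGE_OPTIONAL_HEADER.ImageBase and compares that preferred base with the address the module was actually loaded at. It parses the bytes of the on-disk file (the same thing DUMPBIN reads), so it builds and runs on any host; `build_sample_pe`, `sample_check` and the constructed header bytes are assumptions for demonstration only, and on Windows the loaded base would come from `GetModuleHandle`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE fields are little-endian regardless of host, so decode bytes explicitly. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v;
}

/* Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER.ImageBase.
 * Returns 0 and sets *image_base on success, -1 if `img` is not a PE image. */
int pe_image_base(const uint8_t *img, size_t len, uint64_t *image_base) {
    size_t e_lfanew; const uint8_t *opt;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;   /* e_magic "MZ" */
    e_lfanew = (size_t)rd_le(img + 0x3C, 4);                        /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 32) return -1;  /* Signature+FileHeader+32 */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;        /* IMAGE_NT_SIGNATURE */
    opt = img + e_lfanew + 4 + 20;                                  /* past IMAGE_FILE_HEADER */
    switch (rd_le(opt, 2)) {                                        /* OptionalHeader.Magic */
    case 0x10b: *image_base = rd_le(opt + 28, 4); return 0;         /* PE32: 32-bit ImageBase */
    case 0x20b: *image_base = rd_le(opt + 24, 8); return 0;         /* PE32+: 64-bit ImageBase */
    default:    return -1;
    }
}

/* Nonzero when the image was loaded somewhere other than its preferred base. */
int module_relocated(uint64_t preferred_base, uint64_t loaded_base) {
    return preferred_base != loaded_base;
}

/* Constructed stand-in for the on-disk file: minimal PE32+ header, ImageBase 0x140000000. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t o = 0x40 + 4 + 20;          /* offset of the optional header */
    const size_t n = o + 32;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;                   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[o] = 0x0b; buf[o + 1] = 0x02;                               /* Magic = 0x20b (PE32+) */
    buf[o + 24 + 3] = 0x40; buf[o + 24 + 4] = 0x01;                 /* ImageBase = 0x140000000 LE */
    return n;
}

/* 1 = relocated, 0 = at preferred base, -1 = header did not parse.
 * On Windows, pass (uintptr_t)GetModuleHandle(NULL) as loaded_base. */
int sample_check(uint64_t loaded_base) {
    uint8_t buf[128]; uint64_t preferred;
    size_t n = build_sample_pe(buf, sizeof buf);
    if (pe_image_base(buf, n, &preferred) != 0) return -1;
    return module_relocated(preferred, loaded_base);
}
```

To apply this to a real module, read the file named by GetModuleFileName into a buffer in place of `build_sample_pe` and pass the module's HMODULE cast to an integer as `loaded_base`; a mismatch across a single run (no reboot needed) shows that the image was relocated.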

Licensed under: CC-BY-SA with attribution