Windows DLL and EXE rebase
Posted by jpluimers on 2021/04/20
Some links on rebasing Windows DLLs and EXE files, including the effects on the .NET CLR.
- Rebasing – Wikipedia
- [WayBack] Massive Rebase: DLL Sharing and ASLR Investigation
- [WayBack] Rebasing Win32 DLLs | Dr Dobb’s
- [WayBack] memory – Purpose of Base Address? – Software Engineering Stack Exchange
- [WayBack] Difference between /DYNAMICBASE and /HIGHENTROPYVA is unclear · Issue #282 · MicrosoftDocs/cpp-docs · GitHub
- [WayBack] /DYNAMICBASE | Microsoft Docs
- [WayBack] Does ASLR relocate all DLLs by the same offset? | The Old New Thing. No.
- [WayBack] Rebasing DLLs on Windows (Sun Java System Application Server 9.1 Performance Tuning Guide)
- [WayBack] Why should I even bother to use DLL’s in my system? – Larry Osterman’s WebLog
- [WayBack] delphi – Should I change my Image Base? – Stack Overflow
- [WayBack] winapi – Delphi: Set ImageBase bigger than 32-bit (for 64-bit Windows application) – Stack Overflow
- [WayBack] $ImageBase Compiler Directive – Delphi in a Nutshell [Book]
- [WayBack] How important is it nowadays to ensure that all my DLLs have non-conflicting base addresses? | The Old New Thing: Not so much, since ASLR changes it anyway.
In the presence of ASLR, rebasing your DLLs has no effect because ASLR is going to ignore your base address anyway and relocate the DLL into a location of its pseudo-random choosing.
Mind you, even though rebasing has no effect, it doesn’t hurt either.
If you are on a system without ASLR (either because it predates ASLR, or because ASLR has been disabled for whatever reason), then rebasing will help, for the traditional reasons.
Mind you, systems without ASLR are really hard to find nowadays, so rebasing provides no benefit in the overwhelming majority of cases. But in that vanishingly small percentage of cases where you don’t have ASLR, then rebasing helps.
Conclusion: It doesn’t hurt to rebase, just in case, but understand that the payoff will be extremely rare. Build your DLL with /DYNAMICBASE enabled (and with /HIGHENTROPYVA for good measure) and let ASLR do the work of ensuring that no base address collision occurs. That will cover pretty much all of the real-world scenarios. If you happen to fall into one of the very rare cases where ASLR is not available, then your program will still work. It just may run a little slower due to the relocation penalty.
–jeroen
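To check the advice quoted above against an actual binary, the following added example (not part of the quoted post or of any linked project) parses the PE headers that decide the question: the linker's ImageBase, the DYNAMIC_BASE and HIGH_ENTROPY_VA bits set by /DYNAMICBASE and /HIGHENTROPYVA, and whether base relocations survived, since a /DYNAMICBASE image with its .reloc stripped stays pinned to ImageBase. The build_header helper constructs a minimal, non-loadable header purely as sample input; on a real system you would pass the bytes of the DLL or EXE instead.

```python
import struct

# Flag values from winnt.h / the PE-COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                  # FileHeader.Characteristics
DLLCHAR_HIGH_ENTROPY_VA, DLLCHAR_DYNAMIC_BASE = 0x0020, 0x0040   # /HIGHENTROPYVA, /DYNAMICBASE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASERELOC_DIR = 5                                    # IMAGE_DIRECTORY_ENTRY_BASERELOC

def inspect_pe(data: bytes) -> dict:
    """Report the header fields that decide whether ImageBase or ASLR picks the load address."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics, = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:                      # 64-bit: 8-byte ImageBase, data directories at +112
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    elif magic == PE32_MAGIC:                        # 32-bit: 4-byte ImageBase, data directories at +96
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    num_dirs, = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    reloc_size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIR)[1] if num_dirs > BASERELOC_DIR else 0
    dynamic_base = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    # The loader can only move an image that still carries base relocations; without them ImageBase is final.
    relocatable = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0
    return {"image_base": image_base, "dynamic_base": dynamic_base,
            "high_entropy_va": bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
            "relocatable": relocatable, "aslr_effective": dynamic_base and relocatable}

def build_header(pe32plus: bool, image_base: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE header for the demo only (no sections, not loadable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    opt_size, magic, dirs = (240, PE32PLUS_MAGIC, 112) if pe32plus else (224, PE32_MAGIC, 96)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * BASERELOC_DIR, 0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

When aslr_effective is true the ImageBase value is only a hint, which is the point of the quoted conclusion; when it is false (no /DYNAMICBASE, or relocations stripped) the chosen ImageBase is the address the image will actually occupy and collisions cost a relocation or a load failure.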