Abstract: ASLR is an important protection mechanism against vulnerability attack. Crash-resistance attack is a main method to bypass ASLR, which can search for sensitive information in memory repeatedly utilizing crash-resistance mechanism. However, the current search algorithm of crash-resistance attack takes a long time to find useful information which results in less practical. In order to enhance the practicability of attack, a novel method is proposed which combines crash-resistance and memory range statistics to bypass ASLR. This method analyzes crash-resistance attack deeply by using software reverse engineering to find out internal implementation of crash-resistance mechanism in operating systems and browser software. It analyzes space layout in a process memory, counts up the average proportion of system DLLs distribution in different ranges, and selects the range of maximum probability to search DLLs and to locate key base address in order to bypass ASLR. The test results show that the proposed method greatly reduces the average time consumption and the maximum time consumption compared with the existing methods.

Key words: crash-resistance mechanism, exception handling, bypassing ASLR, vulnerability attack

摘要： ASLR是防御漏洞攻击的重要保护机制，而容错攻击是绕过ASLR的主要方法之一，即利用容错机制重复尝试搜索内存中的敏感信息。针对目前容错攻击的搜索算法耗时长导致实用性不强的问题，提出了一种结合容错攻击和内存区域统计的ASLR绕过方法。通过软件逆向深入分析容错攻击的原理，包括操作系统和浏览器等软件的容错机制内部实现和容错攻击实现方法；分析进程内存空间分布，统计不同区域的系统DLL分布的平均比例，选定最大概率内存区域搜索DLL并定位关键基址，从而绕过ASLR保护，实验结果证明该方法相对现有方法极大缩短了平均耗时和最大耗时，提高了容错攻击的实用性；探讨了容错攻击更多的应用前景。

关键词: 容错机制, 异常处理, ASLR绕过, 漏洞攻击