Compile totalcmd with /DYNAMICBASE /guard:cf

[arko]

Given how lucrative Total Commander looks as the target for an exploitation, perhaps it makes sense to release the binary with ASLR enabled? CFG would be great as well.

To help against those pesky ROP gadgets and such...

Image: https://i.imgur.com/3Tev8yG.png

[Hacker]

I don't really think that's an option with Delphi 2. Perhaps with Lazarus?

Roman

[arko]

Embarcadero's website embarrassingly returns 504 all over, but quick Google search suggests that in case of Delphi, `{$DYNAMICBASE ON}` should be enough.

[Hacker]

arko,
Are you sure that's valid for Delphi 2 from 1996?

Roman

[Dalai]

Not even Delphi XE8 (from 2015) seems to support this directive (at least I couldn't find it). You'd need to do it a different way:

Code: Select all

{$SETPEOPTFLAGS $40}

See also https://community.embarcadero.com/blogs/entry/delphi-2007-supports-aslr-and-nx-33777. But that directive isn't supported in ancient Delphi versions either. Conclusion: Not possible for TC 32-bit. No idea about Lazarus' capabilities in this regard though.

Regards
Dalai

[arko]

arko,
Are you sure that's valid for Delphi 2 from 1996?

Ok... Any insights as to how Total Commander is being built nowadays? I was thinking of reasonably recent Delphi 10.3.X in 2020.
This is probably the question for mr. Ghisler himself.

But that directive isn't supported in ancient Delphi versions either. Conclusion: Not possible for TC 32-bit. No idea about Lazarus' capabilities in this regard though.

Lazarus?.. This brings us to the question above (please see my response to the user `Hacker`)


re. ASLR for 32bit app: https://security.stackexchange.com/a/50995

[Usher]

2arko
We know what compilers are in use. It's been explained many times, there's no need to ask again and again.

[arko]

2arko
We know what compilers are in use. It's been explained many times, there's no need to ask again and again.

Yep, checking the binary before asking the question is certainly the right idea...

Code: Select all

totalcmd.exe
Free Pascal 2.5.1 03.12.2011 x86_64
Lazarus 0.9.31

[Hacker]

arko,
Delphi 2 for 32-bit version, Lazarus for 64-bit version.

Roman

[ghisler(Author)]

The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.

[arko]

The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.

No, not quite. In the current PE layout .reloc is missing, here is an Image: https://i.imgur.com/UcXKf8H.png

Please take a look at this article: https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

[Dalai]

No, not quite. In the current PE layout .reloc is missing [...]

This only applies to totalcmd64.exe, not totalcmd.exe.

Regards
Dalai

[arko]

The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.

No, not quite. In the current PE layout .reloc is missing, here is an Image: https://i.imgur.com/UcXKf8H.png

Please take a look at this article: https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.

Christian,
Could you please check the topic: https://forum.lazarus.freepascal.org/index.php/topic,49328.0.html ? Perhaps this one would do:

Code: Select all

    const
      // these are the names used in the Windows headers
      IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = $0040;
      IMAGE_DLLCHARACTERISTICS_NX_COMPAT = $0100;
     
      // the directive does not support constant calculations :'(
      IMAGE_DLLCHARACTERISTICS_FLAGS = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE or IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
     
    // set this in the main program file
    {$SetPEOptFlags IMAGE_DLLCHARACTERISTICS_FLAGS}

Happy to beta-test the build (fingers crossed it will actually compile )

[ghisler(Author)]

I found the option to add the relocation section.
However, I get an error about an invalid compiler directive when adding $SetPEOptFlags. I will have to patch it.

[arko]

I found the option to add the relocation section.
However, I get an error about an invalid compiler directive when adding $SetPEOptFlags. I will have to patch it.

Good news Would you be able to share your experience at Lazarus forum once the issue is resolved? Above-mentioned thread might do.