Refactor how ASLR and implement rz_sys_execv using RzSubprocess

[wargio]

Your checklist for this pull request

• I've read the guidelines for contributing to this repository
• I made sure to follow the project's coding style
• I've documented or updated the documentation of every function and struct this PR changes. If not so I've explained why.
• I've added tests that prove my fix is effective or that my feature works (if possible)
• I've updated the rizin book with the relevant information (if needed)

Detailed description

Refactors the code and moves the code into the same function.

Adds support to windows via SetProcessMitigationPolicy but works only when ASLR is disable and we want to enable it.

Also now on linux we try to disable ASLR programmatically using the personality function instead of OS wide which works also when the user is not root.

These changes also implements non-native rz_sys_execv by using RzSubprocess.

Test plan

Unfortunately this cannot be tested easily in the regression suite.

• Build the following C code by gcc example.c

#include <stdio.h>

const char *test = "test";

int main() {
  printf("%p\n", (void*)test);
  return 0;
}

• Then create the following rz-run file noaslr.rz:

aslr=no
program=a.out

Then run rz-run noaslr.rz multiple times.

If the value output is the same then ASLR is correctly disabled.

Closing issues

Fix #4147

[wargio]

@gogo2464 if you want to try this on windows, it could be useful.

[wargio]

i'm currently testing this on windows.

[wargio]

So i have tested this extensively on windows and you cannot disable ASLR programmatically, only enable it.

[XVilka]

So i have tested this extensively on windows and you cannot disable ASLR programmatically, only enable it.

This makes perfect sense from the security PoV.

[XVilka]

These files are an absolute mess; thanks for making them a bit more readable. As for other platforms, maybe @arrowd and @devnexen could help us?

[XVilka]

It breaks one unit test on Windows:

 66/119 rizin:unit / run                                   FAIL             0.02s   (exit status 4294967295 or signal 4294967167 SIGinvalid)                 

[devnexen]

These files are an absolute mess; thanks for making them a bit more readable. As for other platforms, maybe @arrowd and @devnexen could help us?

it builds and has the same succesful unit tests than dev on haiku.

[gogo2464]

So i have tested this extensively on windows and you cannot disable ASLR programmatically, only enable it.

does -R aslr=no works now?

[arrowd]

Is rz_sys_aslr() intended to change a global system-wide ASLR setting?

[gogo2464]

Is rz_sys_aslr() intended to change a global system-wide ASLR setting?

only for the current process, check:

rizin/librz/util/sys.c

Line 762 in d86e8ae

HANDLE handle = GetCurrentProcess();

[wargio]

So i have tested this extensively on windows and you cannot disable ASLR programmatically, only enable it.

does -R aslr=no works now?

on windows no and never will.

		RZ_LOG_ERROR("On Windows, ASLR mitigation policies cannot be made less restrictive if they are already enabled.\n");
		RZ_LOG_ERROR("It is possible to disable ASLR by modifying the PE header and removing the following flags:\n");
		RZ_LOG_ERROR("- IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n");
		RZ_LOG_ERROR("- IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA.\n");
		RZ_LOG_ERROR("Or as Administrator from PowerShell by running: `Set-ProcessMitigation -Name file.exe -Disable ForceRelocateImages`\n");

[wargio]

Is rz_sys_aslr() intended to change a global system-wide ASLR setting?

it is supposed to be used for spawning processes with aslr or not.
that function will change in the future and will be only used in the debugger.

[arrowd]

Then the FreeBSD case is wrong. Changing sysctl is global and affects all processes that are started after the switch.

On FreeBSD it is possible to do elfctl -e +noaslr file to force an executable file to be started without ASLR. Pretty much, just like the Windows case.

[gogo2464]

So i have tested this extensively on windows and you cannot disable ASLR programmatically, only enable it.

does -R aslr=no works now?

on windows no and never will.

		RZ_LOG_ERROR("On Windows, ASLR mitigation policies cannot be made less restrictive if they are already enabled.\n");
		RZ_LOG_ERROR("It is possible to disable ASLR by modifying the PE header and removing the following flags:\n");
		RZ_LOG_ERROR("- IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n");
		RZ_LOG_ERROR("- IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA.\n");
		RZ_LOG_ERROR("Or as Administrator from PowerShell by running: `Set-ProcessMitigation -Name file.exe -Disable ForceRelocateImages`\n");

might we consider patching the PEB for disabling aslr?

[arrowd]

might we consider patching the PEB for disabling aslr?

I'd say it makes sense, because it follows all other plaforms except Linux and MacOS for which it is possible to set ASLR state on the program startup.

[devnexen]

Then the FreeBSD case is wrong. Changing sysctl is global and affects all processes that are started after the switch.

On FreeBSD it is possible to do elfctl -e +noaslr file to force an executable file to be started without ASLR. Pretty much, just like the Windows case.

or you can use the procctl api with PROC_ASLR_CTL.