AD2001: LoadImagesAboveFourGigabyteAddress¶
Summary¶
| Property | Value |
|---|---|
| ID | AD2001 |
| Name | LoadImagesAboveFourGigabyteAddress |
| Category | Security |
| Severity | Error |
| Applies to | PE (Windows) - 64-bit binaries |
Description¶
64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security.
When a 64-bit binary has a preferred base address below 4GB, Windows enables an ASLR compatibility mode that significantly reduces the entropy of address randomization. This makes it easier for attackers to predict memory locations and exploit memory corruption vulnerabilities.
How It Works¶
The rule examines the ImageBase field in the PE optional header. For 64-bit binaries, this value should be greater than 0x100000000 (4GB).
Why This Matters¶
Address Space Layout Randomization (ASLR) is one of the most important exploit mitigations in modern operating systems. Its effectiveness is directly proportional to the amount of entropy (randomness) in memory addresses. When 64-bit binaries have a preferred base address below 4GB, Windows enables a compatibility mode that dramatically reduces ASLR effectiveness.
The Technical Details¶
The 64-bit address space on x86-64 allows for vastly more randomization than 32-bit systems:
| Configuration | Entropy Bits | Possible Locations | Brute-force Difficulty |
|---|---|---|---|
| Below 4GB (compat mode) | ~16 bits | ~65,000 | Feasible in minutes |
| Above 4GB (high entropy) | ~32+ bits | ~4 billion | Effectively impossible |
Why the Compatibility Mode Exists¶
Some legacy code truncates pointers to 32 bits or uses signed 32-bit comparisons on addresses. When a binary's preferred base is below 4GB, Windows assumes it might have such compatibility issues and limits randomization to addresses below 4GB, preserving only the lower 32 bits of significance.
Security Impact¶
-
Brute-force Attacks: With only 16 bits of entropy, an attacker can crash a service repeatedly until they guess the correct address. At 1000 attempts per second, this takes about a minute on average.
-
Information Disclosure Amplification: Even small information leaks become much more valuable. A partial pointer leak might narrow down the address completely.
-
Cross-process Attacks: In scenarios like browser exploitation, the reduced entropy makes heap spraying and other techniques far more reliable.
Performance Considerations¶
There is no performance penalty for using base addresses above 4GB. The only impact is on legacy code that incorrectly handles 64-bit addresses.
Historical Context¶
This compatibility mode was introduced in Windows Vista when 64-bit Windows was new and many applications hadn't been updated to handle full 64-bit addresses. Modern 64-bit code should have no such limitations.
Resolution¶
For Visual Studio / MSVC¶
Set the preferred base address above 4GB using the /BASE linker option:
Or in project properties:
1. Open Project Properties
2. Navigate to Linker → Advanced
3. Set "Base Address" to a value above 0x100000000
For CMake¶
if(CMAKE_SIZEOF_VOID_P EQUAL 8)
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /BASE:0x140000000")
endif()
When to Suppress¶
This rule can be suppressed in the following scenarios:
- Legacy compatibility: When the binary must interact with 32-bit components that expect pointers to fit in 32 bits
- Memory-mapped files: When using memory mapping that requires specific address ranges
- Custom loaders: When using custom loading mechanisms that require specific addresses
Caveats¶
- This rule only applies to 64-bit PE binaries
- 32-bit binaries are not affected (they cannot address above 4GB)
- DLLs marked as ASLR-compatible typically don't need explicit base addresses