Check ASLR from Remote PEB
Code:
unit uCheckASLR;
{************************************
* Coded by Agmcz *
* Date: 01-05-2018 *
************************************}
interface
uses
Windows;
function CheckASLRPEB32(hProcess: THandle): Boolean;
implementation
type
// Pointer alias for the record below.
PProcessBasicInformation = ^TProcessBasicInformation;
// Local declaration of the buffer that CheckASLRPEB32 passes to
// NtQueryInformationProcess with information class 0 (ProcessBasicInformation).
// NOTE(review): AffinityMask and the two process-id fields are declared as
// 32-bit Cardinal, whereas the native structure uses pointer-sized fields, so
// this layout and its SizeOf only match in a 32-bit build. Confirm before
// compiling for Win64.
TProcessBasicInformation = record
ExitStatus: LongInt;
PebBaseAddress: Pointer; // PEB address inside the queried process; CheckASLRPEB32 reads it remotely, never dereferences it locally
AffinityMask: Cardinal;
BasePriority: LongInt;
UniqueProcessId: Cardinal;
InheritedFromUniqueProcessId: Cardinal;
end;
// Static imports from ntdll.dll. Both return a status code as LongInt; the
// caller in this unit treats 0 as success and anything else as failure.
// NOTE(review): these are native-API entry points, and the PEB layout read
// through them is not a stable contract; re-verify offsets and flag positions
// on each Windows version this check is expected to run against.
function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: DWORD {PROCESSINFOCLASS}; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll';
// Copies BufferLength bytes from BaseAddress in the target process into Buffer.
// The handle presumably needs PROCESS_VM_READ access; verify at the call site
// that opens the process.
function NtReadVirtualMemory(ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: ULONG; ReturnLength: PULONG): Longint; stdcall; external 'ntdll.dll';
// Returns True when bit 2 (mask $04) of the given PEB BitField byte is set.
// CheckASLRPEB32 uses that bit as the "image was dynamically relocated" flag.
// NOTE(review): the position of this flag inside Peb.BitField is not stable
// across Windows versions. Older layouts are believed to carry a different
// flag in bit 2 and the relocation flag in bit 3. Confirm against the PEB
// definition of every OS build you rely on before trusting the result.
function ImageDynamicallyRelocated(BitField: Byte): Boolean;
const
  RELOCATED_MASK = $04; // 1 shl 2
begin
  Result := (BitField and RELOCATED_MASK) <> 0;
end;
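// Reports whether the main image of the process behind hProcess was
// dynamically relocated at load time, by reading the BitField byte at offset 3
// of that process's PEB and testing its relocation flag.
//
// Parameters:
//   hProcess - handle to the process to inspect. It must allow both the
//              basic-information query (PROCESS_QUERY_INFORMATION or
//              PROCESS_QUERY_LIMITED_INFORMATION) and PROCESS_VM_READ.
//
// Returns True only when both native calls succeed, exactly one byte is read
// and the flag is set. Returns False in every other case.
//
// Caveats for anyone using the result as a security signal:
//   * False is ambiguous: it covers "not relocated" as well as a bad handle,
//     access denied or a failed read. Do not report "ASLR disabled" from
//     False alone.
//   * The flag describes the main executable image only. It says nothing
//     about other modules loaded into the process or about the image's PE
//     header opt-in flags.
//   * The current-process pseudo-handle has the same value as
//     INVALID_HANDLE_VALUE, so it is rejected by the guard below. Pass a real
//     handle to inspect the calling process.
//   * 32-bit only: the record layout used for the query matches a 32-bit
//     build. NOTE(review): behaviour against a 64-bit target from a 32-bit
//     caller has not been verified here.
function CheckASLRPEB32(hProcess: THandle): Boolean;
var
  PBI: TProcessBasicInformation;
  BitField: Byte;
  BytesRead: ULONG;
begin
  Result := False;

  if (hProcess = 0) or (hProcess = INVALID_HANDLE_VALUE) then
    Exit;

  // Start from a known state so a partial fill cannot leave a stale pointer.
  FillChar(PBI, SizeOf(PBI), 0);
  if NtQueryInformationProcess(hProcess, 0{ProcessBasicInformation = 0}, @PBI, SizeOf(PBI), nil) <> 0 then
    Exit;

  // No PEB address means nothing to read; do not probe address 3.
  if PBI.PebBaseAddress = nil then
    Exit;

  BitField := 0;
  BytesRead := 0;
  // Byte-wise pointer arithmetic avoids squeezing the address through an integer cast.
  if NtReadVirtualMemory(hProcess, Pointer(PAnsiChar(PBI.PebBaseAddress) + 3), @BitField{Peb.BitField}, SizeOf(BitField), @BytesRead) <> 0 then
    Exit;

  // Only trust the byte if the kernel says it actually copied it.
  if BytesRead = SizeOf(BitField) then
    Result := ImageDynamicallyRelocated(BitField);
end;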
end.