Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-09-2018, 03:04
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
[Delphi] Check if ASLR is enabled

Check if ASLR is enabled.
Code:
{************************************
* Coded by Agmcz                    *
* Hints by naquadria                *
* Date: 2018-01-07                  *
************************************}

unit uCheckASLR;

interface

uses
  Windows;

function CheckASLR(const FileName: string): Boolean;

implementation

const
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = $0040;
  IMAGE_DIRECTORY_ENTRY_BASERELOC = 5;

function CheckASLR(const FileName: string): Boolean;
var
  hFile: THandle;
  hMapping: DWORD;
  pMap: Pointer;
  dwSize: DWORD;
  IDH: PImageDosHeader;
  INH: PImageNtHeaders;
  ISH: PImageSectionHeader;
  n: Word;
  dwRelocAddr, dwRelocSize: DWORD;
begin
  Result := False;
  hFile := CreateFile(PChar(FileName), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  if hFile <> INVALID_HANDLE_VALUE then
  begin
    dwSize := GetFileSize(hFile, nil);
    hMapping := CreateFileMapping(hFile, nil, PAGE_READONLY, 0, dwSize, nil);
    if hMapping <> 0 then
    begin
      pMap := MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
      if pMap <> nil then
      begin
        IDH := PImageDosHeader(pMap);
        if IDH.e_magic = IMAGE_DOS_SIGNATURE then
        begin
          INH := PImageNtHeaders(DWORD(pMap) + LongWord(IDH._lfanew));
          if INH.Signature = IMAGE_NT_SIGNATURE then
          begin
            if (INH.OptionalHeader.DllCharacteristics and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE then
            begin
              ISH := PImageSectionHeader(DWORD(pMap) + LongWord(IDH._lfanew) + SizeOf(DWORD) + SizeOf(INH.FileHeader) + INH.FileHeader.SizeOfOptionalHeader);
              dwRelocAddr := INH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
              dwRelocSize := INH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
              if (dwRelocAddr <> 0) and (dwRelocSize <> 0) then
              begin
                for n := 0 to INH.FileHeader.NumberOfSections - 1 do
                begin
                  if ISH.VirtualAddress = dwRelocAddr then
                  begin
                    if (ISH.Misc.VirtualSize <> 0) and  (ISH.PointerToRawData <> 0) and (ISH.SizeOfRawData <> 0) then
                      Result := True;
                    Break;
                  end;
                  Inc(ISH);
                end;
              end;
            end;
          end;
        end;
        UnmapViewOfFile(pMap);
      end;
      CloseHandle(hMapping);
    end;
    CloseHandle(hFile);
  end;
end;

end.
Attached Files
File Type: rar ASLR Checker.rar (2.1 KB, 18 views)
Reply With Quote
The Following 8 Users Say Thank You to Agmcz For This Useful Post:
allan (04-26-2018), dosprog (04-08-2018), h4sh3m (03-10-2018), Insid3Code (03-09-2018), niculaita (03-12-2018), ontryit (03-11-2018), tonyweb (03-10-2018), virus (03-13-2018)
  #2  
Old 03-11-2018, 17:18
ontryit ontryit is offline
Friend
 
Join Date: Nov 2011
Posts: 172
Rept. Given: 127
Rept. Rcvd 17 Times in 14 Posts
Thanks Given: 411
Thanks Rcvd at 70 Times in 43 Posts
ontryit Reputation: 17
Can post the attachment outside of this board? Thx
Reply With Quote
  #3  
Old 03-11-2018, 20:42
NoneForce NoneForce is offline
Lo*eXeTools*rd
 
Join Date: Mar 2002
Posts: 461
Rept. Given: 235
Rept. Rcvd 140 Times in 79 Posts
Thanks Given: 241
Thanks Rcvd at 53 Times in 28 Posts
NoneForce Reputation: 100-199 NoneForce Reputation: 100-199
Hi,

Code:
https://nofile.io/f/YtbJBoKEcTt/ASLR+Checker.rar
Reply With Quote
The Following 3 Users Say Thank You to NoneForce For This Useful Post:
Agmcz (03-13-2018), niculaita (03-12-2018), ontryit (03-12-2018)
  #4  
Old 04-08-2018, 02:07
dosprog dosprog is offline
Friend
 
Join Date: Feb 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 17 Times in 16 Posts
Thanks Given: 33
Thanks Rcvd at 146 Times in 74 Posts
dosprog Reputation: 17
Why not simply check the bit "Relocations Stripped" at PE characteristics, as does the PE_ASLR.HEM HIEW32 plugin?

Last edited by dosprog; 04-08-2018 at 02:19.
Reply With Quote
  #5  
Old 04-08-2018, 02:31
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Because that's just plain wrong, the two flags don't exclude each other.
Reply With Quote
  #6  
Old 04-08-2018, 02:51
dosprog dosprog is offline
Friend
 
Join Date: Feb 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 17 Times in 16 Posts
Thanks Given: 33
Thanks Rcvd at 146 Times in 74 Posts
dosprog Reputation: 17
But when DLLCHARACTERISTICS.RelocationsStrippedBit=1 all others ignored. Agree?

..however you are right, if the file is processed by the plugin PE_ASLR.HEM with this bit set to 1, then additional checks will be required after clear it.



Last edited by dosprog; 04-08-2018 at 03:21.
Reply With Quote
  #7  
Old 04-08-2018, 04:11
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Microsoft didn't implement two linker options for fun, these are two individual flags doing different things and can be enabled or disabled independently from each other.

So if you want to know if a file is ASLR enabled, then you check the flag telling you if a file is ASLR enabled and not the flag telling you if a file has relocations.

(I'm aware the code posted here does check for a relocation table, but relocations are no requirement for ASLR)
Reply With Quote
  #8  
Old 04-08-2018, 09:00
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
you must check bit "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" in PE.OPTIONAL_HEADER.DllCharacteristics member.
Reply With Quote
  #9  
Old 04-08-2018, 09:11
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
more...
check if ASLR is enabled from process
Code:
unit uCheckASLR;

// Original C++ Source: https://stackoverflow.com/questions/47105480/how-to-check-if-aslr-is-enabled-for-a-process
// Converted to Delphi by Agmcz 28-12-2017 2:25:32

interface

uses
  Windows;

function CheckASLR(dwProcessId: ULONG; out bASLR: Boolean): ULONG;

implementation

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

type
 TSectionImageInformation  = record
    TransferAddress: Pointer;
    ZeroBits: ULONG;
    MaximumStackSize: ULONG;
    CommittedStackSize: ULONG;
    SubSystemType: ULONG;
    MinorSubsystemVersion: Word;
    MajorSubsystemVersion: Word;
    GpValue: ULONG;
    ImageCharacteristics: Word;
    DllCharacteristics: Word;
    Machine: Word;
    ImageContainsCode: Boolean;
    ImageFlags: Byte;
    LoaderFlags: ULONG;
    ImageFileSize: ULONG;
    CheckSum: ULONG;
  end;

  PROCESSINFOCLASS = (
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessResourceManagement,
    ProcessCookie,
    ProcessImageInformation,
    MaxProcessInfoClass);

type
  NTSTATUS = LongWord;

function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG ): LongInt; stdcall; external 'ntdll.dll';
function RtlNtStatusToDosError(Status: NTSTATUS): Integer; stdcall; external 'ntdll.dll';

function CheckASLR(dwProcessId: ULONG; out bASLR: Boolean): ULONG;
var
 hProcess: THandle;
 sii: TSectionImageInformation;
 status: NTSTATUS;
begin
  hProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, dwProcessId);
  if (hProcess <> 0) and (hProcess <> INVALID_HANDLE_VALUE) then
  begin
    status := NtQueryInformationProcess(hProcess, ProcessImageInformation, @sii, SizeOf(sii), 0);
    CloseHandle(hProcess);
    if 0 <= status then
    begin
      bASLR := Boolean(sii.ImageFlags);
      Result := NOERROR;
      Exit;
    end;
    Result := RtlNtStatusToDosError(status);
    Exit;
  end;
  Result := GetLastError;
end;

end.
Attached Files
File Type: zip uCheckASLR.zip (1.3 KB, 6 views)
Reply With Quote
The Following 3 Users Say Thank You to Agmcz For This Useful Post:
dj-siba (04-08-2018), ontryit (04-08-2018), tonyweb (04-26-2018)
  #10  
Old 04-08-2018, 10:19
evlncrn8 evlncrn8 is offline
VIP
 
Join Date: Sep 2005
Posts: 179
Rept. Given: 36
Rept. Rcvd 54 Times in 24 Posts
Thanks Given: 49
Thanks Rcvd at 117 Times in 69 Posts
evlncrn8 Reputation: 54
theres a bug in the code above..

bASLR := Boolean(sii.ImageFlags);

right there..

ImageFlags is a set of bitflags, to test for the aslr portion you need to and it and check the result, so you need to check bit 2, you're just blindly assuming that any non zero value for the whole thing means alsr is enabled.. this is wrong

-----

UINT8 ImageFlags; // 0x0023 / 0x0033; 0x0001 / 0x0001 Bytes
struct // 7 / 7 elements; 0x0001 / 0x0001 Bytes
{
UINT8 ComPlusNativeReady : 1; // 0x0023 / 0x0033; Bit: 0
UINT8 ComPlusILOnly : 1; // 0x0023 / 0x0033; Bit: 1
UINT8 ImageDynamicallyRelocated : 1; // 0x0023 / 0x0033; Bit: 2
UINT8 ImageMappedFlat : 1; // 0x0023 / 0x0033; Bit: 3
UINT8 BaseBelow4gb : 1; // 0x0023 / 0x0033; Bit: 4
UINT8 ComPlusPrefer32bit : 1; // 0x0023 / 0x0033; Bit: 5
UINT8 Reserved : 2; // 0x0023 / 0x0033; Bits: 6 - 7
};
Reply With Quote
The Following 4 Users Say Thank You to evlncrn8 For This Useful Post:
Agmcz (04-08-2018), ontryit (04-27-2018), Stingered (04-08-2018), tonyweb (04-26-2018)
  #11  
Old 04-08-2018, 18:03
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
Okay
now it works correctly.
Code:
unit uCheckASLR;

// Original C++ Source: https://stackoverflow.com/questions/47105480/how-to-check-if-aslr-is-enabled-for-a-process
// Ported to Delphi by Agmcz 28-12-2017 2:25:32
// Fix 04-08-2018 10:56:25

interface

uses
  Windows;

function CheckASLR(dwProcessId: LongWord; out bASLR: Boolean): LongWord;

implementation

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

type
 TSectionImageInformation  = record
    TransferAddress: Pointer;
    ZeroBits: LongWord;
    MaximumStackSize: LongWord;
    CommittedStackSize: LongWord;
    SubSystemType: LongWord;
    MinorSubsystemVersion: Word;
    MajorSubsystemVersion: Word;
    GpValue: LongWord;
    ImageCharacteristics: Word;
    DllCharacteristics: Word;
    Machine: Word;
    ImageContainsCode: Boolean;
    ImageFlags: Byte;
    LoaderFlags: LongWord;
    ImageFileSize: LongWord;
    CheckSum: LongWord;
  end;

  PROCESSINFOCLASS = (
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessResourceManagement,
    ProcessCookie,
    ProcessImageInformation,
    MaxProcessInfoClass);

type
  NTSTATUS = LongWord;

function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG ): LongInt; stdcall; external 'ntdll.dll';
function RtlNtStatusToDosError(Status: NTSTATUS): Integer; stdcall; external 'ntdll.dll';

function ImageDynamicallyRelocated(sii: TSectionImageInformation): Boolean;
begin
  Result := (sii.ImageFlags and (1 shl 2)) = 1;
end;

function CheckASLR(dwProcessId: LongWord; out bASLR: Boolean): LongWord;
var
 hProcess: THandle;
 sii: TSectionImageInformation;
 status: NTSTATUS;
begin
  hProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, dwProcessId);
  if (hProcess <> 0) and (hProcess <> INVALID_HANDLE_VALUE) then
  begin
    status := NtQueryInformationProcess(hProcess, ProcessImageInformation, @sii, SizeOf(sii), 0);
    CloseHandle(hProcess);
    if 0 <= status then
    begin
      bASLR := ImageDynamicallyRelocated(sii);
      Result := NOERROR;
      Exit;
    end;
    Result := RtlNtStatusToDosError(status);
    Exit;
  end;
  Result := GetLastError;
end;

end.
Attached Files
File Type: rar Fix_uCheckASLR.rar (1.3 KB, 13 views)
Reply With Quote
The Following User Gave Reputation+1 to Agmcz For This Useful Post:
Insid3Code (04-10-2018)
The Following 4 Users Say Thank You to Agmcz For This Useful Post:
allan (04-26-2018), niculaita (04-09-2018), ontryit (04-08-2018), tonyweb (04-26-2018)
  #12  
Old 04-26-2018, 03:37
allan allan is offline
Guest
 
Join Date: Nov 2017
Posts: 3
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 0 Times in 0 Posts
allan Reputation: 0
What is the version of Delphi that you guys are using?
Reply With Quote
  #13  
Old 05-01-2018, 09:45
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
Fix func ImageDynamicallyRelocated
Code:
unit uCheckASLR;

// Original C++ Source: https://stackoverflow.com/questions/47105480/how-to-check-if-aslr-is-enabled-for-a-process
// Ported to Delphi by Agmcz 28-12-2017 2:25:32
// Fix 08-04-2018 10:56:25
// Fix2 01-05-2018 2:28:15

interface

uses
  Windows;

function CheckASLR(dwProcessId: LongWord; out bASLR: Boolean): LongWord;

implementation

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

type
 TSectionImageInformation  = record
    TransferAddress: Pointer;
    ZeroBits: LongWord;
    MaximumStackSize: LongWord;
    CommittedStackSize: LongWord;
    SubSystemType: LongWord;
    MinorSubsystemVersion: Word;
    MajorSubsystemVersion: Word;
    GpValue: LongWord;
    ImageCharacteristics: Word;
    DllCharacteristics: Word;
    Machine: Word;
    ImageContainsCode: Boolean;
    ImageFlags: Byte;
    LoaderFlags: LongWord;
    ImageFileSize: LongWord;
    CheckSum: LongWord;
  end;

  PROCESSINFOCLASS = (
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessTlsInformation,
    ProcessCookie,
    ProcessImageInformation,
    ProcessCycleTime,
    ProcessPagePriority,
    ProcessInstrumentationCallback,
    ProcessThreadStackAllocation,
    ProcessWorkingSetWatchEx,
    ProcessImageFileNameWin32,
    ProcessImageFileMapping,
    ProcessAffinityUpdateMode,
    ProcessMemoryAllocationMode,
    ProcessGroupInformation,
    ProcessTokenVirtualizationEnabled,
    ProcessConsoleHostProcess,
    ProcessWindowInformation,
    MaxProcessInfoClass);

type
  NTSTATUS = LongWord;

function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG ): LongInt; stdcall; external 'ntdll.dll';
function RtlNtStatusToDosError(Status: NTSTATUS): Integer; stdcall; external 'ntdll.dll';

function ImageDynamicallyRelocated(sii: TSectionImageInformation): Boolean;
asm
  MOVZX EAX, BYTE PTR SS:[sii.ImageFlags]
  SHR AL, 2
  AND EAX, 1
end;

function CheckASLR(dwProcessId: LongWord; out bASLR: Boolean): LongWord;
var
 hProcess: THandle;
 sii: TSectionImageInformation;
 status: NTSTATUS;
begin
  hProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, dwProcessId);
  if (hProcess <> 0) and (hProcess <> INVALID_HANDLE_VALUE) then
  begin
    status := NtQueryInformationProcess(hProcess, ProcessImageInformation, @sii, SizeOf(sii), 0);
    CloseHandle(hProcess);
    if 0 <= status then
    begin
      bASLR := ImageDynamicallyRelocated(sii);
      Result := NOERROR;
      Exit;
    end;
    Result := RtlNtStatusToDosError(status);
    Exit;
  end;
  Result := GetLastError;
end;

end.
Attached Files
File Type: rar Fix2_uCheckASLR.rar (1.4 KB, 5 views)
Reply With Quote
The Following 3 Users Say Thank You to Agmcz For This Useful Post:
Insid3Code (05-02-2018), niculaita (05-01-2018), ontryit (05-02-2018)
  #14  
Old 05-01-2018, 09:49
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
Quote:
Originally Posted by allan View Post
What is the version of Delphi that you guys are using?
You can use delphi7 or a newer version.
Reply With Quote
The Following 3 Users Say Thank You to Agmcz For This Useful Post:
allan (05-08-2018), niculaita (05-01-2018), ontryit (05-02-2018)
  #15  
Old 05-01-2018, 22:26
Agmcz Agmcz is offline
Friend
 
Join Date: Mar 2018
Posts: 16
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 61 Times in 13 Posts
Agmcz Reputation: 4
Check ASLR from Remote PEB

More..
Check ASLR from Remote PEB
Code:
unit uCheckASLR;

{************************************
* Coded by Agmcz                    *
* Date: 01-05-2018                  *
************************************}

interface

uses
  Windows;

function CheckASLRPEB32(hProcess: THandle): Boolean;

implementation

type
  PProcessBasicInformation = ^TProcessBasicInformation;
  TProcessBasicInformation = record
    ExitStatus: LongInt;
    PebBaseAddress: Pointer;
    AffinityMask: Cardinal;
    BasePriority: LongInt;
    UniqueProcessId: Cardinal;
    InheritedFromUniqueProcessId: Cardinal;
  end;

function NtQueryInformationProcess(ProcessHandle: THandle; ProcessInformationClass: DWORD {PROCESSINFOCLASS}; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll';
function NtReadVirtualMemory(ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: ULONG; ReturnLength: PULONG): Longint; stdcall; external 'ntdll.dll';

function ImageDynamicallyRelocated(BitField: Byte): Boolean;
asm
  SHR AL, 2
  AND AL, 1
end;

function CheckASLRPEB32(hProcess: THandle): Boolean;
var
  PBI: TProcessBasicInformation;
  BitField: Byte;
begin
  Result := False;
  if (hProcess <> 0) and (hProcess <> INVALID_HANDLE_VALUE) then
  begin
    if NtQueryInformationProcess(hProcess, 0{ProcessBasicInformation = 0}, @PBI, SizeOf(TProcessBasicInformation), 0) = 0 then
    begin
      if NtReadVirtualMemory(hProcess, Pointer(DWORD(PBI.PebBaseAddress) + 3), @BitField{Peb.BitField}, SizeOf(Byte), 0) = 0 then
        Result := ImageDynamicallyRelocated(BitField);
    end;
  end;
end;

end.
Attached Files
File Type: rar uCheckASLR.rar (745 Bytes, 6 views)
Reply With Quote
The Following 2 Users Say Thank You to Agmcz For This Useful Post:
Insid3Code (05-02-2018), ontryit (05-02-2018)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
[Delphi] Loader shows how to patch PE protected with ASLR Sn!per X Source Code 1 11-28-2015 00:33
Help Me - CRC Check and FileSize Check byvs General Discussion 11 07-31-2003 13:32


All times are GMT +8. The time now is 07:32.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )