@ducphanduyagentp
Forked from wdormann/checkaslrfiles.py
Created August 4, 2018 18:39
Python script to check for PE files that are linked with /DYNAMICBASE but are not actually ASLR-compatible because they lack a relocation table
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
import sys
import os
from subprocess import Popen, PIPE, STDOUT
import pefile
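# Bit tested in OPTIONAL_HEADER.DllCharacteristics: the image was linked
# with /DYNAMICBASE, i.e. it opts into ASLR.
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040
# Bit tested in FILE_HEADER.Characteristics: relocation information was
# stripped, so the loader has nothing to rebase the image with.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

if __name__ == '__main__':
    # Walk the directory given on the command line and report every PE file
    # that sets /DYNAMICBASE but cannot actually be relocated.
    if len(sys.argv) < 2:
        print('Please specify a directory to search')
        # Non-zero status so a calling script can tell "no scan happened"
        # apart from a completed scan.
        sys.exit(1)

    topdir = sys.argv[1]
    print('Crawling root directory: %s ...' % topdir)
    if not os.path.exists(topdir):
        # Fixed: the original passed topdir as a second print() argument,
        # so the literal "%s" was printed instead of the path.
        print('path does not exist: %s' % topdir)
        sys.exit(1)

    print('The following files are linked with /DYNAMICBASE, but may not be compatible with ASLR:')

    badaslr = False
    founddotnet = False
    foundwibu = False
    com_index = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR']
    load_config_index = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']

    # NOTE: os.walk() ignores directories it cannot list, and files that
    # fail to parse are skipped below. The final "Good." verdict therefore
    # covers only the files that could actually be read and parsed.
    for dirpath, _dirnames, filenames in os.walk(topdir):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            pe = None
            try:
                pe = pefile.PE(path, fast_load=True)
                # Kept from the original; the parsed load-config directory
                # is not read by any check below.
                pe.parse_data_directories([load_config_index])

                # .NET binary. These are relocated similarly to "Force ASLR",
                # even without a relocation table. The length guard keeps an
                # image with a short data-directory array from being skipped.
                directories = pe.OPTIONAL_HEADER.DATA_DIRECTORY
                dotnet = (len(directories) > com_index
                          and directories[com_index].VirtualAddress != 0)

                # Compare raw bytes instead of decoding: a first section name
                # that is not valid UTF-8 used to raise, and the bare except
                # then dropped the file from the report (a false negative).
                # The sections guard does the same for a section-less image.
                wibu = bool(pe.sections) and pe.sections[0].Name == b'__wibu00'

                relocs_stripped = bool(
                    pe.FILE_HEADER.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
                dynamic_base = bool(
                    pe.OPTIONAL_HEADER.DllCharacteristics
                    & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE)

                # Preferred load address, shown so the reader can see where a
                # non-relocatable image will land; stays 0 when the field is 0.
                imagebase = 0
                if pe.OPTIONAL_HEADER.ImageBase:
                    imagebase = hex(pe.OPTIONAL_HEADER.ImageBase)

                if dynamic_base and relocs_stripped:
                    badaslr = True
                    if dotnet:
                        print('%s (.NET): %s' % (path, imagebase))
                        founddotnet = True
                    else:
                        print('%s : %s' % (path, imagebase))
                elif dynamic_base and wibu:
                    print('%s (WIBU) : %s' % (path, imagebase))
                    foundwibu = True
                    badaslr = True
            except Exception:
                # Non-PE, bad permissions, etc... Deliberately best-effort,
                # but no longer a bare except, so Ctrl-C and SystemExit still
                # stop a long crawl.
                continue
            finally:
                # Release the file mapping pefile holds for this image;
                # otherwise every parsed file stays mapped until exit.
                if pe is not None:
                    pe.close()

    if not badaslr:
        print('All /DYNAMICBASE files have a relocation table. Good.')
    elif founddotnet:
        print('NOTE: .NET executables will only be relocated on Windows 8 and newer platforms.')
    if foundwibu:
        print('NOTE: WIBU-protected executables may not be relocated. Please verify to confirm.')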