Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
A simple script to check PE files for exploit mitigations (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA) and anomalies
import argparse
import logging
import pefile
import sys
from prettytable import PrettyTable
# Author: David Cannings @edeca
# Date: September 2018
# Checks a PE file for DEP, ASLR, high entropy ASLR and ASLR
# anomalies (/DYNAMICBASE set with relocations stripped).
# Requirements:
# $ pip install pefile PTable
def _test_opt_header(pe, flag):
Test a specific flag in the optional header and return True/False.
header = pe.OPTIONAL_HEADER.DllCharacteristics
return (header & pefile.DLL_CHARACTERISTICS[flag]) > 0
def check(fn):"Checking file {}".format(fn))
pe = pefile.PE(fn, fast_load=True)
except pefile.PEFormatError:
logging.error("Couldn't load this file as a Portable Executable")
except OSError:
logging.error("Couldn't load the specifed file, does it exist?")
res = {}
res['aslr'] = _test_opt_header(pe, 'IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE')
res['aslr64'] = _test_opt_header(
res['dep'] = _test_opt_header(pe, 'IMAGE_DLLCHARACTERISTICS_NX_COMPAT')
res['aslr_anomaly'] = False
if res['aslr'] and pe.FILE_HEADER.Characteristics & pefile.IMAGE_CHARACTERISTICS['IMAGE_FILE_RELOCS_STRIPPED']:
logging.warning("/DYNAMICBASE is enabled but relocations are stripped")
res['aslr_anomaly'] = True
return res
def main():
parser = argparse.ArgumentParser()
parser.add_argument("file", help="portable executable file to process")
args = parser.parse_args()
res = check(args.file)
flags = {'aslr': '/DYNAMICBASE', 'dep': '/NXCOMPAT',
'aslr64': '/HIGHENTROPYVA', 'aslr_anomaly': 'Anomalies?'}
out = PrettyTable()
out.field_names = ["Feature", "Enabled"]
for name, flag in flags.iteritems():
out.add_row([flag, res[name]])
if __name__ == "__main__":
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment