Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslrfiles.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
import sys
import os
from subprocess import Popen, PIPE, STDOUT
import pefile
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
if __name__ == '__main__':
if len(sys.argv) < 2:
print('Please specify a directory to search')
sys.exit()
topdir = sys.argv[1]
badaslr = False
print('Crawling root directory: %s ...' % topdir)
if not os.path.exists(topdir):
print('path does not exist: %s', topdir)
exit()
print('The following files are linked with /DYNAMICBASE, but may not be compatible with ASLR:')
founddotnet = False
foundwibu = False
for dir in os.walk(topdir):
for file in dir[2]:
DYNAMICBASE = False
StrippedReloc = False
dotnet = False
wibu = False
imagebase = 0
try:
pe = pefile.PE(os.path.join(dir[0], file), fast_load=True)
pe.parse_data_directories([pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']])
if pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR']].VirtualAddress != 0:
# .NET binary. These are relocated similarly to "Force ASLR", even without a relocation table
dotnet = True
if pe.sections[0].Name.decode('utf-8') == u'__wibu00':
wibu = True
if pe.FILE_HEADER.Characteristics & IMAGE_FILE_RELOCS_STRIPPED:
StrippedReloc = True
if pe.OPTIONAL_HEADER.DllCharacteristics & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE:
DYNAMICBASE = True
if pe.OPTIONAL_HEADER.ImageBase:
imagebase = hex(pe.OPTIONAL_HEADER.ImageBase)
if DYNAMICBASE and StrippedReloc:
badaslr = True
if dotnet:
print('%s (.NET): %s' % (os.path.join(dir[0], file), imagebase))
founddotnet = True
else:
print('%s : %s' % (os.path.join(dir[0], file), imagebase))
#print(dir(pe.OPTIONAL_HEADER.ImageBase))
elif DYNAMICBASE and wibu:
print('%s (WIBU) : %s' % (os.path.join(dir[0], file), imagebase))
foundwibu = True
badaslr = True
except:
# Non-PE, bad permissions, etc...
continue
if not badaslr:
print('All /DYNAMICBASE files have a relocation table. Good.')
elif founddotnet:
print('NOTE: .NET executables will only be relocated on Windows 8 and newer platforms.')
if foundwibu:
print('NOTE: WIBU-protected executables may not be relocated. Please verify to confirm.')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment