Python script to check for PE files that are linked with /DYNAMICBASE but are not actually ASLR-compatible because the relocation table is missing
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
import sys
import os
from subprocess import Popen, PIPE, STDOUT
import pefile
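# Bit flags read from the PE headers below.
# OPTIONAL_HEADER.DllCharacteristics bit set by the /DYNAMICBASE linker option.
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040
# FILE_HEADER.Characteristics bit: relocation information was stripped.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

if __name__ == '__main__':
    # Walk the directory given on the command line and list every PE file
    # that opts into ASLR (/DYNAMICBASE) but carries no relocation data,
    # or that is WIBU-protected.
    if len(sys.argv) < 2:
        print('Please specify a directory to search')
        sys.exit(1)

    topdir = sys.argv[1]
    print('Crawling root directory: %s ...' % topdir)
    if not os.path.exists(topdir):
        print('path does not exist: %s' % topdir)
        sys.exit(1)
    print('The following files are linked with /DYNAMICBASE, but may not be compatible with ASLR:')

    badaslr = False
    founddotnet = False
    foundwibu = False
    # Files that could not be opened or parsed. They are reported at the end
    # so that a clean result is not mistaken for full coverage.
    skipped = 0

    load_config = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']
    com_descriptor = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR']

    for dirpath, _dirnames, filenames in os.walk(topdir):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            pe = None
            try:
                pe = pefile.PE(path, fast_load=True)
                # Kept from the original script; nothing below reads the
                # parsed load-config directory.
                pe.parse_data_directories([load_config])

                optional = pe.OPTIONAL_HEADER
                directories = optional.DATA_DIRECTORY
                # .NET binary. These are relocated similarly to "Force ASLR",
                # even without a relocation table. The length guard keeps an
                # image with a short data directory from being skipped.
                dotnet = (len(directories) > com_descriptor
                          and directories[com_descriptor].VirtualAddress != 0)
                # Compare raw bytes: decoding the name would raise on a
                # non-UTF-8 section name and drop the file from the report.
                wibu = bool(pe.sections) and pe.sections[0].Name == b'__wibu00'
                stripped_reloc = bool(
                    pe.FILE_HEADER.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
                dynamicbase = bool(
                    optional.DllCharacteristics & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE)
                imagebase = hex(optional.ImageBase) if optional.ImageBase else 0

                if dynamicbase and stripped_reloc:
                    badaslr = True
                    if dotnet:
                        print('%s (.NET): %s' % (path, imagebase))
                        founddotnet = True
                    else:
                        print('%s : %s' % (path, imagebase))
                elif dynamicbase and wibu:
                    print('%s (WIBU) : %s' % (path, imagebase))
                    foundwibu = True
                    badaslr = True
            except pefile.PEFormatError:
                # Not a PE file.
                continue
            except Exception:
                # Bad permissions, empty or malformed file, etc. A bare
                # "except:" would also swallow Ctrl-C and SystemExit.
                skipped += 1
                continue
            finally:
                if pe is not None:
                    pe.close()

    if not badaslr:
        print('All /DYNAMICBASE files have a relocation table. Good.')
    elif founddotnet:
        print('NOTE: .NET executables will only be relocated on Windows 8 and newer platforms.')
    if foundwibu:
        print('NOTE: WIBU-protected executables may not be relocated. Please verify to confirm.')
    if skipped:
        sys.stderr.write(
            'NOTE: %d file(s) could not be opened or parsed and were not checked.\n'
            % skipped)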