-
-
[转帖]ASLR保护启用了吗?
-
2012-6-27 16:09
-
问题:程序装载器如何知道一个可执行文件是否启用了ASLR(Address Space Layout Randomization)保护?
许多人知道aslr保护可以使得可执行文件的载入基址随机变化,但是程序载入器怎么知道可执行文件的ASLR保护有没有打开呢?虽然这个问题回答起来很简单,但是我确信这种判断方法也就是本帖的主题是很少能找到文字出处的。
在PEHeader->IMAGE_OPTIONAL_HEADER结构体中有个DLLCharacteristics字段,这在程序载入器载入可执行文件时用处很大。该字段定义中有关于ASLR开启的描述,当然你还会发现有关DEP开启的定义。
原帖作者写了个rb脚本,我测试了一下可用。
脚本使用说明,先装个rubyinstaller-1.9.3-p194.exe,即可进行测试。
脚本核心代码如图:
实现功能:从NT头偏移0x5E处取出2个字节就是该特征值了。我测试的程序a.exe是个计算器,你可以看看是不是0x8000?
使用效果图:
附上其他定义:
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics; //关键字段
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
DllCharacteristics
0x0001 Reserved.
0x0002 Reserved.
0x0004 Reserved.
0x0008 Reserved.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ////////// aslr
0x0040 The DLL can be relocated at load time.
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
0x0080 Code integrity checks are forced. If you set this flag and a section contains only
uninitialized data, set the PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero;
otherwise, the image will fail to load because the digital signature cannot be verified.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT /////////////dep
0x0100 The image is compatible with data execution prevention (DEP).
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
0x0200 The image is isolation aware, but should not be isolated.
IMAGE_DLLCHARACTERISTICS_NO_SEH /////////////seh
0x0400 The image does not use structured exception handling (SEH).
No handlers can be called in this image.
IMAGE_DLLCHARACTERISTICS_NO_BIND
0x0800 Do not bind the image.
0x1000 Reserved.
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER
0x2000 A WDM driver.
0x4000 Reserved.
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
0x8000 The image is terminal server aware.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
