
Say, if I have a process ID PID, is there a WinAPI to find out if ASLR is enabled/disabled for that specific process?

c00000fd
  • ASLR is not per process but per every PE file. – RbMm Nov 03 '17 at 23:10
  • @RbMm: Oh, so it's per module then. OK, so how do I find that out? Or do I need to manually examine the PE header? I was hoping to avoid it. – c00000fd Nov 03 '17 at 23:13
  • If you are interested only in the *exe* file, you can call `SECTION_IMAGE_INFORMATION sii; ZwQueryInformationProcess(hProcess, ProcessImageInformation, &sii, sizeof(sii), 0);` and check `sii.ImageDynamicallyRelocated`; this will work at minimum from Win7, maybe Vista (not checked here) - http://processhacker.sourceforge.net/doc/ntmmapi_8h_source.html#l00186 – RbMm Nov 03 '17 at 23:43

1 Answer


ASLR is enabled not per process but only for those executables which have IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the IMAGE_OPTIONAL_HEADER.DllCharacteristics member, and of course they must have relocs.

To check whether the exe file (from which the process was created) is dynamically relocated, we can use NtQueryInformationProcess with ProcessImageInformation; it returns SECTION_IMAGE_INFORMATION for the exe file. The process can be opened with PROCESS_QUERY_LIMITED_INFORMATION (this is enough, and it lets us open even protected processes). The ImageDynamicallyRelocated bit says whether ASLR was applied to the image.

// Needs the native API declarations of NtQueryInformationProcess,
// ProcessImageInformation and SECTION_IMAGE_INFORMATION (e.g. the phnt
// headers linked in the comments) and linking against ntdll.lib.
// Returns a Win32 error code (NOERROR on success); bASLR receives whether
// the loader actually relocated the process's main executable.
ULONG CheckASLR(ULONG dwProcessId, BOOLEAN& bASLR)
{
    // PROCESS_QUERY_LIMITED_INFORMATION is enough here and also opens protected processes
    if (HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwProcessId))
    {
        SECTION_IMAGE_INFORMATION sii;

        // ProcessImageInformation returns the SECTION_IMAGE_INFORMATION of the exe's image section
        NTSTATUS status = NtQueryInformationProcess(hProcess, ProcessImageInformation, &sii, sizeof(sii), 0);

        CloseHandle(hProcess);

        if (0 <= status) // same as NT_SUCCESS(status)
        {
            bASLR = sii.ImageDynamicallyRelocated;

            return NOERROR;
        }

        return RtlNtStatusToDosError(status);
    }

    return GetLastError();
}

If we want to query this not only for the exe file but for a specific module, we first need to get the path of this module (we can use GetMappedFileName), open the file, create a section for it and query this section for SectionImageInformation. On exit we again get SECTION_IMAGE_INFORMATION.

// hmod is the module's base address inside hProcess (e.g. from EnumProcessModules).
// hProcess must allow querying the target's virtual memory, which is more than
// PROCESS_QUERY_LIMITED_INFORMATION, so this variant does not work on protected processes.
NTSTATUS CheckASLR(HANDLE hProcess, PVOID hmod, BOOLEAN& bASLR)
{
    // alloca trick: guz is 0, so the first alloca reserves nothing and only
    // yields a stack anchor; later allocas grow the buffer in place on each retry.
    static volatile UCHAR guz = 0;

    PVOID stack = alloca(guz);

    SIZE_T cb = 0, rcb = MAX_PATH*sizeof(WCHAR);

    // MemoryMappedFilenameInformation fills a UNICODE_STRING with the NT native
    // path (\Device\HarddiskVolumeN\...), which NtOpenFile accepts as-is.
    union {
        PVOID buf;
        PUNICODE_STRING ObjectName;
    };

    NTSTATUS status;
    do 
    {
        if (cb < rcb)
        {
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        }

        if (0 <= (status = NtQueryVirtualMemory(hProcess, hmod, MemoryMappedFilenameInformation, buf, cb, &rcb)))
        {
            HANDLE hFile, hSection;
            IO_STATUS_BLOCK iosb;

            OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, ObjectName };

            status = NtOpenFile(&hFile, FILE_GENERIC_READ, &oa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_SYNCHRONOUS_IO_NONALERT);

            if (0 <= status)
            {
                // SEC_IMAGE makes the memory manager parse the PE headers for us
                status = NtCreateSection(&hSection, SECTION_QUERY, 0, 0, PAGE_READONLY, SEC_IMAGE, hFile);

                NtClose(hFile);

                if (0 <= status)
                {
                    SECTION_IMAGE_INFORMATION sii;

                    // ZwQuerySection and NtQuerySection are the same export from user mode
                    status = ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof(sii), 0);

                    NtClose(hSection);

                    if (0 <= status)
                    {
                        bASLR = sii.ImageDynamicallyRelocated;
                    }
                }
            }

            break;
        }

    // STATUS_BUFFER_OVERFLOW means rcb now holds the size required; retry with a bigger buffer
    } while (status == STATUS_BUFFER_OVERFLOW );

    return status;
}
RbMm
  • Hey, appreciate the code sample! Let me run a couple of checks and I'll get back to you. – c00000fd Nov 04 '17 at 00:46
  • As a side note, I'm curious, you said that it will even work with a "protected process" -- I keep running into that terminology when I scan processes with [ProcExp](https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer). What is a `protected process` and how can I tell it apart from a non-protected process? (I mean with a WinAPI.) – c00000fd Nov 04 '17 at 00:48
  • 1
    @c00000fd i mean system protected processes. [`IsProtectedProcess`](https://msdn.microsoft.com/en-us/library/windows/desktop/mt809132(v=vs.85).aspx). however only `CheckASLR(ULONG dwProcessId, BOOLEAN& bASLR)` of course will be work for protected processes. for `NTSTATUS CheckASLR(HANDLE hProcess, PVOID hmod, BOOLEAN& bASLR)` we need `PROCESS_VM_OPERATION` access - so you not open so simply protected process – RbMm Nov 04 '17 at 00:53
  • @c00000fd - [The Evolution of Protected Processes](http://www.alex-ionescu.com/?p=97) – RbMm Nov 04 '17 at 00:55
  • Oh, OK. I see. You meant the first method. Otherwise I wasn't sure how it would work for reading its VM. But, hey, still pretty good code. Thanks for the info on protected processes. – c00000fd Nov 04 '17 at 00:56
  • @c00000fd - some utilities show protected processes - https://prnt.sc/h5zl5c. The first code snippet (for the exe check only) will work for system protected processes too, but you need to have the debug privilege enabled. – RbMm Nov 04 '17 at 01:01
  • Thanks for your help again. Before I mark it, can you answer these: 1) Why are you checking return value from `NtQueryInformationProcess` to be `>=` 0 instead of `==` 0, like Microsoft do in their sample code? and 2) What software did you make [this screenshot](https://prnt.sc/h5zl5c) with? – c00000fd Nov 15 '17 at 06:13
  • @c00000fd - `>= 0` for `NTSTATUS` is an OK (no error) status. `NT_SUCCESS(Status)` if you want. About the software: this is one of my personal utilities. – RbMm Nov 15 '17 at 08:19
  • And I don't know which example you mean. If [this](https://msdn.microsoft.com/en-us/library/windows/desktop/mt809132%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396) - there `if (NT_SUCCESS(status))` is used, so `0 <= status`. Some functions are documented to return other `>0` statuses like `STATUS_TIMEOUT`, `STATUS_USER_APC`, etc., but not this API. – RbMm Nov 15 '17 at 08:24
  • Thanks for the info. – c00000fd Nov 15 '17 at 16:28
  • @RbMm Is it possible to check the same way for CFG ? (on latest win 10) – Mecanik Dec 16 '19 at 17:09
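The answer above makes ASLR a property of the PE file: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header plus a usable base-relocation table. The following is an added example, not part of the original answer and not RbMm's code, that performs that static check directly on the PE headers in portable C (no windows.h, so it builds on any platform); it goes slightly beyond the answer by also reporting IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA on PE32+ images, which is what Windows needs for high-entropy 64-bit ASLR. The `pe_aslr_status` / `build_sample_pe32plus` names and the `ASLR_*` result codes are this example's own, and the image it checks is a constructed minimal PE32+ header, not a real binary.

```c
/* Added example (not from the original answer): decide, from the PE headers
 * alone, whether an image is eligible for ASLR. Portable C, no windows.h;
 * the constants are the documented PE header values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020  /* 64-bit high-entropy ASLR */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040  /* image may be rebased */
#define IMAGE_FILE_RELOCS_STRIPPED               0x0001  /* FileHeader.Characteristics */
#define IMAGE_DIRECTORY_ENTRY_BASERELOC          5

/* Result codes are this example's own, not a Windows API. */
enum aslr_result {
    ASLR_BAD_IMAGE = -1,        /* not a PE we can parse */
    ASLR_NO = 0,                /* loader will map at ImageBase */
    ASLR_YES = 1,               /* DYNAMIC_BASE + usable relocations */
    ASLR_YES_HIGH_ENTROPY = 2   /* ASLR_YES and HIGH_ENTROPY_VA on a PE32+ */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

int pe_aslr_status(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return ASLR_BAD_IMAGE;
    uint32_t pe = rd32(img + 0x3C);                       /* e_lfanew */
    if (pe > len || len - pe < 24) return ASLR_BAD_IMAGE; /* signature + file header */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return ASLR_BAD_IMAGE;

    const uint8_t *fh = img + pe + 4;                     /* IMAGE_FILE_HEADER */
    uint16_t opt_size   = rd16(fh + 16);
    uint16_t file_chars = rd16(fh + 18);
    const uint8_t *opt  = fh + 20;                        /* IMAGE_OPTIONAL_HEADER */
    if (opt_size < 72 || (size_t)(opt - img) + opt_size > len) return ASLR_BAD_IMAGE;

    /* Documented layout: DllCharacteristics is at +70 in both PE32 and PE32+;
     * the data directories start at +96 (PE32) / +112 (PE32+). */
    uint16_t magic = rd16(opt);
    size_t dirs;
    if (magic == 0x10B)      dirs = 96;                   /* PE32 */
    else if (magic == 0x20B) dirs = 112;                  /* PE32+ */
    else return ASLR_BAD_IMAGE;

    uint16_t dll_chars = rd16(opt + 70);
    if (!(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return ASLR_NO;
    /* DYNAMIC_BASE alone is not enough: the loader can only move the image if
     * there is a base relocation table for it to patch. */
    if (file_chars & IMAGE_FILE_RELOCS_STRIPPED) return ASLR_NO;
    if (opt_size < dirs + (IMAGE_DIRECTORY_ENTRY_BASERELOC + 1) * 8) return ASLR_NO;
    uint32_t ndirs = rd32(opt + dirs - 4);                /* NumberOfRvaAndSizes */
    if (ndirs <= IMAGE_DIRECTORY_ENTRY_BASERELOC) return ASLR_NO;
    uint32_t reloc_size = rd32(opt + dirs + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8 + 4);
    if (reloc_size == 0) return ASLR_NO;

    if (magic == 0x20B && (dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA))
        return ASLR_YES_HIGH_ENTROPY;
    return ASLR_YES;
}

/* Constructed test input: a minimal PE32+ header with no sections, just enough
 * for the check above. Returns bytes written, or 0 if cap is too small. */
size_t build_sample_pe32plus(uint8_t *buf, size_t cap, uint16_t dll_chars,
                             uint16_t file_chars, uint32_t reloc_dir_size)
{
    const size_t pe_off = 0x40, opt_off = pe_off + 4 + 20, opt_size = 0xF0;
    size_t total = opt_off + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *fh = buf + pe_off + 4;
    wr16(fh + 0, 0x8664);                                 /* Machine: AMD64 */
    wr16(fh + 16, (uint16_t)opt_size);
    wr16(fh + 18, file_chars);
    uint8_t *opt = buf + opt_off;
    wr16(opt + 0, 0x20B);                                 /* PE32+ magic */
    wr16(opt + 70, dll_chars);
    wr32(opt + 108, 16);                                  /* NumberOfRvaAndSizes */
    wr32(opt + 112 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8, 0x3000);       /* reloc RVA */
    wr32(opt + 112 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8 + 4, reloc_dir_size);
    return total;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample_pe32plus(img, sizeof img,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
        0x0022, 0x40);
    printf("dynamic base + relocs + high entropy: %d\n", pe_aslr_status(img, n));   /* 2 */
    n = build_sample_pe32plus(img, sizeof img, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0022, 0);
    printf("dynamic base but empty reloc directory: %d\n", pe_aslr_status(img, n)); /* 0 */
    return 0;
}
```

To check a real file, read it into a buffer with `fread` and pass it to `pe_aslr_status`; the function only touches the headers, so the buffer does not need the whole image, just the DOS header through the end of the optional header. This is the static, per-file side of the question; the `ImageDynamicallyRelocated` bit from `ProcessImageInformation` in the answer reports what the loader actually did for a running process, and that is the value to trust when the two disagree.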