Original C++ Source:
Check ASLR from file 2
{ uCheckASLR: asks the kernel, via an image section, whether a PE file would be
  relocated to a dynamic base (ASLR) — see CheckASLR below. }
unit uCheckASLR;
interface

uses
  Windows;

type
  // NOTE(review): the native NTSTATUS is a signed 32-bit value; success is
  // status >= 0. With this unsigned alias a plain `0 <= status` test can never
  // be false, so callers should test success through a signed view
  // (e.g. LongInt(status) >= 0).
  NTSTATUS = ULONG;
  // 32-bit width only; the native SIZE_T is pointer-sized. Declared for
  // completeness, not referenced by the records below.
  SIZE_T = Cardinal;
  PVOID = Pointer;
  PLARGE_INTEGER = ^LARGE_INTEGER;
  HANDLE = THANDLE;

// Opens FileName read-only, maps it as an image section and reports in bASLR
// whether the kernel marked the mapped image as dynamically relocated.
// FileName must be a full path: it is prefixed with '\??\' to build the NT
// object path, so a relative name will not open.
// Returns the NTSTATUS of the first failing native call, otherwise success.
// bASLR is only meaningful when the returned status is a success code.
function CheckASLR(const FileName: WideString; out bASLR: Boolean): NTSTATUS;
implementation

const
  // File access rights not exported by the Windows unit (values as in the
  // native headers; the trailing comments give each right's applicable
  // object class).
  FILE_READ_DATA = $0001; // file & pipe
  FILE_READ_EA = $0008; // file & directory
  FILE_READ_ATTRIBUTES = $0080; // all
  // Read-only access used for the NtOpenFile call: no write or execute rights
  // are requested, the file is only read and mapped.
  FILE_GENERIC_READ = STANDARD_RIGHTS_READ or FILE_READ_DATA or
    FILE_READ_ATTRIBUTES or FILE_READ_EA or SYNCHRONIZE;
  // All three FILE_SHARE_* bits: the open does not exclude other readers,
  // writers or deleters of the file.
  FILE_SHARE_VALID_FLAGS = $00000007;
  // NtOpenFile open option: synchronous, non-alertable I/O on the handle.
  FILE_SYNCHRONOUS_IO_NONALERT = $00000020;
  // OBJECT_ATTRIBUTES.Attributes: case-insensitive name lookup.
  OBJ_CASE_INSENSITIVE = $00000040;
type
  // Information classes accepted by ZwQuerySection; only
  // SectionImageInformation is used by this unit.
  _SECTION_INFORMATION_CLASS = (
    SectionBasicInformation,
    SectionImageInformation);
  SECTION_INFORMATION_CLASS = _SECTION_INFORMATION_CLASS;
  TSectionInformationClass = SECTION_INFORMATION_CLASS;

  // Mirror of the native SECTION_IMAGE_INFORMATION as filled in by
  // ZwQuerySection(SectionImageInformation).
  // NOTE(review): declared with 32-bit field widths (Pointer and LongWord are
  // 4 bytes here; the native stack-size fields are SIZE_T), so this layout is
  // only valid for a Win32 build — verify against the native header before
  // compiling for Win64.
  TSectionImageInformation = record
    TransferAddress: Pointer;
    ZeroBits: LongWord;
    MaximumStackSize: LongWord;
    CommittedStackSize: LongWord;
    SubSystemType: LongWord;
    MinorSubsystemVersion: Word;
    MajorSubsystemVersion: Word;
    GpValue: LongWord;
    ImageCharacteristics: Word;
    DllCharacteristics: Word;
    Machine: Word;
    ImageContainsCode: Boolean;
    // Bit field; bit 2 is the "image dynamically relocated" flag tested by
    // ImageDynamicallyRelocated below.
    ImageFlags: Byte;
    LoaderFlags: LongWord;
    ImageFileSize: LongWord;
    CheckSum: LongWord;
  end;

  // Receives the completion status of NtOpenFile. Information is declared as
  // ULONG here (32-bit width; the native field is pointer-sized).
  TIoStatusBlock = packed record
    Status : NTSTATUS;
    Information : ULONG;
  end;
  IO_STATUS_BLOCK = TIoStatusBlock;
  P_IO_STATUS_BLOCK = ^TIoStatusBlock;

  // Counted UTF-16 string as used by the native API: Length and MaximumLength
  // are byte counts, Buffer is not required to be zero-terminated.
  TUnicodeString = packed record
    Length: WORD;
    MaximumLength: WORD;
    Buffer: PWideChar;
  end;
  PUnicodeString = ^TUnicodeString;
  TUNICODE_STRING = TUnicodeString;
  UNICODE_STRING = TUnicodeString;
  PUNICODE_STRING = PUnicodeString;

  // Object name/attributes block handed to NtOpenFile; filled by
  // InitializeObjectAttributes below.
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = packed record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;
    SecurityDescriptor: PVOID; // Points to type SECURITY_DESCRIPTOR
    SecurityQualityOfService: PVOID; // Points to type SECURITY_QUALITY_OF_SERVICE
  end;
// Native API imports from ntdll.dll. Each function returns the raw NTSTATUS as
// a signed LongInt, so `result >= 0` is the success test; the Zw/Nt prefix
// makes no difference when called from user mode.
function NtOpenFile(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; IoStatusBlock: P_IO_STATUS_BLOCK; ShareAccess: ULONG; OpenOptions: ULONG): LongInt; stdcall; external 'ntdll.dll';
// ObjectAttributes and SectionSize may be nil for an unnamed section that
// covers the whole file.
function NtCreateSection(SectionHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; SectionSize: PLARGE_INTEGER; Protect: ULONG; Attributes: ULONG; FileHandle: THandle): LongInt; stdcall; external 'ntdll.dll';
function NtClose(Handle : THandle): LongInt; stdcall; external 'ntdll.dll';
// ResultLength is optional (nil) when the caller does not need the size
// actually written to SectionInformation.
function ZwQuerySection(SectionHandle : THandle; SectionInformationClass : SECTION_INFORMATION_CLASS; SectionInformation: PVOID; SectionInformationLength: ULONG; ResultLength: PULONG): LongInt; stdcall; external 'ntdll.dll';
// Points DestinationString at SourceString (no copy): the source buffer must
// outlive every use of the UNICODE_STRING.
procedure RtlInitUnicodeString(DestinationString: PUNICODE_STRING; SourceString: PWideChar); stdcall; external 'ntdll.dll';
// Fills an OBJECT_ATTRIBUTES block for a native open call, mirroring the
// ntdef.h macro of the same name: Length is the structure size and
// SecurityQualityOfService is always left nil.
//   p - block to fill (must be non-nil)
//   n - object name (NT path), may be nil
//   a - OBJ_* attribute flags
//   r - root directory handle, 0 for an absolute name
//   s - optional security descriptor
procedure InitializeObjectAttributes(p: POBJECT_ATTRIBUTES; n: PUNICODE_STRING;
  a: ULONG; r: HANDLE; s: PVOID{PSECURITY_DESCRIPTOR});
begin
  with p^ do
  begin
    Length := SizeOf(OBJECT_ATTRIBUTES);
    ObjectName := n;
    Attributes := a;
    RootDirectory := r;
    SecurityDescriptor := s;
    SecurityQualityOfService := nil;
  end;
end;
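// True when the kernel marked the mapped image as dynamically relocated,
// i.e. bit 2 of SECTION_IMAGE_INFORMATION.ImageFlags is set.
// Written in plain Pascal rather than inline asm so the result does not
// depend on the Win32 register calling convention or on where the compiler
// places the by-value record parameter.
function ImageDynamicallyRelocated(sii: TSectionImageInformation): Boolean;
const
  ImageFlagDynamicallyRelocated = $04; // bit 2 of ImageFlags
begin
  Result := (sii.ImageFlags and ImageFlagDynamicallyRelocated) <> 0;
end;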
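// Opens FileName read-only, maps it as an image section and reports in bASLR
// whether the kernel marked the image as dynamically relocated.
// FileName must be a full path; it is prefixed with '\??\' to form the NT
// object path. Returns the NTSTATUS of the first failing native call,
// otherwise a success status. bASLR is always written: it is False on every
// failure path and only reflects the image when the returned status is a
// success code.
function CheckASLR(const FileName: WideString; out bASLR: Boolean): NTSTATUS;
var
  // Signed on purpose: NTSTATUS is declared as ULONG in this unit, and an
  // unsigned `0 <= status` can never be false, which would let a failed
  // NtOpenFile fall through to NtCreateSection with an undefined handle.
  status: LongInt;
  hFile, hSection: THandle;
  iosb: IO_STATUS_BLOCK;
  oa: OBJECT_ATTRIBUTES;
  us: TUnicodeString;
  sii: TSectionImageInformation;
  ntPath: WideString;
begin
  // Define the out parameter first so a failed query can never read as
  // "ASLR enabled".
  bASLR := False;
  hFile := 0;
  hSection := 0;
  // Keep the NT path in a named local: RtlInitUnicodeString does not copy,
  // so us.Buffer must stay valid until NtOpenFile has consumed it.
  ntPath := '\??\' + FileName;
  RtlInitUnicodeString(@us, PWideChar(ntPath));
  InitializeObjectAttributes(@oa, @us, OBJ_CASE_INSENSITIVE, 0, nil);
  status := NtOpenFile(@hFile, FILE_GENERIC_READ, @oa, @iosb,
    FILE_SHARE_VALID_FLAGS, FILE_SHARE_VALID_FLAGS and 0 or FILE_SYNCHRONOUS_IO_NONALERT);
  if status >= 0 then
  begin
    // SEC_IMAGE maps the file as a PE image; the section's image information
    // then exposes the kernel's relocation flag. Unnamed section, whole file.
    status := NtCreateSection(@hSection, SECTION_QUERY, nil, nil, PAGE_READONLY,
      SEC_IMAGE, hFile);
    NtClose(hFile); // the section keeps its own reference to the file
    if status >= 0 then
    begin
      status := ZwQuerySection(hSection, SectionImageInformation, @sii,
        SizeOf(sii), nil);
      NtClose(hSection);
      if status >= 0 then
        bASLR := ImageDynamicallyRelocated(sii);
    end;
  end;
  Result := NTSTATUS(status);
end;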
end.