Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code samples to be found on this topic. I started by exploring this Windows structure called “LOADED_IMAGE”.
```c
typedef struct _LOADED_IMAGE {
  PSTR                  ModuleName;
  HANDLE                hFile;
  PUCHAR                MappedAddress;
#if ...
  PIMAGE_NT_HEADERS64   FileHeader;
#else
  PIMAGE_NT_HEADERS32   FileHeader;
#endif
  PIMAGE_SECTION_HEADER LastRvaSection;
  ULONG                 NumberOfSections;
  PIMAGE_SECTION_HEADER Sections;
  ULONG                 Characteristics;
  BOOLEAN               fSystemImage;
  BOOLEAN               fDOSImage;
  BOOLEAN               fReadOnly;
  UCHAR                 Version;
  LIST_ENTRY            Links;
  ULONG                 SizeOfImage;
} LOADED_IMAGE, *PLOADED_IMAGE;
```
https://docs.microsoft.com/en-us/windows/desktop/api/dbghelp/ns-dbghelp-_loaded_image
I fired up WinDBG and had a close look at how these appear with mapped memory addresses.
The ‘MappedAddress’ member is our pointer to the mapped PE file. If I check the headers at that address, I can see all the information about the PE.
The ‘FileHeader’ member, a pointer of type ‘PIMAGE_NT_HEADERS32’ or ‘PIMAGE_NT_HEADERS64’ depending on the build, points to the NT headers that contain all the necessary information about the PE. As you can see, I was able to locate the ‘DllCharacteristics’ member of the optional header.
While I was exploring these structures in the debugger, I got really interested in programming tiny tools. I wanted to learn this using MASM, which was challenging.
For example, let’s say I want to disable DEP for the target PE by clearing the NX_COMPAT bit. I could write a simple function as follows.
```asm
; Clears IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the optional header of an
; image opened with MapAndLoad; PE is the LOADED_IMAGE describing that image.
disableDep proc uses ebx PE:LOADED_IMAGE
    mov ebx, PE.FileHeader                          ; ebx -> IMAGE_NT_HEADERS32
    mov eax, IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    not eax                                         ; every bit set except NX_COMPAT
    ; DllCharacteristics is a WORD, so mask only that field
    and word ptr [ebx].IMAGE_NT_HEADERS32.OptionalHeader.DllCharacteristics, ax
    ret
disableDep EndP
```
So I wrote a tiny application in MASM to view these security flags of a PE and to enable or disable the ASLR and DEP flags.
Sample test run
Download: https://github.com/OsandaMalith/PESecInfo/releases
Click on the gif below to see the tool in action, disabling DEP in a vulnerable application.
This is another example, with a binary compiled with DynamicBase; this is how the base address looks, randomized.
After disabling ASLR using this tool, the Windows loader will load the image at the address in the “ImageBase” member, which is 0x00400000 in this case.
These flags are checked by the Windows loader, so by manipulating them we can disable these security features for the target EXE or DLL. I wrote this little tool in MASM to learn the language. This is totally random 🙂
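Reading the same bits from the file on disk rather than through LOADED_IMAGE, as an added example that is not part of the original post or the PESecInfo tool: a small Python parser that follows e_lfanew to the optional header, reports whether NX_COMPAT and DYNAMIC_BASE are set together with the ImageBase the loader falls back to when ASLR is off, and rejects malformed headers instead of reading out of bounds. The constants are winnt.h values; the PE32 header it builds for the demonstration is constructed, not taken from a real binary.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # values from winnt.h
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B

def pe_sec_info(data: bytes) -> dict:
    """Return ImageBase, DllCharacteristics and DEP/ASLR status for a PE buffer.
    Raises ValueError on malformed headers instead of reading out of bounds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + IMAGE_FILE_HEADER (20) + optional header through DllCharacteristics (72)
    if e_lfanew + 96 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    opt = e_lfanew + 24                      # start of IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    return {
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def build_sample_pe32(dll_chars: int, image_base: int = 0x00400000) -> bytes:
    """Constructed minimal PE32 header (no sections), used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)     # i386, SizeOfOptionalHeader=0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 68, 2)                                      # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    both = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    for name, img in (("hardened", build_sample_pe32(both)), ("flags cleared", build_sample_pe32(0))):
        info = pe_sec_info(img)
        print(f"{name}: DEP={info['dep']} ASLR={info['aslr']} ImageBase=0x{info['image_base']:08X}")
```

Run over a directory of binaries, the same function gives a quick inventory of images whose DEP or ASLR bits have been cleared, which is the file-side check that complements the loader behaviour described above.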