PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code samples to be found on this topic. I started by exploring the Windows structure called “LOADED_IMAGE”.

https://docs.microsoft.com/en-us/windows/desktop/api/dbghelp/ns-dbghelp-_loaded_image

I fired up WinDBG and had a close look at how these look with mapped memory addresses.



The ‘MappedAddress’ member is our pointer to the PE file. If I check the headers, I can see all the information about the PE.

The ‘FileHeader’ member, which is a pointer to ‘PIMAGE_NT_HEADERS32’ or ‘PIMAGE_NT_HEADERS64’, contains all the necessary information about the PE. As you can see, I was able to locate the member ‘DllCharacteristics’.

While I was exploring these structures using the debugger I got really interested in programming tiny tools. I wanted to learn this using MASM, which was challenging.

For example, let’s say I want to disable DEP from the target PE. I could write a simple function as follows.

So I wrote a tiny application using MASM to view these security flags from the PE and to enable and disable the ASLR and DEP flags.
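The same view/enable/disable logic in Python, as an added example that is not the MASM tool from the post: it follows e_lfanew to the optional header, reads DllCharacteristics at offset 0x46 (the same in PE32 and PE32+), and sets or clears the NX_COMPAT (DEP) or DYNAMIC_BASE (ASLR) bit. The sample header it builds is constructed for the demo and is not a loadable binary.

```python
import struct
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
DLLCHARACTERISTICS_OFF = 0x46  # same offset in PE32 and PE32+ optional headers

def optional_header_offset(data: bytes) -> int:
    # Validate the MZ and PE signatures, then skip Signature + IMAGE_FILE_HEADER (20 bytes)
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20

def sec_info(data: bytes) -> dict:
    # Report ImageBase and the ASLR/DEP bits, like the tool's view mode
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    fmt, ib_off = ("<I", 0x1C) if magic == 0x10B else ("<Q", 0x18)  # ImageBase: DWORD in PE32, QWORD in PE32+
    image_base = struct.unpack_from(fmt, data, opt + ib_off)[0]
    chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFF)[0]
    return {"pe32plus": magic == 0x20B, "image_base": image_base,
            "dll_characteristics": chars,
            "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}

def set_flag(data: bytes, flag: int, enabled: bool) -> bytes:
    # Return a copy of the image with one DllCharacteristics bit set or cleared
    off = optional_header_offset(data) + DLLCHARACTERISTICS_OFF
    chars = struct.unpack_from("<H", data, off)[0]
    chars = (chars | flag) if enabled else (chars & ~flag & 0xFFFF)
    out = bytearray(data)
    struct.pack_into("<H", out, off, chars)
    return bytes(out)

def build_sample_pe32(dll_characteristics: int, image_base: int = 0x00400000) -> bytes:
    # Constructed header-only PE32 (not loadable), just enough to exercise the parser
    e_lfanew = 0x80
    data = bytearray(e_lfanew + 24 + 224)
    data[:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, e_lfanew)
    data[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", data, opt, 0x10B)  # PE32 magic
    struct.pack_into("<I", data, opt + 0x1C, image_base)
    struct.pack_into("<H", data, opt + DLLCHARACTERISTICS_OFF, dll_characteristics)
    return bytes(data)
```

Patching the header this way leaves the PE checksum stale and breaks any Authenticode signature on the file, which is a useful signal when hunting for binaries whose mitigations were stripped after build.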

Sample test run

Download: https://github.com/OsandaMalith/PESecInfo/releases

Click on the gif below to see DEP being disabled in a vulnerable application.

This is another example: a binary compiled with DynamicBase, and this is how its base address looks, randomized.

After disabling ASLR using this tool, the Windows loader will map the image at the address in the “ImageBase” member, which is 0x00400000 in this case.

The flags are checked by the Windows loader, so by manipulating them we can disable these security features in the target EXE or DLL. I wrote this little tool in MASM to learn the language. This is totally random 🙂
