PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code to be found on this topic. I started by exploring this Windows structure called “LOADED_IMAGE”.

typedef struct _LOADED_IMAGE {
  PSTR                  ModuleName;
  HANDLE                hFile;
  PUCHAR                MappedAddress;
#if ...
  PIMAGE_NT_HEADERS64   FileHeader;
  PIMAGE_NT_HEADERS32   FileHeader;
  ULONG                 NumberOfSections;
  ULONG                 Characteristics;
  BOOLEAN               fSystemImage;
  BOOLEAN               fDOSImage;
  BOOLEAN               fReadOnly;
  UCHAR                 Version;
  LIST_ENTRY            Links;
  ULONG                 SizeOfImage;

I fired up WinDBG and had a close a look how these look like with mapped memory addresses.

The ‘MappedAddress’ member is our pointer to the PE file. If I check the headers, I can see all the information about the PE.

The ‘FileHeader’ member which is a pointer to ‘PIMAGE_NT_HEADERS32’ or ‘PIMAGE_NT_HEADERS64’ contains all the necessary information of the PE. As you can see I was able to locate the member ‘DllCharacteristics’.

While I was exploring these structures using the debugger I got really interested in programming tiny tools. I wanted to learn this using MASM which was challenging.

For example, let’s say I want to disable DEP from the target PE. I could write a simple function as follows.

disableDep proc PE:LOADED_IMAGE
 xor edx, edx
 xor eax, eax
 mov ebx, PE.FileHeader
 not eax
 and dword ptr [ebx].IMAGE_NT_HEADERS32.OptionalHeader.DllCharacteristics, eax
disableDep EndP

So I wrote a tiny application using MASM to view these security flags from the PE and to enable and disable ASlR, DEP flags.

Sample test run


Click on the below gif to look in action of disabling DEP in a vulnerable application.

This is another example where a binary which is compiled with DynamicBase, and this is how the base address looks like, randomized.

After disabling ASLR using this tool, the Windows loader will load from the value at the “ImageBase” member which is 0x00400000 in this case.

The flags are checked by the Windows loader so by manipulating them, we can disable these security features from the target EXE or DLL. I wrote this little tool in MASM to learn the language. This is totally random 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.