Today’s Little Program parses a module to determine whether or not it was built with the following flags: <\/p>\n
\/LARGEADDRESSAWARE<\/code><\/a> \n\/DYNAMICBASE<\/code><\/a>, also known as Address Space Layout Randomization (ASLR) \n\/HIGHENTROPYVA<\/code><\/a>, or 64-bit ASLR, which I like to call ASLRR (the extra R is for extra random) \n\/NXCOMPAT<\/code><\/a>, also known as Data Execution Prevention (DEP) \n\/GS<\/code><\/a>, which turns on certain runtime buffer overrun checks. <\/ul>\nRemember, Little Programs do little error checking. In particular, this Little Program does no range checking, so a malformed binary can result in wild pointers. <\/p>\n
\n#include <windows.h>\n#include <imagehlp.h>\n#include <stdio.h> \/\/ horrors! mixing stdio and C++!\n#include <stddef.h>\n\nclass MappedImage\n{\npublic:\n bool MapImage(const char* fileName);\n void ProcessResults();\n ~MappedImage();\n\nprivate:\n WORD GetCharacteristics();\n\n template<typename T>\n WORD GetDllCharacteristics();\n\n template<typename T>\n bool HasSecurityCookie();\n\nprivate:\n HANDLE file_ = INVALID_HANDLE_VALUE;\n HANDLE mapping_ = nullptr;\n void *imageBase_ = nullptr;\n IMAGE_NT_HEADERS* headers_ = nullptr;\n int bitness_ = 0;\n};\n\nbool MappedImage::MapImage(const char* fileName)\n{\n file_ = CreateFile(fileName, GENERIC_READ,\n FILE_SHARE_READ,\n NULL,\n OPEN_EXISTING,\n 0,\n NULL);\n if (file_ == INVALID_HANDLE_VALUE) return false;\n\n mapping_ = CreateFileMapping(file_, NULL, PAGE_READONLY,\n 0, 0, NULL);\n if (!mapping_) return false;\n\n imageBase_ = MapViewOfFile(mapping_, FILE_MAP_READ, 0, 0, 0);\n if (!imageBase_) return false;\n\n headers_ = ImageNtHeader(imageBase_);\n if (!headers_) return false;\n if (headers_->Signature != IMAGE_NT_SIGNATURE) return false;\n\n switch (headers_->OptionalHeader.Magic) {\n case IMAGE_NT_OPTIONAL_HDR32_MAGIC: bitness_ = 32; break;\n case IMAGE_NT_OPTIONAL_HDR64_MAGIC: bitness_ = 64; break;\n default: return false;\n }\n\n return true;\n}\n\nMappedImage::~MappedImage()\n{\n if (imageBase_) UnmapViewOfFile(imageBase_);\n if (mapping_) CloseHandle(mapping_);\n if (file_ != INVALID_HANDLE_VALUE) CloseHandle(file_);\n}\n\nWORD MappedImage::GetCharacteristics()\n{\n return headers_->FileHeader.Characteristics;\n}\n\ntemplate<typename T>\nWORD MappedImage::GetDllCharacteristics()\n{\n return reinterpret_cast<T*>(headers_)->\n OptionalHeader.DllCharacteristics;\n}\n\ntemplate<typename T>\nbool MappedImage::HasSecurityCookie()\n{\n ULONG size;\n T *data = static_cast<T*>(ImageDirectoryEntryToDataEx(\n imageBase_, TRUE, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,\n &size, NULL));\n if (!data) return false;\n ULONG minSize = offsetof(T, SecurityCookie) +\n sizeof(data->SecurityCookie);\n if (size < minSize) return false;\n if (data->Size < minSize) return false;\n return data->SecurityCookie != 0;\n}\n\nvoid MappedImage::ProcessResults()\n{\n printf(\"%d-bit binary\\n\", bitness_);\n auto Characteristics = GetCharacteristics();\n printf(\"Large address aware: %s\\n\",\n (Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)\n ? \"Yes\" : \"No\");\n\n auto DllCharacteristics = bitness_ == 32\n ? GetDllCharacteristics<IMAGE_NT_HEADERS32>()\n : GetDllCharacteristics<IMAGE_NT_HEADERS64>();\n\n printf(\"ASLR: %s\\n\",\n (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)\n ? \"Yes\" : \"No\");\n printf(\"ASLR^2: %s\\n\",\n (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)\n ? \"Yes\" : \"No\");\n printf(\"DEP: %s\\n\",\n (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)\n ? \"Yes\" : \"No\");\n printf(\"TS Aware: %s\\n\",\n (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)\n ? \"Yes\" : \"No\");\n\n bool hasSecurityCookie =\n bitness_ == 32 ? HasSecurityCookie<IMAGE_LOAD_CONFIG_DIRECTORY32>()\n : HasSecurityCookie<IMAGE_LOAD_CONFIG_DIRECTORY64>();\n printf(\"\/GS: %s\\n\", hasSecurityCookie\n ? \"Yes\" : \"No\");\n}\n\nint __cdecl main(int argc, char**argv)\n{\n MappedImage mappedImage;\n if (mappedImage.MapImage(argv[1])) {\n mappedImage.ProcessResults();\n }\n return 0;\n}\n<\/pre>\nLet’s see what happened. <\/p>\n
First we use the MapImage<\/code> method to load the binary and map it into memory. While we’re at it, we sniff at the headers to determine whether it is a 32-bit or 64-bit binary. <\/p>\nThe GetCharacteristics<\/code> method merely extracts the Characteristics<\/code> from the FileHeader<\/code>. This is easy because the FileHeader<\/code> is the same for 32-bit and 64-bit binaries. <\/p>\nThe GetDllCharacteristics<\/code> method has two versions depending on the image bitness. In both cases, it extracts the DllCharacteristics<\/code> field, but the location of the field depends on the structure. <\/p>\nThe HasSecurityCookie<\/code> method also has two versions depending on the image bitness. The minimum size necessary to get OS-assisted stack overflow protection is the size that encompasses the SecurityCookie<\/code> member, and in order to get that extra protection, the member needs to be nonzero. <\/p>\nWhat is OS-assisted stack overflow protection? <\/p>\n