unit uCheckASLR;
{************************************
* Coded by Agmcz                    *
* Date: 08-05-2018                  *
************************************}
interface
uses
 Windows;
function CheckASLRPEB(hProcess: THandle): Boolean;
implementation
type
 // PROCESS_BASIC_INFORMATION as laid out for a 32-bit caller: six 4-byte
 // fields (24 bytes). ExitStatus is an NTSTATUS; PebBaseAddress points at
 // the target's PEB. Only valid when this unit is built as Win32 (the asm
 // helpers below are 32-bit only anyway).
 PProcessBasicInformation = ^TProcessBasicInformation;
 TProcessBasicInformation = record
   ExitStatus: LongInt;
   PebBaseAddress: Pointer;
   AffinityMask: Cardinal;
   BasePriority: LongInt;
   UniqueProcessId: Cardinal;
   InheritedFromUniqueProcessId: Cardinal;
 end;
type
 // 64-bit PROCESS_BASIC_INFORMATION as returned by
 // NtWow64QueryInformationProcess64 to a WOW64 caller. Pad1/Pad2 reproduce
 // the 8-byte alignment of the ULONG_PTR fields, giving 48 bytes total.
 PProcessBasicInformation64 = ^TProcessBasicInformation64;
 TProcessBasicInformation64 = record
   ExitStatus: Cardinal;
   Pad1: Cardinal;
   PebBaseAddress: UInt64;
   AffinityMask: UInt64;
   BasePriority: Cardinal;
   Pad2: Cardinal;
   UniqueProcessId: UInt64;
   InheritedFromUniqueProcessId: UInt64;
 end;
type
 // Prototypes for the ntdll exports resolved at run time by CheckASLRPEB.
 // The return value is an NTSTATUS; 0 (STATUS_SUCCESS) is the only value
 // the caller treats as success.
 // TNtQueryInformationProcess is reused for NtWow64QueryInformationProcess64,
 // whose parameter list is identical apart from the 64-bit record it fills.
 TNtQueryInformationProcess = function(ProcessHandle: THandle; ProcessInformationClass: DWORD {PROCESSINFOCLASS}; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: Pointer): LongInt; stdcall;
 TNtReadVirtualMemory = function(ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: ULONG; ReturnLength: PULONG): Longint; stdcall;
 // BaseAddress/BufferLength are 64-bit so a WOW64 caller can read the
 // target's 64-bit address space.
 TNtWow64ReadVirtualMemory64 = function(ProcessHandle: THandle; BaseAddress: UInt64; Buffer: Pointer; BufferLength: UInt64; ReturnLength: Pointer): LongInt; stdcall;
function Is64OS: LongBool;
{ Returns non-zero when the calling 32-bit process runs under WOW64, i.e. on
  a 64-bit Windows. It reads TEB offset $C0 through FS (TEB.WOW32Reserved per
  public TEB layouts), which the WOW64 layer populates and which is zero on a
  native 32-bit OS. Despite the name, what is tested is the WOW64 state of the
  *current* process; the two coincide because this unit is Win32-only asm.
  MOV writes all of EAX, so no prior clearing of the register is needed. }
asm
 MOV EAX, FS:[$C0]
end;
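function ImageDynamicallyRelocated(BitField: Byte): Boolean;
{ Extracts PEB.BitField.IsImageDynamicallyRelocated from a raw BitField byte.

  The bit position depends on the Windows version: on Vista/7 the flag is
  bit 3 (bit 2 being IsLegacyProcess); Windows 8 dropped IsLegacyProcess, so
  the flag moved to bit 2. The previous "BitField = 4 ? bit 2 : bit 3"
  heuristic misreads any Windows 8+ process that has further bits set (for
  example a packaged or AppContainer process, where bit 3 is then read
  instead) and any Vista/7 process whose only set bit is IsLegacyProcess.
  The bit is therefore selected from the OS version instead.

  BitField: the byte at PEB offset 3 of the process being inspected.
  Returns: True when the selected bit is set; on XP (no such flag) the bit
  falls in SpareBits and the result is False.

  Caveat: GetVersion is subject to application-compatibility shims; a caller
  run in a "Windows 7" compatibility mode on a newer OS would pick the wrong
  bit. RtlGetVersion would be immune to that but is not resolved here. }
var
  Ver: DWORD;
  Major, Minor: Byte;
  BitIndex: Byte;
begin
  Ver := GetVersion;
  Major := Ver and $FF;          // low byte: major version
  Minor := (Ver shr 8) and $FF;  // next byte: minor version
  // Windows 8 reports 6.2; a manifest-less process on 8.1/10 still reports
  // 6.2, which selects the same bit.
  if (Major > 6) or ((Major = 6) and (Minor >= 2)) then
    BitIndex := 2
  else
    BitIndex := 3;
  Result := ((BitField shr BitIndex) and 1) <> 0;
end;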
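function CheckASLRPEB(hProcess: THandle): Boolean;
{ Reports whether the main image of the process behind hProcess was loaded
  with dynamic relocation (ASLR), by reading PEB.BitField from the target.

  hProcess: an open process handle; it must carry the rights the two ntdll
            calls need (query information and VM read).
  Returns:  True only when every step succeeds and the flag is set. False is
            also returned for an invalid handle, a missing ntdll export, a
            failed NtQueryInformationProcess / NtReadVirtualMemory call, or
            an unset flag - callers cannot tell "ASLR off" from "could not
            query", so a failed check must not be reported as "not
            randomized" without further evidence.

  When the caller runs under WOW64 the 64-bit PEB of the target is queried
  through the NtWow64* exports, regardless of the target's own bitness.
  NOTE(review): whether the 64-bit PEB's BitField mirrors a 32-bit target's
  own PEB is not verified here - confirm before relying on it for WOW64
  targets.

  Changes from the original: the GetProcAddress results are checked before
  being called, FreeLibrary runs in a finally block, and the hard-coded
  values are named. }
const
  ProcessBasicInformation = 0; // PROCESSINFOCLASS value
  PebBitFieldOffset = 3;       // offset of PEB.BitField; same in 32- and 64-bit PEB
var
  PBI: TProcessBasicInformation;
  PBI64: TProcessBasicInformation64;
  BitField: Byte;
  hntdll: HMODULE;
  NtQueryInformationProcess: TNtQueryInformationProcess;
  NtReadVirtualMemory: TNtReadVirtualMemory;
  NtWow64QueryInformationProcess64: TNtQueryInformationProcess;
  NtWow64ReadVirtualMemory64: TNtWow64ReadVirtualMemory64;
begin
  Result := False;
  BitField := 0;
  if (hProcess = 0) or (hProcess = INVALID_HANDLE_VALUE) then
    Exit;
  // ntdll is always mapped; LoadLibrary just takes a reference we release below.
  hntdll := LoadLibrary('ntdll.dll');
  if hntdll = 0 then
    Exit;
  try
    if Is64OS then
    begin
      // WOW64 caller: go through the 64-bit views of the target.
      @NtWow64QueryInformationProcess64 := GetProcAddress(hntdll, 'NtWow64QueryInformationProcess64');
      @NtWow64ReadVirtualMemory64 := GetProcAddress(hntdll, 'NtWow64ReadVirtualMemory64');
      if Assigned(NtWow64QueryInformationProcess64) and Assigned(NtWow64ReadVirtualMemory64) then
        if NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, @PBI64, SizeOf(PBI64), nil) = 0 then
          if NtWow64ReadVirtualMemory64(hProcess, PBI64.PebBaseAddress + PebBitFieldOffset, @BitField, SizeOf(BitField), nil) = 0 then
            Result := ImageDynamicallyRelocated(BitField);
    end
    else
    begin
      // Native 32-bit OS: plain 32-bit PEB.
      @NtQueryInformationProcess := GetProcAddress(hntdll, 'NtQueryInformationProcess');
      @NtReadVirtualMemory := GetProcAddress(hntdll, 'NtReadVirtualMemory');
      if Assigned(NtQueryInformationProcess) and Assigned(NtReadVirtualMemory) then
        if NtQueryInformationProcess(hProcess, ProcessBasicInformation, @PBI, SizeOf(PBI), nil) = 0 then
          if NtReadVirtualMemory(hProcess, Pointer(DWORD(PBI.PebBaseAddress) + PebBitFieldOffset), @BitField, SizeOf(BitField), nil) = 0 then
            Result := ImageDynamicallyRelocated(BitField);
    end;
  finally
    FreeLibrary(hntdll);
  end;
end;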
end.  
    
    
    
    

 
 

 
