unit uCheckASLR;
{************************************
* Coded by Agmcz *
* Date: 08-05-2018 *
************************************}
interface
uses
Windows;
function CheckASLRPEB(hProcess: THandle): Boolean;
implementation
type
PProcessBasicInformation = ^TProcessBasicInformation;
TProcessBasicInformation = record
ExitStatus: LongInt;
PebBaseAddress: Pointer;
AffinityMask: Cardinal;
BasePriority: LongInt;
UniqueProcessId: Cardinal;
InheritedFromUniqueProcessId: Cardinal;
end;
type
PProcessBasicInformation64 = ^TProcessBasicInformation64;
TProcessBasicInformation64 = record
ExitStatus: Cardinal;
Pad1: Cardinal;
PebBaseAddress: UInt64;
AffinityMask: UInt64;
BasePriority: Cardinal;
Pad2: Cardinal;
UniqueProcessId: UInt64;
InheritedFromUniqueProcessId: UInt64;
end;
type
TNtQueryInformationProcess = function(ProcessHandle: THandle; ProcessInformationClass: DWORD {PROCESSINFOCLASS}; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: Pointer): LongInt; stdcall;
TNtReadVirtualMemory = function(ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: ULONG; ReturnLength: PULONG): Longint; stdcall;
TNtWow64ReadVirtualMemory64 = function(ProcessHandle: THandle; BaseAddress: UInt64; Buffer: Pointer; BufferLength: UInt64; ReturnLength: Pointer): LongInt; stdcall;
function Is64OS: LongBool;
asm
XOR EAX, EAX
MOV EAX, FS:[$C0]
end;
function ImageDynamicallyRelocated(BitField: Byte): Boolean;
asm
CMP AL, 4
JNE @Else
SHR AL, 2
JMP @EndIF
@Else:
SHR AL, 3
@EndIF:
AND AL, 1
end;
function CheckASLRPEB(hProcess: THandle): Boolean;
var
PBI: TProcessBasicInformation;
PBI64: TProcessBasicInformation64;
BitField: Byte;
hntdll: HMODULE;
NtQueryInformationProcess: TNtQueryInformationProcess;
NtReadVirtualMemory: TNtReadVirtualMemory;
NtWow64QueryInformationProcess64: TNtQueryInformationProcess;
NtWow64ReadVirtualMemory64: TNtWow64ReadVirtualMemory64;
begin
Result := False;
if (hProcess <> 0) and (hProcess <> INVALID_HANDLE_VALUE) then
begin
hntdll := LoadLibrary('ntdll.dll');
if hntdll <> 0 then
begin
if Is64OS then
begin
@NtWow64QueryInformationProcess64 := GetProcAddress(hntdll, 'NtWow64QueryInformationProcess64');
@NtWow64ReadVirtualMemory64 := GetProcAddress(hntdll, 'NtWow64ReadVirtualMemory64');
if NtWow64QueryInformationProcess64(hProcess, 0{ProcessBasicInformation = 0}, @PBI64, SizeOf(TProcessBasicInformation64), 0) = 0 then
begin
if NtWow64ReadVirtualMemory64(hProcess, PBI64.PebBaseAddress + 3, @BitField{Peb.BitField}, SizeOf(Byte), 0) = 0 then
Result := ImageDynamicallyRelocated(BitField);
end;
end
else
begin
@NtQueryInformationProcess := GetProcAddress(hntdll, 'NtQueryInformationProcess');
@NtReadVirtualMemory := GetProcAddress(hntdll, 'NtReadVirtualMemory');
if NtQueryInformationProcess(hProcess, 0{ProcessBasicInformation = 0}, @PBI, SizeOf(TProcessBasicInformation), 0) = 0 then
begin
if NtReadVirtualMemory(hProcess, Pointer(DWORD(PBI.PebBaseAddress) + 3), @BitField{Peb.BitField}, SizeOf(Byte), nil) = 0 then
Result := ImageDynamicallyRelocated(BitField);
end;
end;
FreeLibrary(hntdll);
end;
end;
end;
end.
قوانين المنتدى |
إعلانات هامة |
صفحة المبتدئين |
كتاب الفريق الأول |
كتاب الفريق الثاني |
مجلة الفريق |
أسطوانتين للمبتدئين |
إصدارات الفريق |
من نحن ؟ |
تبرع للموقع
الفريق العربي للهندسة العكسية
›
منتديات البرمجة - Programming Forums
›
البرمجة بلغة باسكال و الدلفي - Pascal & Delphi
Check ASLR from Remote PEB
Check ASLR from Remote PEB
تقييم الموضوع :
يقوم بقرائة الموضوع: بالاضافة الى ( 2 ) ضيف كريم