Check ASLR from Remote PEB
unit uCheckASLR;

{************************************
* Coded by Agmcz                    *
* Date: 08-05-2018                  *
************************************}

interface

uses
 Windows;

function CheckASLRPEB(hProcess: THandle): Boolean;

implementation

type
 { PROCESS_BASIC_INFORMATION as laid out for a 32-bit caller (24 bytes: the
   Pointer and every Cardinal/LongInt field are 4 bytes each).  Filled by
   NtQueryInformationProcess(ProcessBasicInformation) in CheckASLRPEB, which
   only reads PebBaseAddress.  NOTE(review): Pointer grows to 8 bytes in a
   64-bit build, so this layout is only correct for a 32-bit build. }
 PProcessBasicInformation = ^TProcessBasicInformation;
 TProcessBasicInformation = record
   ExitStatus: LongInt;
   PebBaseAddress: Pointer;   { PEB address in the *target* process' address space }
   AffinityMask: Cardinal;
   BasePriority: LongInt;
   UniqueProcessId: Cardinal;
   InheritedFromUniqueProcessId: Cardinal;
 end;

type
 { 64-bit PROCESS_BASIC_INFORMATION (48 bytes) as returned to a WOW64 caller by
   NtWow64QueryInformationProcess64.  Pad1/Pad2 keep the 8-byte fields aligned
   the way the 64-bit ntdll writes them; explicit padding is used so the record
   size does not depend on the compiler's alignment setting.  CheckASLRPEB only
   reads PebBaseAddress, which is a 64-bit address in the target's space. }
 PProcessBasicInformation64 = ^TProcessBasicInformation64;
 TProcessBasicInformation64 = record
   ExitStatus: Cardinal;
   Pad1: Cardinal;
   PebBaseAddress: UInt64;
   AffinityMask: UInt64;
   BasePriority: Cardinal;
   Pad2: Cardinal;
   UniqueProcessId: UInt64;
   InheritedFromUniqueProcessId: UInt64;
 end;

type
 { Prototypes for the undocumented ntdll.dll exports resolved at run time with
   GetProcAddress.  All return an NTSTATUS (0 = STATUS_SUCCESS is the only
   value CheckASLRPEB tests for).  TNtQueryInformationProcess is reused for both
   NtQueryInformationProcess and NtWow64QueryInformationProcess64, whose
   parameter lists are identical; the WOW64 read variant takes a 64-bit
   BaseAddress/BufferLength because it targets a 64-bit address space. }
 TNtQueryInformationProcess = function(ProcessHandle: THandle; ProcessInformationClass: DWORD {PROCESSINFOCLASS}; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: Pointer): LongInt; stdcall;
 TNtReadVirtualMemory = function(ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: ULONG; ReturnLength: PULONG): Longint; stdcall;
 TNtWow64ReadVirtualMemory64 = function(ProcessHandle: THandle; BaseAddress: UInt64; Buffer: Pointer; BufferLength: UInt64; ReturnLength: Pointer): LongInt; stdcall;

{ Returns True when the calling 32-bit process is running under WOW64, i.e. on
  a 64-bit Windows.  It reads the byte-offset $C0 of the TEB through FS
  (WOW32Reserved in the public 32-bit TEB layout, which the WOW64 layer sets to
  a non-zero value -- NOTE(review): verify against the TEB layouts you support).
  The name is a little misleading: it answers "32-bit process on a 64-bit OS",
  which is exactly the case in which CheckASLRPEB has to go through the
  NtWow64* exports.  Inline x86 asm with FS-relative addressing: only
  assembles and is only meaningful in a 32-bit build.  The XOR is dead code,
  the MOV overwrites all of EAX. }
function Is64OS: LongBool;
asm
 XOR EAX, EAX
 MOV EAX, FS:[$C0]
end;

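{ Extracts the IsImageDynamicallyRelocated flag from a PEB.BitField byte.

  BitField  the byte at offset 3 of the target's PEB, as read by CheckASLRPEB.
  Returns   True when the selected flag bit is set.

  Selection rule (unchanged from the original asm): when BitField is exactly 4
  the result is bit 2, otherwise it is bit 3.  The author appears to be
  papering over the fact that the BitField layout differs between Windows
  versions (in public PEB dumps IsImageDynamicallyRelocated is bit 3 on
  Vista/7, where bit 2 is IsLegacyProcess, and bit 2 from Windows 8 on, where
  IsLegacyProcess was dropped).  NOTE(review): guessing the layout from the
  value is fragile -- a Vista/7 process whose only set flag is IsLegacyProcess
  (BitField = 4) reads as relocated, and a Windows 8+ process with any extra
  flag set (e.g. an AppContainer process) falls back to bit 3, which is then
  SkipPatchingUser32Forwarders.  Choosing the bit from the OS version would be
  the robust fix; that needs a second input and is left to the caller.

  Rewritten from inline x86 asm (which assumed the argument in AL, a 32-bit
  register-convention detail) to plain Pascal with identical results. }
function ImageDynamicallyRelocated(BitField: Byte): Boolean;
var
  Shift: Byte;
begin
  // Exactly 4 => Windows 8+ style layout is assumed, flag is bit 2;
  // anything else => Vista/7 style layout, flag is bit 3.
  if BitField = 4 then
    Shift := 2
  else
    Shift := 3;
  Result := ((BitField shr Shift) and 1) <> 0;
end;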

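{ Reads PEB.BitField of a 64-bit target from a WOW64 (32-bit) caller through
  the NtWow64* exports of the 32-bit ntdll.dll.

  hntdll    module handle of ntdll.dll (already loaded by the caller).
  hProcess  handle to the target process.
  BitField  receives the byte at offset 3 of the target's PEB (PEB.BitField);
            set to 0 when the function fails.
  Returns   True only when both NT calls returned STATUS_SUCCESS (0). }
function ReadPebBitFieldWow64(hntdll: HMODULE; hProcess: THandle; out BitField: Byte): Boolean;
var
  PBI64: TProcessBasicInformation64;
  NtWow64QueryInformationProcess64: TNtQueryInformationProcess;
  NtWow64ReadVirtualMemory64: TNtWow64ReadVirtualMemory64;
begin
  Result := False;
  BitField := 0;
  @NtWow64QueryInformationProcess64 := GetProcAddress(hntdll, 'NtWow64QueryInformationProcess64');
  @NtWow64ReadVirtualMemory64 := GetProcAddress(hntdll, 'NtWow64ReadVirtualMemory64');
  // These exports exist only in the 32-bit ntdll.dll of a 64-bit Windows; the
  // original code called the pointers unchecked and would have crashed on nil.
  if (not Assigned(NtWow64QueryInformationProcess64)) or
     (not Assigned(NtWow64ReadVirtualMemory64)) then
    Exit;
  FillChar(PBI64, SizeOf(PBI64), 0);
  if NtWow64QueryInformationProcess64(hProcess, 0 {ProcessBasicInformation}, @PBI64, SizeOf(PBI64), nil) <> 0 then
    Exit;
  // A zero PEB address (e.g. a process that is already gone) is not readable.
  if PBI64.PebBaseAddress = 0 then
    Exit;
  // PEB.BitField is the byte at offset 3 of the PEB (same offset in the
  // 32- and 64-bit PEB), as annotated in the original source.
  Result := NtWow64ReadVirtualMemory64(hProcess, PBI64.PebBaseAddress + 3, @BitField, SizeOf(Byte), nil) = 0;
end;

{ Reads PEB.BitField of a same-bitness target through the native
  NtQueryInformationProcess / NtReadVirtualMemory exports.

  hntdll    module handle of ntdll.dll (already loaded by the caller).
  hProcess  handle to the target process.
  BitField  receives PEB.BitField; set to 0 when the function fails.
  Returns   True only when both NT calls returned STATUS_SUCCESS (0). }
function ReadPebBitFieldNative(hntdll: HMODULE; hProcess: THandle; out BitField: Byte): Boolean;
var
  PBI: TProcessBasicInformation;
  NtQueryInformationProcess: TNtQueryInformationProcess;
  NtReadVirtualMemory: TNtReadVirtualMemory;
begin
  Result := False;
  BitField := 0;
  @NtQueryInformationProcess := GetProcAddress(hntdll, 'NtQueryInformationProcess');
  @NtReadVirtualMemory := GetProcAddress(hntdll, 'NtReadVirtualMemory');
  // Guard against a failed export lookup instead of calling a nil pointer.
  if (not Assigned(NtQueryInformationProcess)) or (not Assigned(NtReadVirtualMemory)) then
    Exit;
  FillChar(PBI, SizeOf(PBI), 0);
  if NtQueryInformationProcess(hProcess, 0 {ProcessBasicInformation}, @PBI, SizeOf(PBI), nil) <> 0 then
    Exit;
  if PBI.PebBaseAddress = nil then
    Exit;
  // PAnsiChar arithmetic is byte-granular and does not truncate the pointer
  // to 32 bits the way the original Pointer(DWORD(...) + 3) cast did.
  Result := NtReadVirtualMemory(hProcess, Pointer(PAnsiChar(PBI.PebBaseAddress) + 3), @BitField, SizeOf(Byte), nil) = 0;
end;

{ Tells whether the image of another process was loaded at a randomised base
  (ASLR applied), by reading the IsImageDynamicallyRelocated flag out of the
  target's PEB.BitField.

  hProcess  handle to the target process.  The queries used here typically
            require PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access
            (NOTE(review): confirm against the access rights your callers
            request).  0 and INVALID_HANDLE_VALUE are rejected up front.
  Returns   True when the flag is set.  False is returned both when the image
            is NOT dynamically relocated and when any step fails (bad handle,
            missing export, access denied, unreadable PEB) -- callers cannot
            tell the two apart from the result alone.

  The Is64OS() branch (a WOW64 check) selects the NtWow64* exports so that a
  32-bit caller can inspect a 64-bit target; the other branch uses the native
  exports.  Because Is64OS is FS-relative inline asm, the unit is only
  meaningful in a 32-bit build.  ntdll.dll is always mapped, so
  LoadLibrary/FreeLibrary here merely bump and drop a reference count. }
function CheckASLRPEB(hProcess: THandle): Boolean;
var
  BitField: Byte;
  hntdll: HMODULE;
  HaveBitField: Boolean;
begin
  Result := False;
  if (hProcess = 0) or (hProcess = INVALID_HANDLE_VALUE) then
    Exit;
  hntdll := LoadLibrary('ntdll.dll');
  if hntdll = 0 then
    Exit;
  try
    if Is64OS then
      HaveBitField := ReadPebBitFieldWow64(hntdll, hProcess, BitField)
    else
      HaveBitField := ReadPebBitFieldNative(hntdll, hProcess, BitField);
    if HaveBitField then
      Result := ImageDynamicallyRelocated(BitField);
  finally
    // try/finally guarantees the reference is released even if a call raises.
    FreeLibrary(hntdll);
  end;
end;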

end.  


الملفات المرفقة
.rar   ASLR Checker(bin).rar (الحجم : 158.77 KB / التحميلات : 34)
.rar   ASLR Checker(src).rar (الحجم : 2.39 KB / التحميلات : 27)

