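def check_aslr():
    """Report whether well-known system DLLs are loaded away from their ImageBase.

    For each of user32.dll, kernel32.dll and ntdll.dll, the base address of
    the module as mapped into the current process is compared with the
    ImageBase stored in the optional header of the module's file on disk.

    Returns:
        bool: True if at least one inspected module is mapped at an address
        different from its on-disk ImageBase, False otherwise.

    Note:
        The result is a heuristic for this process only. A non-zero offset
        shows that the loader relocated the module; ASLR is the usual reason,
        but a collision at the preferred base also causes relocation. False
        means that no inspected module was found relocated. That includes the
        case where none could be inspected, so it is not proof that ASLR is
        disabled system-wide.
    """
    # Local imports: ctypes.windll is only available on Windows.
    # create_unicode_buffer is taken from ctypes itself because
    # ctypes.wintypes does not re-export it on Python 3.
    from ctypes import create_unicode_buffer
    from ctypes import windll
    from ctypes import wintypes

    check_dlls = ["user32.dll", "kernel32.dll", "ntdll.dll"]
    path_capacity = 255
    is_aslr = False

    # Declare prototypes so handles are not truncated to a C int on 64-bit.
    get_module_handle = windll.kernel32.GetModuleHandleW
    get_module_handle.restype = wintypes.HMODULE
    get_module_handle.argtypes = [wintypes.LPCWSTR]
    get_module_file_name = windll.kernel32.GetModuleFileNameW
    get_module_file_name.restype = wintypes.DWORD
    get_module_file_name.argtypes = [wintypes.HANDLE, wintypes.LPWSTR, wintypes.DWORD]

    for dll_name in check_dlls:
        # GetModuleHandleW only finds modules already loaded in this process
        # and yields NULL (None/0 here) otherwise. A NULL handle must not be
        # used: the subtraction below would fail, and GetModuleFileNameW would
        # return the path of the process executable instead of the DLL.
        h_module_base = get_module_handle(dll_name)
        if not h_module_base:
            LOG.debug("Module %s is not loaded in this process, skipping", dll_name)
            continue

        # Resolve the module's file path. A return value of 0 signals failure
        # and a value equal to the buffer size signals a truncated path.
        module_path = create_unicode_buffer(path_capacity)
        copied = get_module_file_name(h_module_base, module_path, path_capacity)
        if copied == 0 or copied >= path_capacity:
            LOG.debug("Could not resolve file path of %s, skipping", dll_name)
            continue

        # Read the preferred ImageBase from the file on disk. Only the headers
        # are needed, so data directory parsing is skipped (fast_load), and
        # the file mapping is released as soon as the value has been read.
        pe = pefile.PE(module_path.value, fast_load=True)
        try:
            pe_header_base_addr = pe.OPTIONAL_HEADER.ImageBase
        finally:
            pe.close()

        offset = pe_header_base_addr - h_module_base
        LOG.debug("Memory vs. File ImageBase offset (%s): 0x%x", dll_name, offset)
        is_aslr = is_aslr or offset != 0

    return is_aslr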