  1. #1 (nullptr_t)

    C/C++ Disable Address Space Layout Randomization (ASLR) & DEP of Another Program

    What is ASLR? ASLR (Address Space Layout Randomization) is a feature within common executable formats, such as PE & ELF.
    ASLR is a technique that rearranges some of the most important parts of a process's memory, such as the base address, stack & heap
    of the program, for security, thus making it impossible to exploit the program with known addresses.

    What is DEP? DEP (Data Execution Prevention) is a technique used to 'mark' regions of a process's memory as not executable, so that an
    attempt to execute machine code within these regions of memory will raise an exception and stop the execution of the program.

    This code will cripple both of these security measures, making it easier to exploit the target program (not having to use pattern scanning or having to calculate the actual address from pointers, e.g.).


    Code:
    #include <Windows.h>
    #include <ImageHlp.h>
    #include <iostream>
    
    using namespace std;
    
    #pragma comment(lib, "ImageHlp.lib")
    
    bool Flag(LPCSTR path, bool ASLR, bool DEP)
    {
    	LOADED_IMAGE PE;
    	if (MapAndLoad(path, 0, &PE, 0, 0))
    	{
    		if (ASLR) // Enable address space layout randomization
    			PE.FileHeader->OptionalHeader.DllCharacteristics = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
    		else // Disable address space layout randomization
    			PE.FileHeader->OptionalHeader.DllCharacteristics = NULL;
    
    		if (DEP) // Enable data execution prevention
    			PE.FileHeader->OptionalHeader.DllCharacteristics = IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
    		else // Disable data execution prevention
    			PE.FileHeader->OptionalHeader.DllCharacteristics = NULL;
    		UnMapAndLoad(&PE);
    		return true;
    	}
    	return false;
    }
    
    int main()
    {
    	Flag("test.exe", false, false);
    }

    Zer0Mem0ry

    C/C++ Programmer, Youtuber, software enthusiast & hobbyist.

    Donate: (bitcoin): 1JhSKGgRQmir8rRF4Sm5CP4fDDofKFAypd

    Youtube: https://www.youtube.com/channel/UCDk...ariJF2Dn2j5WKA
    Skype: virtual_coder

  2. #2 (WasserEsser)
    This is so wrong. First of all you should learn about bitwise operations since IMAGE_OPTIONAL_HEADER->DllCharacteristics is a collection of bit flags.

    Run down a test case. Pass the function a true for ASLR and a false for DEP. You'll set DllCharacteristics to IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and right after set DllCharacteristics to 0. Where is your IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE now? You just reset everything to 0.
    Last edited by WasserEsser; 08-29-2016 at 12:33 PM.

  3. #3 (MarkHC, Former Staff)
    Changing the PE (which is what you are doing) doesn't do anything. If you don't believe me, run NtQueryInformationProcess with the ProcessExecuteFlags class.

    If you really want to disable DEP/ASLR you need to change the values on _KPROCESS::Flags (offset 0x1BF on Win10).

    Here's some (kernel) code that ACTUALLY disables DEP:

    Code:
    NTSTATUS SetProcessDEP(
        __in PSET_DEP_STATE Params
    )
    {
        if(!Params) return STATUS_INVALID_PARAMETER;
    
        NTSTATUS    status;
        PEPROCESS   process = NULL;
    
        status = PsLookupProcessByProcessId((HANDLE)Params->In.ProcessId, &process);
    
        if(NT_SUCCESS(status)) {
            PKEXECUTE_OPTIONS executeOptions = (PKEXECUTE_OPTIONS)((PUCHAR)process + 0x1bf);
            //
            // DisableData Execution Prevention
            //
            if(!Params->In.Enabled) {
                executeOptions->ExecuteOptions = 0;
    
                executeOptions->Flags.ExecuteDisable = 1;
                executeOptions->Flags.ImageDispatchEnable = 1;
                executeOptions->Flags.ExecuteDispatchEnable = 1;
            } 
            //
            // Enable Data Execution Prevention
            //
            else {
                executeOptions->ExecuteOptions = 0;
    
                executeOptions->Flags.ExecuteEnable = 1;
                executeOptions->Flags.Permanent = 1;
            }
        } else {
            PERROR("PsLookupProcessByProcessId", status);
        }
        if(process != NULL)
            ObDereferenceObject(process);
        return status;
    }
    From usermode, you can call NtSetInformationProcess with ProcessExecuteFlags to change those flags.
    Last edited by MarkHC; 08-29-2016 at 01:35 PM.


    CoD Minion from 09/19/2012 to 01/10/2013

  4. #4 (nullptr_t)
    Quote Originally Posted by WasserEsser:
    This is so wrong. First of all you should learn about bitwise operations since IMAGE_OPTIONAL_HEADER->DllCharacteristics is a collection of bit flags.

    Run down a test case. Pass the function a true for ASLR and a false for DEP. You'll set DllCharacteristics to IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and right after set DllCharacteristics to 0. Where is your IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE now? You just reset everything to 0.
    Whoops, both were written for individual programs, and I just carelessly merged them. This can be fixed with a simple bitwise operation though.
    For the enabling part: |=
    For the disabling part: &= ~

    That should fix it

    - - - Updated - - -

    Quote Originally Posted by MarkHC:
    Changing the PE (which is what you are doing) doesn't do anything. If you don't believe me, run NtQueryInformationProcess with the ProcessExecuteFlags class.

    If you really want to disable DEP/ASLR you need to change the values on _KPROCESS::Flags (offset 0x1BF on Win10).

    Here's some (kernel) code that ACTUALLY disables DEP:

    Code:
    NTSTATUS SetProcessDEP(
        __in PSET_DEP_STATE Params
    )
    {
        if(!Params) return STATUS_INVALID_PARAMETER;
    
        NTSTATUS    status;
        PEPROCESS   process = NULL;
    
        status = PsLookupProcessByProcessId((HANDLE)Params->In.ProcessId, &process);
    
        if(NT_SUCCESS(status)) {
            PKEXECUTE_OPTIONS executeOptions = (PKEXECUTE_OPTIONS)((PUCHAR)process + 0x1bf);
            //
            // DisableData Execution Prevention
            //
            if(!Params->In.Enabled) {
                executeOptions->ExecuteOptions = 0;
    
                executeOptions->Flags.ExecuteDisable = 1;
                executeOptions->Flags.ImageDispatchEnable = 1;
                executeOptions->Flags.ExecuteDispatchEnable = 1;
            } 
            //
            // Enable Data Execution Prevention
            //
            else {
                executeOptions->ExecuteOptions = 0;
    
                executeOptions->Flags.ExecuteEnable = 1;
                executeOptions->Flags.Permanent = 1;
            }
        } else {
            PERROR("PsLookupProcessByProcessId", status);
        }
        if(process != NULL)
            ObDereferenceObject(process);
        return status;
    }
    From usermode, you can call NtSetInformationProcess with ProcessExecuteFlags to change those flags.
    Not sure about DEP, but that totally cripples ASLR on the latest Win10:


    Last edited by nullptr_t; 08-30-2016 at 08:10 AM.

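Added example (not code from anyone in this thread): a bounds-checked reader that pulls DllCharacteristics out of a PE image and tests the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT bits individually, which is the bit-flag handling WasserEsser asks for and post #4's |= fix, written as the kind of hardening audit a defender runs over binaries on disk. It uses no Windows headers so it builds anywhere; the header offsets follow the PE/COFF specification and the sample PE32+ header is constructed inline, not taken from a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF spec (same values as the SDK macros the thread uses). */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR */
#define DLLCHAR_NX_COMPAT    0x0100   /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk MZ -> e_lfanew -> "PE\0\0" -> COFF header -> optional header and return DllCharacteristics.
   Returns -1 on a malformed or truncated image; every read is bounds-checked first. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                    /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                        /* e_lfanew */
    if (pe > len || len - pe < 24 || rd32(img + pe) != 0x00004550) return -1;
    size_t opt = pe + 24;                                                  /* optional header */
    uint16_t opt_size = rd16(img + pe + 20);                               /* SizeOfOptionalHeader */
    if (opt_size < 72 || len - opt < opt_size) return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B) return -1;                       /* PE32 / PE32+ */
    return rd16(img + opt + 70);                                           /* same offset in both */
}

/* A flag is present only if its bit is set: test with &, never compare or assign the whole field. */
int pe_has_aslr(uint16_t dc) { return (dc & DLLCHAR_DYNAMIC_BASE) != 0; }
int pe_has_dep(uint16_t dc)  { return (dc & DLLCHAR_NX_COMPAT) != 0; }
/* The |= form from post #4, applied to turn mitigations on without clobbering the other bits. */
uint16_t pe_with_mitigations(uint16_t dc) { return dc | DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT; }

/* Constructed 200-byte PE32+ header (not a real binary) carrying the given DllCharacteristics. */
int audit_sample(uint16_t dllchar)
{
    uint8_t img[200] = {0};
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                                  /* e_lfanew: "PE\0\0" sits at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x40 + 20] = 0x70;                             /* SizeOfOptionalHeader = 112 */
    img[0x58] = 0x0B; img[0x59] = 0x02;                /* Magic = 0x20B (PE32+) */
    img[0x58 + 70] = (uint8_t)dllchar; img[0x58 + 71] = (uint8_t)(dllchar >> 8);
    return pe_dll_characteristics(img, sizeof img);
}

int main(void)
{
    int dc = audit_sample(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT);
    printf("DllCharacteristics=0x%04X ASLR=%d DEP=%d\n", dc, pe_has_aslr((uint16_t)dc), pe_has_dep((uint16_t)dc));
    return 0;
}
```

As MarkHC points out above, these bits describe the image on disk, not a running process; the live state is what NtQueryInformationProcess with ProcessExecuteFlags reports.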
