Finding non-ASLR or DEP modules

As the recent exploits for IE using the .NET 2.0 DLL demonstrate, sometimes a non-ASLR DLL that enables an exploit is just a LoadLibrary away. So if pvefindaddr won’t give you any ASLR-free DLLs in memory, look for other DLLs that the process will load, given the right input. Or, from a system-hardening or development perspective, you may want to find all DLLs and EXEs that do not opt in to either ASLR or DEP, for example to target them with EMET. I’m not aware of a good tool that will do that for you now, so I grabbed some code from a previous project and put together a very short utility that checks a file (or reads a list of files from stdin) for the PE header flags DYNAMIC_BASE and NX_COMPAT.

Example output looking at a single file:
c:\temp>pefinder.exe "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe" -v
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe ASLR enabled DEP enabled

Example output with a directory listing (pefinder will skip files that are not in PE format):
c:\temp>dir /b /w /s "C:\Program Files (x86)\Adobe\"* | pefinder.exe -
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\ccme_base.dll ASLR not enabled! DEP not enabled!
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\cryptocme2.dll ASLR not enabled! DEP not enabled!
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\icudt40.dll ASLR not enabled! DEP not enabled!
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe ASLR not enabled! DEP not enabled!

Now that’s interesting. So if you can get Adobe Reader to load some RSA crypto functions or International Components for Unicode functions, you will have a target for ROP.

Example search of an entire hard drive:
dir "C:\"*.exe /b /w /s | pefinder.exe -

I was astonished to find, on a generally up-to-date Windows 7 installation, close to 9000 executable files that did not opt in to one of the exploit mitigations. Now that is either an opportunity or the recipe for a giant headache, depending on which side of the fence you are on.

Source (I’m warning you, the coding is a lousy hack job): http://scriptjunkie1.110mb.com/security/pefinder.cpp.txt
Compiled: http://scriptjunkie1.110mb.com/security/pefinder.zip

One usage note: if a process enables DEP at runtime but the NX_COMPAT flag is not set in the header, pefinder will report DEP not enabled, which won’t really be true.
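The same header check in Python, as an added example that is not the pefinder source linked above: it follows e_lfanew to the PE signature, reads the COFF and optional headers, and tests the DYNAMIC_BASE and NX_COMPAT bits; it goes one step beyond pefinder by also treating an image whose relocations are stripped as not ASLR-protected, because the loader cannot rebase such an image whatever DYNAMIC_BASE says. Runtime-enabled DEP is invisible to a file-based check like this one, exactly as the usage note says. The function names, build_min_pe (a constructed header-only sample so the script runs offline) and the sample flag values are assumptions, not anything from the original tool.

```python
import struct
import sys

# DllCharacteristics bits from the PE optional header (winnt.h values)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit

def pe_mitigations(data):
    """Return dict(aslr, dep, relocs_stripped) or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: SizeOfOptionalHeader at +16, Characteristics at +18
    opt_size, coff_chars = struct.unpack_from("<HH", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + opt_size > len(data):
        return None
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]  # offset 70 in both PE32 and PE32+
    return {"aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "relocs_stripped": bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)}

def describe(name, data):
    """One pefinder-style output line, or None for non-PE input (skipped, as pefinder does)."""
    r = pe_mitigations(data)
    if r is None:
        return None
    # An image with relocations stripped cannot be rebased, so DYNAMIC_BASE alone is not enough
    aslr = "ASLR enabled" if r["aslr"] and not r["relocs_stripped"] else "ASLR not enabled!"
    dep = "DEP enabled" if r["dep"] else "DEP not enabled!"
    return f"{name} {aslr} {dep}"

def build_min_pe(dllchars, coff_chars=0, pe32plus=False):
    """Constructed header-only PE image (no sections), used as offline sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, coff_chars)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dllchars)
    return dos + b"PE\0\0" + coff + opt.ljust(96, b"\0")

if __name__ == "__main__":  # file paths as arguments, or "-" to read the list from stdin
    paths = sys.stdin.read().splitlines() if sys.argv[1:] == ["-"] else sys.argv[1:]
    for p in filter(None, paths):
        line = describe(p, open(p, "rb").read())
        if line:
            print(line)
```

Piped the same way as pefinder (dir /b /s ... | python pecheck.py -), it prints one line per PE file and silently skips everything else.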


  1. #1 by xpclient on 20 April 2012 - 1314

    Should this work on DLLs too like shell extensions and IE BHOs?
