Enumerating Executable Protections

Joshua Arnold
huskersec
Sep 27, 2018

Today, I asked myself a question I wanted to figure out: How can I enumerate protections such as ASLR and no-execute (NX) on a given executable? Having used Immunity Debugger and mona.py in the past, I knew it was possible to accomplish with that combination. However, what if I just want a quick and easy way to do it from Linux?

Racking my brain, I remembered a few weeks back that @DirectoryRanger had tweeted about NetSPI’s PowerShell module that does the same. NetSPI’s PowerShell module can be found here. Looking through their code, I found this section that enumerates protections in place for an executable fed to the tool:

Prior to this, I wasn’t exactly sure how to identify these protections so thanks to @NetSPI and their team for providing this module. Additionally, @egru provides a nice overview of the technical details as well as the usage of the tool in this post here. In this blog post, he also links to the MSDN page that describes each of these DllCharacteristics. The latest Microsoft documentation in regards to the DllCharacteristics field can be found here.

Armed with this information, I set out to find if there was a tool I could use on Linux to enumerate the same information. Taking to the Googles, I identified a GitHub repository that looked promising. Looking at the code in pefile.py, we can see that it, too, can enumerate the DllCharacteristics field in the optional header of a portable executable:

Legit. This appears to be exactly what I was looking for. To download and set up the tool, I executed the following commands:

git clone https://github.com/erocarrera/pefile.git
cd pefile/
python setup.py install

At this point, pefile was installed and set up for me. Running the tool, we can see that it expects a filename of the executable to be analyzed and that it supports an argument to examine exports of a PE, if we want:

/home/pefile# python pefile.py
pefile.py <filename>
pefile.py exports <filename>

To test the tool, I decided to examine the DllCharacteristics in PsExec.exe, from Windows Sysinternals, just as an example. Since a ton of information will be output to the terminal when you run the tool, ensure you output to a file unless you really want to scroll through all the output. Looking at the result from analysis on the given PE, we can see under the [IMAGE_OPTIONAL_HEADER] tag that pefile.py successfully enumerated the DllCharacteristics field of PsExec.exe:

If you want to, you can manually translate the DllCharacteristics flags by referencing the MSDN page, linked above, but as we can see, pefile.py automatically does that for us at the bottom of the screenshot.
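The manual translation mentioned above, as an added example that is not part of the original post or of pefile: it reads the DllCharacteristics field straight from the PE optional header with only the Python standard library and decodes the flag bits listed in the Microsoft PE format documentation. The function names and the header-only sample image are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* bits from the Microsoft PE format documentation.
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

def dll_characteristics(data):
    """Return the raw DllCharacteristics word of a PE image held in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # skip the 4-byte PE signature and 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]

def report(data):
    """Summarise the protections the post asks about, plus all set flags."""
    value = dll_characteristics(data)
    return {
        "raw": value,
        "ASLR": bool(value & 0x0040),  # DYNAMIC_BASE
        "NX": bool(value & 0x0100),    # NX_COMPAT
        "flags": [name for bit, name in sorted(FLAGS.items()) if value & bit],
    }

def sample_pe(flags, magic=0x10B):
    """Constructed header-only image for the demo; not a real binary."""
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    # Analyse the file given as an argument, else the constructed sample.
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else sample_pe(0x8140)
    print(report(image))
```

A binary that reports ASLR or NX as False here was linked without that protection, which makes it a candidate for rebuilding with the corresponding linker option enabled.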

With the information provided by this useful tool, we now know more about the executable and what to expect if we are trying to develop an exploit for a vulnerability we’ve found in a program. To note, PsExec.exe was just used as an example for this post. As I mentioned previously, there are many different ways, on different platforms, to find this information, but I was curious what could be used on Linux to answer my question. Also, thanks again to those mentioned in the post for their tools, blogs, and references that pointed me in the right direction. Happy hacking!
