Didier Stevens

Sunday 17 October 2010

setdllcharacteristics

Filed under: My Software,Windows 7,Windows Vista — Didier Stevens @ 20:39

The PE-file format specifies flags to enable DEP and ASLR. You can set these flags with a hex-editor or a PE-file editor.

Because I need to set DEP and ASLR flags from a script, I wrote a C program to read, set or clear these flags (together with another flag to check Authenticode signatures; more about this later).

It’s a standard C program; you can compile it under *nix too.

The option handling is simple: you can’t combine flags into one option string. For example, to set DEP and ASLR, you issue the following command:

setdllcharacteristics +n +d program.exe

This will not work:

setdllcharacteristics +nd program.exe
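An added example, not the tool's own source (which is a C program): this Python script locates DllCharacteristics in the optional header, reports the DEP/ASLR/FORCE_INTEGRITY bits, and applies the same one-flag-per-option syntax as above. The header offsets and bit values are the documented PE/COFF ones; the minimal PE header it parses is constructed for the demo and is not a runnable program.

```python
import struct
# DllCharacteristics bits as documented in the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # ASLR, the "d" option in setdllcharacteristics
FORCE_INTEGRITY = 0x0080  # forces the Authenticode signature check
NX_COMPAT = 0x0100        # DEP, the "n" option in setdllcharacteristics

def dllcharacteristics_offset(data: bytes) -> int:
    """Locate Optional Header.DllCharacteristics, validating the headers on the way."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20  # optional header follows the PE signature and 20-byte COFF header
    if opt + 0x48 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found or file truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + 0x46  # DllCharacteristics is at +0x46 in both PE32 and PE32+

def read_flags(data: bytes) -> int:
    return struct.unpack_from("<H", data, dllcharacteristics_offset(data))[0]

def describe(flags: int) -> dict:
    return {"DEP": bool(flags & NX_COMPAT), "ASLR": bool(flags & DYNAMIC_BASE),
            "FORCE_INTEGRITY": bool(flags & FORCE_INTEGRITY)}

def apply_options(data: bytes, options) -> bytes:
    """Apply options like ['+n', '+d'] (one flag per option, as the tool requires); return a patched copy."""
    letters = {"n": NX_COMPAT, "d": DYNAMIC_BASE}
    value = read_flags(data)
    for opt in options:
        if len(opt) != 2 or opt[0] not in "+-" or opt[1] not in letters:
            raise ValueError("bad option %r: use one flag per option, e.g. +n +d" % opt)
        bit = letters[opt[1]]
        value = (value | bit) if opt[0] == "+" else (value & ~bit)
    out = bytearray(data)
    struct.pack_into("<H", out, dllcharacteristics_offset(data), value & 0xFFFF)
    return bytes(out)

def sample_pe(dllcharacteristics: int = 0) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) used as demo input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 0x46, dllcharacteristics)
    return dos + coff + bytes(opt)

if __name__ == "__main__":
    patched = apply_options(sample_pe(), ["+n", "+d"])
    print(hex(read_flags(patched)), describe(read_flags(patched)))
```

Rejecting "+nd" mirrors the tool's behaviour described above; the patch only touches the two DllCharacteristics bytes, so the file length is unchanged (and any Authenticode signature covering the header no longer verifies).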

Don’t forget that changing these flags on a signed executable invalidates its signature. But that shouldn’t be a problem for running the program.

Later, I’ll post tools to force DEP (and maybe ASLR) without changing the PE file.

And I also updated the PE-file format template for the 010 editor to support these 3 flags.

Download:

setdllcharacteristics_v0_0_0_1.zip (https)

MD5: F96358BF90AA4D8C6B32968B2068BFCB

SHA256: 5A9D3815F317C7C0FF7737F271CE0C60BE2CB0F4168C5EA5AD8CEF84AD718577

20 Comments

  1. One should take care, because modifying the executable invalidates its digital signature if such a signature is present.

    Best regards,
    Cd-MaN

    Comment by Cd-MaN — Monday 18 October 2010 @ 18:18

  2. On older 32 bit OS with DEP disabled by default, NX_COMPAT in the PE header doesn’t turn DEP on for the process. Try SetProcessDEPPolicy.

    Comment by anonymous — Tuesday 19 October 2010 @ 6:40

  3. @Cd-MaN Yep, like I wrote, it impacts the digital signature. However, most programs will run fine with an invalid digital signature. Windows doesn’t care, unless a special flag is set which I’ll blog about later.

    Comment by Didier Stevens — Tuesday 19 October 2010 @ 16:52

  4. @anonymous I’m using SetProcessDEPPolicy in my dll SetPermanentDEP, to be featured in an upcoming blogpost.
    And if you’re referring to XP SP2, then it’s not that DEP is disabled, but limited to the system and other Microsoft programs.

    Comment by Didier Stevens — Tuesday 19 October 2010 @ 16:54

  5. Hi Didier, how can I set the flags you talk about using a hex editor or PE editor? I’ve downloaded Stud PE but I don’t know how to set DEP and ASLR flags.

    Comment by demonfly — Wednesday 20 October 2010 @ 10:52

  6. @demonfly I tested Stud PE, but it looks like it doesn’t support editing dllcharacteristics. But you can do it with 010 Editor and EXETemplate2.

    Comment by Didier Stevens — Wednesday 20 October 2010 @ 19:40

  7. @Didier Thank you very much, I would like to use a free tool rather than 010 Editor, but I’ll try that editor.

    Comment by demonfly — Thursday 21 October 2010 @ 10:53

  8. […] […]

    Pingback by [Release] Disable ASLR in World of Warcraft (patch) — Monday 1 November 2010 @ 4:57

  9. Guys, use CFF Explorer from http://www.ntcore.com for greater understanding.
    Read Microsoft’s PE COFF specification document.
    Rgds,
    palaniyappan

    Comment by palaniyappan — Friday 12 November 2010 @ 5:36

  10. I use CFF Explorer occasionally

    Comment by Didier Stevens — Friday 12 November 2010 @ 11:23

  11. […] discovered the flag FORCE_INTEGRITY last year when I released my tool setdllcharacteristics. This flag will force a check of the executable’s digital signature (on Windows Vista and […]

    Pingback by Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag « Didier Stevens — Thursday 27 October 2011 @ 17:46

  12. I was hoping this tool would be able to quickly dump the flags for individual files or subdirectories of files. Any recommendations to dump out the flags for many files easily?

    Comment by Chad — Tuesday 25 September 2012 @ 17:39

  13. @Chad I suggest you create a .BAT file to do this. Use dir /s /b *.exe to list the exe files you want to check.

    Comment by Didier Stevens — Saturday 29 September 2012 @ 17:37

  14. Hopefully I missed something easy, but the tool does not dump out what the flags currently are when I run it without changing any flags. Should it?

    Comment by Chad — Saturday 29 September 2012 @ 21:58

  15. Update (user error?) – Thanks for a great tool! I’m not sure why but initially the tool did not dump anything about an EXE; it just exited. After a reboot, it is now working as expected.

    Comment by Chad — Tuesday 2 October 2012 @ 18:33

  16. @Chad No worries.

    Comment by Didier Stevens — Tuesday 2 October 2012 @ 19:28

  17. […] fixer if you want a real clean dump. This can be handy here "setdllcharacteristics": setdllcharacteristics | Didier Stevens Copy "eso.exe" to say "_eso.exe" and run this like: setdllcharacteristics -n -d […]

    Pingback by Unpack eso.live.1.0.0.709717 — Sunday 13 April 2014 @ 2:11

  18. […] Minasi (http://www.minasi.com/apps/) 11. Setdllcharacteristics (https://blog.didierstevens.com/2010/10/17/setdllcharacteristics/) Reverse engineering 1. Olly Dbg (Program: http://www.ollydbg.de/download.htm) 2. Radare (Program: […]

    Pingback by Compilation of computer security tools | Seguridad Informatica — Thursday 17 July 2014 @ 22:58

  19. […] It means relocations are not working, and ASLR is causing this error. You can disable ASLR using setdllcharacteristics or using CFF Explorer. For CFF Explorer, go to Optional Header -> DllCharacteristics -> click […]

    Pingback by Flare-On7 Challenge 2: Garbage – Irshad's Blog — Friday 27 November 2020 @ 3:38
