egru
commented
6 years ago Thanks for noticing that. I added a check and pushed it to the master branch 21d122f02b584d92fa665960c178f5be1277ccc8
Closed wdormann closed 6 years ago
egru
commented
6 years ago Thanks for noticing that. I added a check and pushed it to the master branch 21d122f02b584d92fa665960c178f5be1277ccc8
wdormann
commented
6 years ago For the record, it appears that .NET executables are relocated on Windows 8 and newer even without a relocations table. So the check appears to get a little messier. I've updated https://gist.github.com/wdormann/dcdba9840701c879115f9aa5c1ef86dc to reflect this.
egru
commented
6 years ago Interesting. I'll take a look at it a bit more and add the checks in.
egru
commented
6 years ago I added checks for .NET and if the current Windows environment is 8 or greater.
Get-PESecurity indicates that EXE files use the ASLR mitigation solely upon the presence of it being linked with the /DYNAMICBASE flag. However, this is not enough for an EXE file to be randomized. If an EXE has its relocation table stripped, then it will not be randomized by windows.
In the case of vlc.exe, this tool indicates that it is ASLR compatible:
But the executable has its relocation table stripped, so it cannot be randomized using Windows ASLR: