NetSPI / PESecurity

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
https://blog.netspi.com/verifying-aslr-dep-and-safeseh-with-powershell/
MIT License

ASLR High Entropy #6

Closed Speciesx closed 2 years ago

Speciesx commented 8 years ago

It would be nice if ASLR High Entropy would be also tested.

egru commented 8 years ago

I'll see what I can do.

jbkempf commented 4 years ago

That would be nice, indeed.

savchenko commented 4 years ago

@jbkempf, I believe this was implemented a long time ago:

    Get-PESecurity -File .\vlc.exe

    ARCH             : AMD64
    DotNET           : False
    ASLR             : True
    DEP              : True
    Authenticode     : True
    StrongNaming     : N/A
    SafeSEH          : N/A
    ControlFlowGuard : False
    HighentropyVA    : True

Thanks for your work on VLC!

jbkempf commented 4 years ago

> @jbkempf, I believe this was implemented a long time ago:

I'm an idiot, I tested after commenting. Sorry...

> Thanks for your work on VLC!

Thanks. I need to look at CFG, now.

savchenko commented 4 years ago

@jbkempf, it looks like you are building for Windows with GCC/MinGW. While there is CFI for clang, I am not aware of any gcc alternative(s).

On the slightly relevant note, you might consider -fstack-protector-strong and -fstack-clash-protection.

jbkempf commented 4 years ago

> @jbkempf, it looks like you are building for Windows with GCC/MinGW. While there is CFI for clang, I am not aware of any gcc alternative(s).

I will have a look at that. But how will this project detect it?

> On the slightly relevant note, you might consider -fstack-protector-strong and -fstack-clash-protection.

https://github.com/videolan/vlc/blob/master/configure.ac#L1236 does it already.

Do you think we should do -fstack-clash-protection too?
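For the question of how a tool detects these properties (and for the `HighentropyVA` / `ControlFlowGuard` fields in the `Get-PESecurity` output quoted earlier), the relevant bits live in the PE optional header's `DllCharacteristics` word: `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (0x0040), `NX_COMPAT` (0x0100), `HIGH_ENTROPY_VA` (0x0020) and `GUARD_CF` (0x4000). The following Python is an added illustration written for this thread, not PESecurity's own code and not VLC's; the `build_minimal_pe` fixture constructs a headers-only blob so the parser can be run offline, and the mitigation names mirror the tool's output fields only by convention.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF optional header.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE    = 0x0040
NX_COMPAT       = 0x0100
GUARD_CF        = 0x4000
# IMAGE_FILE_* bit from the COFF file header Characteristics.
RELOCS_STRIPPED = 0x0001

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def pe_mitigations(data: bytes) -> dict:
    """Read the header bits that decide ASLR, DEP, CFG and high-entropy VA."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    is64 = magic == 0x20B
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "ARCH": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "ASLR": dynamic_base,
        # Caveat: DYNAMIC_BASE is only honoured if the image still carries relocations.
        "RelocationsStripped": bool(file_chars & RELOCS_STRIPPED),
        "DEP": bool(dll_chars & NX_COMPAT),
        "ControlFlowGuard": bool(dll_chars & GUARD_CF),
        # High-entropy VA only means something for 64-bit images that are relocatable.
        "HighEntropyVA": is64 and dynamic_base and bool(dll_chars & HIGH_ENTROPY_VA),
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a real EXE/DLL on disk."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def build_minimal_pe(dll_chars: int, pe32plus: bool = True, file_chars: int = 0x0022) -> bytes:
    """Constructed test fixture (hypothetical): DOS + NT headers only, no sections.
    It is not a loadable image; it exists so the parser can be exercised offline."""
    machine = 0x8664 if pe32plus else 0x014C
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)                        # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample modelled on the vlc.exe output in the thread: ASLR, DEP and
# high-entropy VA on, CFG off.
SAMPLE_VLC_LIKE = build_minimal_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT)
# Constructed sample of a build that also set the CFG bit (MSVC /guard:cf does this).
SAMPLE_WITH_CFG = build_minimal_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF)

if __name__ == "__main__":
    for name, blob in (("vlc-like", SAMPLE_VLC_LIKE), ("with-cfg", SAMPLE_WITH_CFG)):
        print(name, pe_mitigations(blob))
```

Two of the returned keys carry the checks a plain flag dump omits: `HighEntropyVA` is reported only for a 64-bit, relocatable image, because the bit is meaningless on 32-bit or non-relocatable binaries, and `RelocationsStripped` flags the case where `DYNAMIC_BASE` is set but the loader cannot actually rebase the image.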

savchenko commented 4 years ago

@jbkempf, if memory serves me well, the Fedora / Ubuntu teams enable it for userland by default, so... I don't immediately see why not, at least for a Beta.

Also, reading through the GCC instrumentation options, there is -fcf-protection which looks suspiciously similar to CFI and /GUARD:CF.

Further search returned an interesting discussion at HN which can be summarised as follows:

    -D_FORTIFY_SOURCE=2         glibc hardening
    -Wp,-D_GLIBCXX_ASSERTIONS   glibc++ hardening
    -fstack-protector-strong    stack smash protection
    -fstack-clash-protection    stack clash protection
    -fPIE -pie                  better ASLR protection
    -Wl,-z,noexecstack          don't allow code on stack
    -Wl,-z,relro                ELF hardening
    -Wl,-z,now                  ELF hardening
    -fcf-protection=full        ROP protection

jbkempf commented 4 years ago

> @jbkempf, if memory serves me well, the Fedora / Ubuntu teams enable it for userland by default, so... I don't immediately see why not, at least for a Beta.
>
> Also, reading through the GCC instrumentation options, there is -fcf-protection which looks suspiciously similar to CFI and /GUARD:CF.
>
> Further search returned an interesting discussion at HN which can be summarised as follows:
>
>     -D_FORTIFY_SOURCE=2         glibc hardening
>     -Wp,-D_GLIBCXX_ASSERTIONS   glibc++ hardening
>     -fstack-protector-strong    stack smash protection
>     -fstack-clash-protection    stack clash protection
>     -fPIE -pie                  better ASLR protection
>     -Wl,-z,noexecstack          don't allow code on stack
>     -Wl,-z,relro                ELF hardening
>     -Wl,-z,now                  ELF hardening
>     -fcf-protection=full        ROP protection

Most of those don't apply to Windows, tbh :D