
Check DllCharacteristics values with Windbg


Below are the steps to find whether a module has any mitigations enabled, such as SafeSEH, ASLR or NXCompat. If DllCharacteristics is set to 0, no mitigations are enabled.

Find module base address

0:001> lm m PowerManagementCtrl
Browse full module list
start    end        module name
02240000 02269000   PowerManagementCtrl   (deferred)  

We need to find the IMAGE DOS HEADER

0:001> dt ntdll!_IMAGE_DOS_HEADER 02240000
   +0x000 e_magic          : 0x5a4d
   +0x002 e_cblp           : 0x90
   +0x004 e_cp             : 3
   +0x006 e_crlc           : 0
   +0x008 e_cparhdr        : 4
   +0x00a e_minalloc       : 0
   +0x00c e_maxalloc       : 0xffff
   +0x00e e_ss             : 0
   +0x010 e_sp             : 0xb8
   +0x012 e_csum           : 0
   +0x014 e_ip             : 0
   +0x016 e_cs             : 0
   +0x018 e_lfarlc         : 0x40
   +0x01a e_ovno           : 0
   +0x01c e_res            : [4] 0
   +0x024 e_oemid          : 0
   +0x026 e_oeminfo        : 0
   +0x028 e_res2           : [10] 0
   +0x03c e_lfanew         : 0n232

The e_lfanew field at offset 0x03c holds the offset to our PE header, shown here as the decimal value 0n232. To convert 0n232 to its hexadecimal value, run ?0n232.

Convert PE Header offset to hexadecimal

0:001> ?0n232
Evaluate expression: 232 = 000000e8

Dump IMAGE NT HEADER

Now we need to dump the IMAGE NT HEADER at offset 0xe8 from the module base.

0:001> dt ntdll!_IMAGE_NT_HEADERS 02240000 + 0xe8
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER

Dump OPTIONAL HEADER

The next step is to dump the IMAGE OPTIONAL HEADER, which starts at offset 0x18 from the NT header. At offset 0x46 from the OPTIONAL HEADER we see that DllCharacteristics is 0, meaning no SafeSEH, ASLR or NXCompat was compiled into this module.
We can also do the same using ProcessHacker, which automates this check.

0:001> dt ntdll!_IMAGE_OPTIONAL_HEADER 02240000 + 0xe8 + 0x18
   +0x000 Magic            : 0x10b
   +0x002 MajorLinkerVersion : 0x6 ''
   +0x003 MinorLinkerVersion : 0 ''
   +0x004 SizeOfCode       : 0x14000
   +0x008 SizeOfInitializedData : 0x14000
   +0x00c SizeOfUninitializedData : 0
   +0x010 AddressOfEntryPoint : 0x3632
   +0x014 BaseOfCode       : 0x1000
   +0x018 BaseOfData       : 0x15000
   +0x01c ImageBase        : 0x10000000
   +0x020 SectionAlignment : 0x1000
   +0x024 FileAlignment    : 0x1000
   +0x028 MajorOperatingSystemVersion : 4
   +0x02a MinorOperatingSystemVersion : 0
   +0x02c MajorImageVersion : 0
   +0x02e MinorImageVersion : 0
   +0x030 MajorSubsystemVersion : 4
   +0x032 MinorSubsystemVersion : 0
   +0x034 Win32VersionValue : 0
   +0x038 SizeOfImage      : 0x29000
   +0x03c SizeOfHeaders    : 0x1000
   +0x040 CheckSum         : 0
   +0x044 Subsystem        : 2
   +0x046 DllCharacteristics : 0
   +0x048 SizeOfStackReserve : 0x100000
   +0x04c SizeOfStackCommit : 0x1000
   +0x050 SizeOfHeapReserve : 0x100000
   +0x054 SizeOfHeapCommit : 0x1000
   +0x058 LoaderFlags      : 0
   +0x05c NumberOfRvaAndSizes : 0x10
   +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
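The same header walk in code, as an added example that is not from the post: a small Python parser follows e_lfanew to the NT headers, reads DllCharacteristics at OptionalHeader+0x46 and decodes the flag bits (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP). One caveat: the NO_SEH bit only says the image uses no SEH at all; SafeSEH proper is recorded in the load config directory's SEHandlerTable, which this parser does not inspect. The sample header it builds is constructed, not a real module; the function and constant names are my own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",        # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",           # DEP/NX opt-in
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",              # image uses no SEH at all (not SafeSEH)
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def read_dll_characteristics(image: bytes) -> int:
    """Walk the headers as the WinDbg session does: e_lfanew at DOS+0x3c ->
    IMAGE_NT_HEADERS, OptionalHeader at NT+0x18, DllCharacteristics at
    OptionalHeader+0x46 (same offset for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3c)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 0x18
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10b, 0x20b):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", image, opt + 0x46)
    return dll_chars

def decode(dll_chars: int) -> list:
    """Names of the set flags in ascending bit order; [] means no mitigations."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]

def build_sample_header(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a real module), e_lfanew = 0xe8 as in the post."""
    dos = (b"MZ" + b"\0" * 0x3a + struct.pack("<I", 0xe8)).ljust(0xe8, b"\0")
    file_hdr = b"\0" * 20                         # IMAGE_FILE_HEADER, contents irrelevant here
    opt = bytearray(0xe0)                         # PE32 optional header size
    struct.pack_into("<H", opt, 0x00, 0x10b)      # Magic: PE32
    struct.pack_into("<H", opt, 0x44, 2)          # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 0x46, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header(0)
    flags = read_dll_characteristics(data)
    print("DllCharacteristics = 0x%04x -> %s" % (flags, decode(flags) or "no mitigations"))
```

Pass a path to an on-disk module to inspect a real file; with no argument it parses the constructed header, which reports 0 like the module in the post.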