EXE Audit: Buffer Overflow Protections

TL;DR

This guide shows you how to check if your Windows executable (.exe) files have important security features enabled to help prevent buffer overflow attacks. We’ll use tools built into Windows and some freely available utilities.

Checking EXE Protections

1. Understand the Protections

• Data Execution Prevention (DEP): Prevents code from running in memory areas marked for data.
• Address Space Layout Randomization (ASLR): Randomly arranges the positions of key data areas to make exploits harder to predict.
• Structured Exception Handler Overwrite Protection (SEHOP): Protects against overwriting exception handlers, a common exploit target.

Using Dependency Walker (depends.exe)

Dependency Walker is an older tool but still useful for basic checks.

• Download Dependency Walker from https://www.dependencywalker.com/
• Run Dependency Walker on your .exe file.
• Look in the ‘Imports’ section for entries related to security features:
• kernel32.dll – Check for functions like VirtualProtect (related to DEP).
• If ASLR is enabled, you won’t see specific imports directly indicating it; however, a lack of relocation entries can suggest it’s not fully active.

Using the `dumpbin` command-line tool

dumpbin is part of Visual Studio and provides detailed information about executables.

• Open a Developer Command Prompt for Visual Studio (search in Windows Start menu).
• Navigate to the directory containing your .exe file.
• Run the following command:

  dumpbin /headers your_executable.exe

• Examine the output, specifically looking at these flags in the ‘OPTIONAL HEADER’ section:
• DLL Characteristics: Look for 0x0040 (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) – indicates DEP compatibility.
• Image Base: If this is a fixed address, ASLR may not be fully enabled. A random base suggests ASLR is active.

Using PEView (for more detailed analysis)

PEView provides a graphical interface for examining the Portable Executable (PE) file format.

• Download PEView from https://www.ntcore.com/?pid=peview
• Open your .exe file in PEView.
• Navigate to the ‘Section Headers’ tab.
• Check for sections with the IMAGE_SCN_MEM_EXECUTE flag set – these are executable sections. DEP will prevent code execution from these sections if properly configured.
• Examine the ‘Relocations’ tab. A large number of relocations suggests ASLR is likely enabled, as it needs to adjust addresses at runtime. Few or no relocations might indicate a lack of ASLR.

Checking SEHOP Status (using `editbin`)

SEHOP status can be checked with the editbin tool.

• Open a Developer Command Prompt for Visual Studio.
• Navigate to your .exe file’s directory.
• Run:

  editbin /headers your_executable.exe

• Look for the ‘SEHOP’ flag in the output. If it shows SEHOP enabled, SEHOP is active. If it says SEHOP disabled, it’s not protected.

Important Considerations

• These tools provide indicators, but aren’t foolproof. A sophisticated attacker might bypass these protections.
• Regularly update your compilers and linkers to benefit from the latest security features.
• Consider using a code analysis tool for more in-depth vulnerability detection.