Find out if a process is using ASLR in C#

Question:

In general, this opus was written, which is below. Google for the fifth day, could not do anything sensible. The code should work, but most likely I did not define the functions and variables correctly, which causes False on each process.

Here is the code:

class Program{
    const int PROCESS_QUERY_INFORMATION = 0x0400;
    const int PROCESS_WM_READ = 0x0010;

    public enum PROCESS_MITIGATION_POLICY
    {
        ProcessDEPPolicy = 0,
        ProcessASLRPolicy = 1,
        ProcessDynamicCodePolicy = 2,
        ProcessStrictHandleCheckPolicy = 3,
        ProcessSystemCallDisablePolicy = 4,
        ProcessMitigationOptionsMask = 5,
        ProcessExtensionPointDisablePolicy = 6,
        ProcessControlFlowGuardPolicy = 7,
        ProcessSignaturePolicy = 8,
        ProcessFontDisablePolicy = 9,
        ProcessImageLoadPolicy = 10,
        MaxProcessMitigationPolicy = 11
    }
    [StructLayout(LayoutKind.Explicit)]
    public struct union
    {
        [FieldOffset(0)]
        uint EnableBottomUpRandomization;
        [FieldOffset(0)]
        uint EnableForceRelocateImages;
        [FieldOffset(0)]
        uint EnableHighEntropy;
        [FieldOffset(0)]
        uint DisallowStrippedImages;
        [FieldOffset(0)]
        uint ReservedFlags;
    }

    public struct PROCESS_MITIGATION_ASLR_POLICY
    {
        uint Flags;
        union other;
    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(
        int dwDesiredAccess,
        bool bInheritHandle,
        int dwProcessId);

    [DllImport("kernel32.dll")]
    static extern bool GetProcessMitigationPolicy(
        IntPtr hProcess,
        PROCESS_MITIGATION_POLICY mitigationPolicy,
        ref PROCESS_MITIGATION_ASLR_POLICY lpBuffer,
        int dwLength);

    static void Main()
    {
        string ID_str = Console.ReadLine();
        int ID = int.Parse(ID_str);
        Process proc = Process.GetProcessById(ID);

        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ, false, proc.Id);
        PROCESS_MITIGATION_ASLR_POLICY PMAP = new PROCESS_MITIGATION_ASLR_POLICY();

        bool result = GetProcessMitigationPolicy(hProc, PROCESS_MITIGATION_POLICY.ProcessASLRPolicy, ref PMAP, Marshal.SizeOf(PMAP));
        Console.WriteLine(result);
        Console.ReadKey();
    }
}

pinvoke.net doesn't share these features, so I'm kind of stumped.

Answer:

In the original, PROCESS_MITIGATION_ASLR_POLICY contains a bit structure that C# does not support. So the definition needs to be reworked a bit (check Marshal.SizeOf should return 4):

struct PROCESS_MITIGATION_ASLR_POLICY
{
    uint Flags;

    bool EnableBottomUpRandomization {
        get { return (Flags & 1) > 0; }
    }

    bool EnableForceRelocateImages {
        get { return (Flags & 2) > 0; }
    }

    bool EnableHighEntropy {
        get { return (Flags & 4) > 0; }
    }

    bool DisallowStrippedImages {
        get { return (Flags & 8) > 0; }
    }
}
Post Views: 12
Scroll to Top