Pestudio on an img file
Today I am releasing a PowerShell script that easily displays whether images (DLLs and EXEs) are compiled with ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and SafeSEH (Structured Exception Handling). Without going into much detail, ASLR, DEP, and SafeSEH are considered best practices for all developers to implement, as they help protect against users exploiting insecure code. As a side note, SafeSEH is only available when linking 32-bit images.

In simplistic terms, PE (Portable Executable) headers contain all the information Windows needs to run compiled images. What I'm interested in are the PE headers within compiled 32-bit and 64-bit images. There are a few solutions out there that already display this, namely PEStudio, CFF Explorer, WinDbg with plugins, and Immunity Debugger with mona.py. However, I find each of these inefficient for scanning multiple files. PowerShell is a great solution for this because it is a native tool that can tap into the Windows API and carve the information out of files.
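As an added example (my own Python, not the author's PowerShell script and not any of the tools named above), here is a header parser that reads the same three properties the script reports: ASLR and DEP from the optional header's DllCharacteristics, and SafeSEH from the SEHandlerTable/SEHandlerCount fields of the 32-bit load config directory. The `build_sample` helper constructs a header-only image so the parser can be exercised without a real binary.

```python
import struct

DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100  # DllCharacteristics bits for ASLR and DEP


def pe_mitigations(data: bytes) -> dict:
    """Report ASLR, DEP and SafeSEH status parsed straight from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1  # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24                                           # optional header follows COFF header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    result = {"ASLR": bool(dllchar & DYNAMIC_BASE), "DEP": bool(dllchar & NX_COMPAT), "SafeSEH": "n/a"}
    if is64:
        return result                                       # SafeSEH is a 32-bit-only mechanism
    # PE32: NumberOfRvaAndSizes at +92, data directories at +96, load config is entry 10.
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 10 * 8) if ndirs > 10 else (0, 0)
    # Section table: (VirtualAddress, SizeOfRawData, PointerToRawData) at +12 of each 40-byte entry.
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    off = next((p + lc_rva - va for va, sz, p in sections if va <= lc_rva < va + sz), None)
    result["SafeSEH"] = False
    if lc_rva and off is not None and lc_size >= 72:        # directory reaches SEHandlerCount
        table, count = struct.unpack_from("<II", data, off + 64)  # SEHandlerTable, SEHandlerCount
        result["SafeSEH"] = table != 0 and count != 0
    return result


def build_sample(is64: bool, dllchar: int, safeseh: bool) -> bytes:
    """Constructed header-only PE image (not a real binary) to exercise the parser offline."""
    opt_size, dd = (240, 112) if is64 else (224, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, dd - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 80, *((0x1000, 72) if safeseh else (0, 0)))
    section = bytearray(40)
    struct.pack_into("<III", section, 12, 0x1000, 0x200, 0x400)  # one section mapped at RVA 0x1000
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 1, 0, 0, 0, opt_size, 0)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)         # e_lfanew = 64
    img = bytearray(dos + b"PE\0\0" + coff + opt + section).ljust(0x600, b"\0")
    if safeseh:
        struct.pack_into("<II", img, 0x400 + 64, 0x2000, 3)  # non-zero SEHandlerTable/Count
    return bytes(img)
```

To scan real files, pass `open(path, "rb").read()` to `pe_mitigations`; a 64-bit image always reports SafeSEH as "n/a", matching the note above that SafeSEH only applies to 32-bit links.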

Update: This post is a little out of date with regard to using the PowerShell script. Refer to the GitHub repo ( ) for an updated script and instructions on how to use it.