How can I enable DEP/NX and ASLR on a Delphi 2006 or earlier executable?

Question

Delphi 2007 (and newer) supports enabling DEP and ASLR via any of these three techniques:

• add the command-line switch –dynamicbase when compiling with dcc32
• add the preprocessor command {$DYNAMICBASE ON} to the source code
• manually OR in the bit in the header, with {$SETPEOPTFLAGS $40} in the source code

I'd like to be able to do the same thing with Delphi 2006 and C++ Builder 2006 (aka BDS 2006). Does anyone know how to do this?

Answer 1

Set PE flags

You can use {$SetPEOptFlags $40} to set the DEP flag, and {$SetPEOptFlags $100} to set the ASLR flag. To set both use {$SetPEOptFlags $140}.

If you have a version of Delphi with the necessary definitions in the Windows.pas unit you can use the much more readable:

{$SetPEOptFlags IMAGE_DLLCHARACTERISTICS_NX_COMPAT or
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE }

Typically you include the $SetPEOptFlags setting in the .dpr file. And so you need to make sure that Windows is in the .dpr file uses clause for these IMAGE_XXX constants to be available.

Set DEP policy at runtime

For versions that don't support PE flag based approaches you can call this function early in your app's initialization:

procedure EnableDEP;
const
  PROCESS_DEP_ENABLE: DWORD=$00000001;
var
  SetProcessDEPPolicy: function(dwFlags: DWORD): BOOL; stdcall;
begin
  SetProcessDEPPolicy := GetProcAddress(GetModuleHandle(kernel32), 
     'SetProcessDEPPolicy');
  if Assigned(SetProcessDEPPolicy) then begin
    //don't bother checking for errors since we don't need to know if it fails
    SetProcessDEPPolicy(PROCESS_DEP_ENABLE);
  end;
end;

This will work for any version of Delphi.

You cannot set the ASLR flag at runtime since it influences how the module is loaded. So ASLR can only be set using PE flags.

Modifying PE flags for very old versions of Delphi

Older versions of Delphi do not support $SetPEFlags and $SetPEOptFlags. For such versions you need to use an external tool to modify the executable post-build. When I originally wrote this answer I assumed that EDITBIN from the MS toolchain would do the job. For DEP it will suffice, using the /NXCOMPAT option. For ASLR you will need to use a different PE flag editor. My websearch revealed peflags from cygwin.

peflags --dynamicbase=true --nxcompat=true MyApp.exe

I'm sure there are other PE flag editing options available.

Answer 2

‘{$DYNAMICBASE ON}’ is new in Delphi2007, ‘{$SETPEOPTFLAGS $40}' was an existing directive: info

{$SetPEOptFlags $40} works in Delphi2006