
How do I determine if an EXE (or DLL) participates in ASLR, i.e. is relocatable?

I want to check whether some EXEs on my system are relocatable and participate in ASLR.

I know the default behavior of the linker is to strip base relocations, so that the EXE is not relocatable?

How do I see from a tool like FileAlyzer whether the image participates in ASLR?

Shuzheng asked Mar 12 '23 07:03


1 Answer

A relocatable module (exe or dll) doesn't necessarily need to have ASLR enabled, but a module that has ASLR enabled needs to be relocatable.

A module that is ASLR-enabled (using the /DYNAMICBASE linker switch) will be loaded at a random address regardless of its ImageBase (the preferred load address) and therefore it must be relocatable or it cannot be loaded.

If a module is not ASLR-enabled the loader will first try to load it at the ImageBase. If that is not possible (the memory is already allocated), it will try to load it at another address; if the module is relocatable it will succeed, if not it will fail.

How to identify a relocatable module?

A module that is not relocatable will have the IMAGE_FILE_RELOCS_STRIPPED (0x0001) bit flag set in the Characteristics field of its File Header. A relocatable module will have this bit cleared and it will also have a section with relocations (like .reloc). You can examine that flag with software like PEView or dumpbin /headers your_module.exe (or dll).

How to identify a module with ASLR enabled?

An ASLR-enabled module will be relocatable (the relocs stripped flag unset) and it will also have the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) flag set in the DllCharacteristics field of the optional header. The DllCharacteristics is used for both EXEs and DLLs regardless of its name.

Again, you can check whether this flag is set with a PE file explorer like PEView or with dumpbin /headers your_module.dll (or exe).

Mihai answered Apr 28 '23 04:04
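The two header checks from the answer above can also be scripted. This is an added example, not code from the answer: the names aslr_status and sample_pe are made up here, the field offsets are those of the PE/COFF header layout, and a non-empty base relocation directory (data directory index 5) is used as the test for "has relocations".

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # Characteristics (file header)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics (optional header)
BASERELOC_DIR = 5                               # index of the base relocation directory

def aslr_status(data):
    """Apply the answer's two checks to the raw bytes of a PE image."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24:
        raise ValueError("PE signature or file header missing")
    opt_size, characteristics = struct.unpack_from("<HH", data, pe + 20)
    opt = pe + 24                                           # optional header start
    if opt_size < 96 or len(data) < opt + opt_size:
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)               # PE32 / PE32+
    if dirs is None or opt_size < dirs:
        raise ValueError("unsupported optional header")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    count = struct.unpack_from("<I", data, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    entry = dirs + 8 * BASERELOC_DIR
    has_dir = count > BASERELOC_DIR and entry + 8 <= opt_size
    reloc_size = struct.unpack_from("<II", data, opt + entry)[1] if has_dir else 0
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    relocatable = not stripped and reloc_size > 0
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {"relocs_stripped": stripped, "relocatable": relocatable,
            "dynamic_base": dynamic_base, "aslr": relocatable and dynamic_base}

def sample_pe(characteristics, dll_chars, reloc_size):
    """Constructed PE32 headers (not a loadable image), for demonstration only."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x3000, reloc_size)
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:                               # e.g. your_module.exe
        with open(path, "rb") as f:
            print(path, aslr_status(f.read()))
```

Run it with one or more file paths as arguments to print the result for each module.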