Part of this issue has already been discussed on the forum, but at the moment the task is a bit different. You need to get information about whether the process uses ASLR and DEP technologies in C #.

This code, which is a reinterpretation of this code , works correctly:

/* Definitions required for getting policies */ const int Process_Query_Information = 0x0400; const int Process_WM_Read = 0x0010; public enum Process_Mitigation_Policy { ProcessDEPPolicy = 0, ProcessASLRPolicy = 1 } [StructLayout(LayoutKind.Explicit)] public struct union { [FieldOffset(0)] uint EnableBottomUpRandomization; [FieldOffset(0)] uint EnableForceRelocateImages; [FieldOffset(0)] uint EnableHighEntropy; [FieldOffset(0)] uint DisallowStrippedImages; [FieldOffset(0)] uint ReservedFlags; } public struct Process_Mitigation_Type_Policy { uint Flags; bool EnableBottomUpRandomization { get { return (Flags & 1) > 0; } } bool EnableForceRelocateImage { get { return (Flags & 2) > 0; } } bool EnableHighEntropy { get { return (Flags & 4) > 0; } } bool DisallowStrippedImages { get { return (Flags & 8) > 0; } } }

By analogy, I tried to get information about DEP. According to MSDN , I defined the structure of this type:

  public struct Process_Mitigation_DEP_Policy { uint Flags; bool Enable { get { return (Flags & 1) > 0; } } bool DisableAtlThunkEmulation { get { return (Flags & 2) > 0; } } }

Having tried to use the implemented functionality, it turned out that the same functions refuse to work with this structure. One of the problems is that I need to define a union of another kind, again, according to MSDN ( union for DEP ), but then a union override error occurs. How to define another structure and use it in the same code is not clear to me, especially considering that the WINAPI functions described on MSDN represent examples of functions for C ++ and transferring the latter to C # is also quite difficult.

Question: how to get information about the use of DEP and ASLR process?

  • If you are given an exhaustive answer, mark it as correct (a daw opposite the selected answer). - Nicolas Chabanovsky

1 answer 1

You forgot the Permanent field in the structure:

 struct Process_Mitigation_DEP_Policy { uint Flags; bool Permanent; bool Enable { get { return (Flags & 1) > 0; } } bool DisableAtlThunkEmulation { get { return (Flags & 2) > 0; } } }

Further, indeed, the function GetProcessMitigationPolicy takes the 3rd argument to a pointer to one of the many structures. Therefore, it is necessary to declare the corresponding overloads for all types of structures that you intend to use:

 // Для ASLR [DllImport("kernel32.dll")] static extern bool GetProcessMitigationPolicy( IntPtr hProcess, PROCESS_MITIGATION_POLICY mitigationPolicy, ref Process_Mitigation_DEP_Policy lpBuffer, int dwLength); // Для DEP [DllImport("kernel32.dll")] static extern bool GetProcessMitigationPolicy( IntPtr hProcess, PROCESS_MITIGATION_POLICY mitigationPolicy, ref PROCESS_MITIGATION_ASLR_POLICY lpBuffer, int dwLength);

We call the function as before, passing the corresponding structure to it:

 // информация по DEP var depPolicy = new Process_Mitigation_DEP_Policy(); bool success = GetProcessMitigationPolicy(hProc, PROCESS_MITIGATION_POLICY.ProcessDEPPolicy, ref depPolicy, Marshal.SizeOf(depPolicy)); if (success) { // ... } // информация по ASLR var aslrPolicy = new PROCESS_MITIGATION_ASLR_POLICY(); success = GetProcessMitigationPolicy(hProc, PROCESS_MITIGATION_POLICY.ProcessASLRPolicy, ref aslrPolicy, Marshal.SizeOf(aslrPolicy)); if (success) { // ... }
  • Thank you very much, your answer really helped - the code is executed correctly. The only time is that I cannot get information about DEP about 64-bit applications (the function returns false, while Process Explorer says that DEP is enabled for this application, and this is observed only in the case of 64-bit applications), with 32-bit everything is working. Do not tell me how to solve this situation? Perhaps you can solve it via WMI? Thank you in advance! - Brian O'Conner 2:55 pm
  • Sorry, @kmv, forgot to include your nickname in the comments - Brian O'Conner
  • @ BrianO'Conner is valid, it does not work for 64-bit processes. I can not yet say why. - kmv
  • 2
    @ BrianO'Conner is possible because, for 64-bit processes, DEP is always on and cannot be disabled: On the 64-bit versions of Windows, there are no system configuration settings to disable it. stackoverflow.com/questions/1209052/… - kmv
  • Thank you very much, @kmv, I’ll consider this in the program - Brian O'Conner