scripts: add PE .reloc section check to security-check.py

author: fanquake <fanquake@gmail.com> 2020-04-13 20:32:19 +0800
committer: fanquake <fanquake@gmail.com> 2020-04-23 08:40:24 +0800
commit: 3e38023af724a76972d39cbccfb0bba4c54a0323 (patch)
tree: 0c2704053585fd93d6b1c40dc5942a3061f8ab36 /contrib/devtools/security-check.py
parent: 47b94a337e1aad0c347fdfecba999b963ab51006 (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 65a80b4102..9444271bdc 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -158,6 +158,17 @@ def check_PE_HIGH_ENTROPY_VA(executable):
         reqbits = 0
     return (bits & reqbits) == reqbits
 
+def check_PE_RELOC_SECTION(executable) -> bool:
+    '''Check for a reloc section. This is required for functional ASLR.'''
+    p = subprocess.Popen([OBJDUMP_CMD, '-h',  executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
+    (stdout, stderr) = p.communicate()
+    if p.returncode:
+        raise IOError('Error opening file')
+    for line in stdout.splitlines():
+        if '.reloc' in line:
+            return True
+    return False
+
 def check_PE_NX(executable):
     '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
     (arch,bits) = get_PE_dll_characteristics(executable)
@@ -247,7 +258,8 @@ CHECKS = {
 'PE': [
     ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
     ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
-    ('NX', check_PE_NX)
+    ('NX', check_PE_NX),
+    ('RELOC_SECTION', check_PE_RELOC_SECTION)
 ],
 'MACHO': [
     ('PIE', check_MACHO_PIE),
author	fanquake <fanquake@gmail.com>	2020-04-13 20:32:19 +0800
committer	fanquake <fanquake@gmail.com>	2020-04-23 08:40:24 +0800
commit	3e38023af724a76972d39cbccfb0bba4c54a0323 (patch)
tree	0c2704053585fd93d6b1c40dc5942a3061f8ab36 /contrib/devtools/security-check.py
parent	47b94a337e1aad0c347fdfecba999b963ab51006 (diff)