DLL Characteristics: the x64dbg base address problem

DLL Characteristics

DLL Characteristics is a WORD field in the Optional Header. It sits at OptionalHeader+0x46, i.e. at file offset +0x16E.

| Constant | Value | Description |
|---|---|---|
| | 0x0001 | Reserved, must be zero. |
| | 0x0002 | Reserved, must be zero. |
| | 0x0004 | Reserved, must be zero. |
| | 0x0008 | Reserved, must be zero. |
| IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | 0x0020 | Image can handle a high entropy 64-bit virtual address space. |
| IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | 0x0040 | DLL can be relocated at load time. |
| IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | 0x0080 | Code Integrity checks are enforced. |
| IMAGE_DLLCHARACTERISTICS_NX_COMPAT | 0x0100 | Image is NX compatible. |
| IMAGE_DLLCHARACTERISTICS_NO_ISOLATION | 0x0200 | Isolation aware, but do not isolate the image. |
| IMAGE_DLLCHARACTERISTICS_NO_SEH | 0x0400 | Does not use structured exception (SE) handling. No SE handler may be called in this image. |
| IMAGE_DLLCHARACTERISTICS_NO_BIND | 0x0800 | Do not bind the image. |
| IMAGE_DLLCHARACTERISTICS_APPCONTAINER | 0x1000 | Image must execute in an AppContainer. |
| IMAGE_DLLCHARACTERISTICS_WDM_DRIVER | 0x2000 | A WDM driver. |
| IMAGE_DLLCHARACTERISTICS_GUARD_CF | 0x4000 | Image supports Control Flow Guard. |
| IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE | 0x8000 | Terminal Server aware. |

x64dbg load base address

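When debugging in x64dbg, if the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag is set, Windows ASLR is enabled for the image. This is somewhat inconvenient when working alongside other tools such as IDA (IDA seems to ignore this flag and always loads 64-bit programs at 0x140000000).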

The flag can therefore be changed with a hex editor (mind the little-endian byte order) or with CFF.

In CFF, uncheck the "DLL can move" option.

Start the program in x64dbg again and the load base is the default 0x140000000.
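As an added example (not part of the original post), the Python script below does what the hex editor and CFF steps above do: it locates DllCharacteristics from e_lfanew rather than a fixed offset, decodes the flags from the table, and returns a copy with DYNAMIC_BASE cleared. The function names are my own, and the header stub is constructed, with e_lfanew set to 0x110 so that the field lands at 0x16E as in the post.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

def dllchar_offset(pe: bytes) -> int:
    """Return the file offset of OptionalHeader.DllCharacteristics."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # PE signature + IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return opt + 0x46                # same field offset in PE32 and PE32+

def read_flags(pe: bytes):
    """Return (raw value, flag names in ascending bit order)."""
    (value,) = struct.unpack_from("<H", pe, dllchar_offset(pe))
    return value, [name for bit, name in sorted(FLAGS.items()) if value & bit]

def clear_dynamic_base(pe: bytes) -> bytes:
    """Return a copy with DYNAMIC_BASE cleared (CFF's 'DLL can move' box)."""
    off = dllchar_offset(pe)
    (value,) = struct.unpack_from("<H", pe, off)
    out = bytearray(pe)
    struct.pack_into("<H", out, off, value & ~DYNAMIC_BASE & 0xFFFF)
    return bytes(out)

def sample_header() -> bytes:
    """Constructed header stub: e_lfanew=0x110, PE32+, flags 0x8160."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x110)
    buf[0x110:0x114] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x128, 0x20B)   # optional header magic
    struct.pack_into("<H", buf, 0x16E, 0x8160)  # stored on disk as 60 81
    return bytes(buf)

if __name__ == "__main__":
    hdr = sample_header()
    print(hex(dllchar_offset(hdr)), read_flags(hdr), read_flags(clear_dynamic_base(hdr)))
```

Run it against a copy of the real file: any change to the header invalidates an Authenticode signature on the image.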

Update, 2025-7-27

My oversight: x64dbg now has an option to turn ASLR off.


posted @ 2025-07-26 15:33  Darkexpeller