Plug-ins now set the ASLR, DEP, LAA and NOSEH flags (bug #1188)

git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@6942 212acab6-be3b-0410-9dea-997c60f758d6

Docs/src/history.but

@@ -26,9 +26,11 @@ Released on ??? ??rd, 20??
 
 \b Added IntOp and System::Int64Op >>> operator
 
-\b Removed unused NSD_LB_Clear macro parameter
+\b Plug-ins now set the ASLR, DEP, LAA and NOSEH PE flags (\W{http://sf.net/p/nsis/bugs/1188}{bug #1188})
 
-\b MakeNSIS now returns 0 for various information commands (\W{http://sf.net/p/nsis/bugs/1193}{bug #1193})
+\b MakeNSIS exits with code 0 for various information commands (\W{http://sf.net/p/nsis/bugs/1193}{bug #1193})
+
+\b Removed unused NSD_LB_Clear macro parameter
 
 \S2{} Translations
 

SCons/utils.py

@@ -131,4 +131,38 @@ def GetOptionOrEnv(name, defval = None):
 		return os.environ[name]
 	return defval
 
-Export('AddAvailableLibs AddZLib FlagsConfigure GetAvailableLibs GetOptionOrEnv')
+def EnablePESecurityFlagsHelper(filepath):
+	"""
+	Sets the [HE]ASLR, DEP and LAA flags in the PE header
+	"""
+	import struct
+	def ReadU16LE(f, fpos):
+		if not fpos is None: f.seek(fpos)
+		return struct.unpack("<H", f.read(2))[0]
+	def ReadU32LE(f, fpos):
+		if not fpos is None: f.seek(fpos)
+		return struct.unpack("<I", f.read(4))[0]
+	def WriteU16LE(f, v, fpos):
+		if not fpos is None: f.seek(fpos)
+		f.write(struct.pack("<H", v))
+	f = open(filepath, "r+b")
+	try:
+		if not 0x5A4D == ReadU16LE(f, 0): return
+		pepos = ReadU32LE(f, 60)
+		if not 0x00004550 == ReadU32LE(f, pepos): return
+		pe64 = 0x20b == ReadU16LE(f, pepos+4+20) # IMAGE_NT_OPTIONAL_HDR64_MAGIC?
+		ifh_c = ReadU16LE(f, pepos+4+18)
+		ifh_c |= 0x0020 # +IMAGE_FILE_LARGE_ADDRESS_AWARE
+		WriteU16LE(f, ifh_c, pepos+4+18)
+		ioh_dc = ReadU16LE(f, pepos+4+20+70)
+		ioh_dc |= 0x0100 # +IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+		ioh_dc |= 0x0400 # +IMAGE_DLLCHARACTERISTICS_NO_SEH
+		if not (ifh_c & 0x0001): # IMAGE_FILE_RELOCS_STRIPPED?
+			ioh_dc |= 0x0040 # +IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
+			if pe64: ioh_dc |= 0x0020 # +IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
+		# TODO: IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE?
+		WriteU16LE(f, ioh_dc, pepos+4+20+70)
+	finally:
+		f.close()
+
+Export('AddAvailableLibs AddZLib FlagsConfigure GetAvailableLibs GetOptionOrEnv EnablePESecurityFlagsHelper')

SConstruct

@@ -420,6 +420,16 @@ def Sign(targets):
 			a = defenv.Action('$CODESIGNER "%s"' % t.path)
 			defenv.AddPostAction(t, a)
 
+Import('EnablePESecurityFlagsHelper')
+def EnablePESecurityFlagsAction(target, source, env):
+	for t in target:
+		EnablePESecurityFlagsHelper(t.path)
+
+def EnablePESecurityFlags(targets):
+	for t in targets:
+		a = defenv.Action(EnablePESecurityFlagsAction, cmdstr=('Setting PE flags on %s' % (t)))
+		defenv.AddPostAction(t, a)
+
 def TestScript(scripts):
 	defenv.Install('$TESTDISTDIR/Tests', scripts)
 
@@ -436,6 +446,7 @@ defenv.DistributeDoc = DistributeDoc
 defenv.DistributeDocs = DistributeDocs
 defenv.DistributeExamples = DistributeExamples
 defenv.Sign = Sign
+defenv.EnablePESecurityFlags = EnablePESecurityFlags
 defenv.TestScript = TestScript
 
 def DistributeExtras(env, target, examples, docs):
@@ -675,6 +686,7 @@ def BuildPluginWorker(target, source, libs, examples = None, docs = None,
 	defenv.Alias(target, plugin)
 	defenv.Alias('plugins', plugin)
 
+	defenv.EnablePESecurityFlags(plugin)
 	defenv.Sign(plugin)
 
 	CleanMap(env, plugin, target)