DEP is not module based, but process based

[mrexodia]

The DEP option for each module is interesting to have, but it doesn't tell you much because DEP could be enabled anyway. Below is a code snippet that checks if DEP is enabled in the process (it's also a neat DLL that you can inject to enable DEP on processed that don't have it enabled):

#include <windows.h>

char message[256];

extern "C" __declspec(dllexport) BOOL WINAPI DllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD     fdwReason,
    _In_ LPVOID    lpvReserved
)
{
    auto bSetProcessDEPPolicy = SetProcessDEPPolicy(PROCESS_DEP_ENABLE);
    auto hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    DWORD lpFlags;
    BOOL bPermanent;
    auto bGetProcessDEPPolicy = GetProcessDEPPolicy(hProcess, &lpFlags, &bPermanent);
    CloseHandle(hProcess);
    wsprintfA(message, "[EnableDEP] bSetProcessDEPPolicy: %d, bGetProcessDEPPolicy = %d, lpFlags = %d, bPermanent = %d", bSetProcessDEPPolicy, bGetProcessDEPPolicy, lpFlags, bPermanent);
    OutputDebugStringA(message);
    return TRUE;
}

[klks]

The checksec plugin currently only enumerates items in the Module::ModuleInfo and checks if the DllCharacteristics has the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set. I don't believe I have any active checks done on the current debugged processes, they are passively collected via flags set in the PE headers.

[mrexodia]

I know, that's why I opened this issue 😄