Решението е, че опцията е вградена в PE двоичния хедър. Но по-скоро отколкото

loadedImage.FileHeader.FileHeader.Characteristics

it's in:

loadedImage.FileHeader.OptionalHeader.DllCharacteristics

Къде сте поставили флага:

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040; //The DLL can be relocated at load time.

За псевдокод на помощна функция на:

void SetPEOptFlags(String filename, UInt32 flags)
{
   // Any code is released into the public domain. No attribution required.
   LOADED_IMAGE li;
   MapAndLoad(filename, null, li, false, false);
  
   li.FileHeader.OptionalHeader.DllCharacteristics |= flags;
   UnMapAndLoad(li);
}

и след това се обаждам

//Optional dll characteristics
const IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040; //The DLL can be relocated at load time.
const IMAGE_DLLCHARACTERISTICS_NX_COMPAT =    0x0100; //The image is compatible with data execution prevention (DEP).


SetPEOptFlags("C:\Foo\Contoso.exe", 
   IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);