{"id":18894193,"url":"https://github.com/trailofbits/winchecksec","last_synced_at":"2025-05-15T11:05:12.355Z","repository":{"id":40267294,"uuid":"144762970","full_name":"trailofbits/winchecksec","owner":"trailofbits","description":"Checksec, but for Windows: static detection of security mitigations in executables","archived":false,"fork":false,"pushed_at":"2025-01-13T16:47:05.000Z","size":596,"stargazers_count":582,"open_issues_count":18,"forks_count":77,"subscribers_count":48,"default_branch":"master","last_synced_at":"2025-04-14T18:10:06.512Z","etag":null,"topics":["hacktoberfest","mitigations","security","windows"],"latest_commit_sha":null,"homepage":"https://trailofbits.github.io/winchecksec/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-14T19:21:14.000Z","updated_at":"2025-04-04T04:44:53.000Z","dependencies_parsed_at":"2025-01-18T22:38:38.951Z","dependency_job_id":"812b8628-1797-4200-9da5-6b7f6dd953a2","html_url":"https://github.com/trailofbits/winchecksec","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwinchecksec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwinchecksec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwinchecksec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwinchecksec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/winchecksec/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248933340,"owners_count":21185460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","mitigations","security","windows"],"created_at":"2024-11-08T08:19:43.559Z","updated_at":"2025-04-14T18:10:11.489Z","avatar_url":"https://github.com/trailofbits.png","language":"C++","readme":"winchecksec\n===========\n\n[![CI](https://github.com/trailofbits/winchecksec/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/winchecksec/actions/workflows/ci.yml)\n\n`winchecksec` performs static detection of common Windows security features.\n\nThe following security features are currently detected:\n\n* ASLR:\n    * `/DYNAMICBASE` with stripped relocation entries edge-case\n    * `/HIGHENTROPYVA` for 64-bit systems\n* Code integrity/signing:\n    * `/INTEGRITYCHECK`\n    * Authenticode-signed with a valid (trusted, active) certificate (currently unsupported on Linux)\n* DEP (a.k.a. W^X, NX)\n* Manifest isolation via (`/ALLOWISOLATION`)\n* Structured Exception Handling and SafeSEH support\n* Control Flow Guard and Return Flow Guard instrumentation\n* Stack cookie (`/GS`) support\n\n## Building\n\n`winchecksec` depends on [pe-parse](https://github.com/trailofbits/pe-parse) and\n[uthenticode](https://github.com/trailofbits/uthenticode), which can be installed via `vcpkg`:\n\n```bash\n$ vcpkg install pe-parse uthenticode\n```\n\n**NOTE**: On Windows, `vcpkg` defaults to 32-bit builds. If you're doing a 64-bit `winchecksec`\nbuild, you'll need to explicitly build the dependencies as 64-bit:\n\n```bash\n$ vcpkg install pe-parse:x64-windows uthenticode:x64-windows\n```\n\n### Building on Linux\n```bash\n$ git clone https://github.com/trailofbits/winchecksec.git\n$ cd winchecksec\n$ mkdir build\n$ cd build\n$ cmake -DCMAKE_BUILD_TYPE=Release ..\n$ cmake --build .\n$ ./build/winchecksec\n```\n\n### Building on Windows\n```cmd\n\u003e git clone https://github.com/trailofbits/winchecksec.git\n\u003e cd winchecksec\n\u003e mkdir build\n\u003e cd build\n\u003e cmake ..\n\u003e cmake --build . --config Release\n\u003e .\\Release\\winchecksec.exe C:\\Windows\\notepad.exe\n```\n\n## Usage\n\nAs a command-line tool, `winchecksec` has two output modes: a plain-text mode for easy reading,\nand a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output\nis enabled by passing `--json` or `-j`:\n\n```cmd\n\u003e .\\Release\\winchecksec.exe C:\\Windows\\notepad.exe\n\nDynamic Base    : \"Present\"\nASLR            : \"Present\"\nHigh Entropy VA : \"Present\"\nForce Integrity : \"NotPresent\"\nIsolation       : \"Present\"\nNX              : \"Present\"\nSEH             : \"Present\"\nCFG             : \"NotPresent\"\nRFG             : \"NotPresent\"\nSafeSEH         : \"NotApplicable\"\nGS              : \"Present\"\nAuthenticode    : \"NotPresent\"\n.NET            : \"NotPresent\"\n\n\u003e .\\Release\\winchecksec.exe -j C:\\Windows\\notepad.exe\n\n[{\n   \"path\": \"C:\\\\Windows\\\\notepad.exe\",\n   \"mitigations\": {\n      \"dynamicBase\": {\n         \"presence\": \"Present\",\n         \"description\": \"Binaries with dynamic base support can be dynamically rebased, enabling ASLR.\"\n      },\n      \"rfg\": {\n         \"description\": \"Binaries with RFG enabled have additional return-oriented-programming protections.\",\n         \"presence\": \"NotPresent\"\n      },\n      \"seh\": {\n         \"description\": \"Binaries with SEH support can use structured exception handlers.\",\n         \"presence\": \"Present\"\n      },\n      // ...\n   }\n}]\n```\n\n`winchecksec` also provides a C++ API; documentation is hosted\n[here](https://trailofbits.github.io/winchecksec/).\n\n## Hacking\n\n`winchecksec` is formatted with `clang-format`. You can use the `clang-format` target to\nauto-format it locally:\n\n```bash\n$ make clang-format\n```\n\n`winchecksec` also comes with a suite of unit tests that use\n[pegoat](https://github.com/trailofbits/pegoat) as a reference for various security mitigations.\nTo build the unit tests, pass `-DBUILD_TESTS=1` to the CMake build.\n\n## Statistics for different flags across EXEs on Windows 10\n\nPrevalence of various security features on a vanilla Windows 10 (1803) installation:\n\n| aslr | authenticode | cfg | dynamicBase | forceIntegrity | gs | highEntropyVA |  isolation |  nx |  rfg | safeSEH |  seh |\n| ---- | ------------ | --- | ----------- | -------------- | -- | ------------- | ---------- | --- | ---  | ------- | --- |\n| 79%\t| 37% | 49%\t| 79% | 3% | 65% | 43% | 100% | 79% | 6% | 25%| 91% |\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fwinchecksec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Fwinchecksec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fwinchecksec/lists"}