Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/trailofbits/winchecksec

Checksec, but for Windows: static detection of security mitigations in executables
https://github.com/trailofbits/winchecksec

hacktoberfest mitigations security windows

Last synced: about 4 hours ago
JSON representation

Checksec, but for Windows: static detection of security mitigations in executables

Host: GitHub
URL: https://github.com/trailofbits/winchecksec
Owner: trailofbits
License: apache-2.0
Created: 2018-08-14T19:21:14.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2023-05-10T20:11:57.000Z (over 1 year ago)
Last Synced: 2023-11-07T17:15:14.771Z (about 1 year ago)
Topics: hacktoberfest, mitigations, security, windows
Language: C++
Homepage: https://trailofbits.github.io/winchecksec/
Size: 581 KB
Stars: 531
Watchers: 48
Forks: 76
Open Issues: 19
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        winchecksec

===========

[![CI](https://github.com/trailofbits/winchecksec/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/winchecksec/actions/workflows/ci.yml)

`winchecksec` performs static detection of common Windows security features.

The following security features are currently detected:

* ASLR:

    * `/DYNAMICBASE` with stripped relocation entries edge-case

    * `/HIGHENTROPYVA` for 64-bit systems

* Code integrity/signing:

    * `/INTEGRITYCHECK`

    * Authenticode-signed with a valid (trusted, active) certificate (currently unsupported on Linux)

* DEP (a.k.a. W^X, NX)

* Manifest isolation via (`/ALLOWISOLATION`)

* Structured Exception Handling and SafeSEH support

* Control Flow Guard and Return Flow Guard instrumentation

* Stack cookie (`/GS`) support

## Building

`winchecksec` depends on [pe-parse](https://github.com/trailofbits/pe-parse) and

[uthenticode](https://github.com/trailofbits/uthenticode), which can be installed via `vcpkg`:

```bash

$ vcpkg install pe-parse uthenticode

```

**NOTE**: On Windows, `vcpkg` defaults to 32-bit builds. If you're doing a 64-bit `winchecksec`

build, you'll need to explicitly build the dependencies as 64-bit:

```bash

$ vcpkg install pe-parse:x64-windows uthenticode:x64-windows

```

### Building on Linux

```bash

$ git clone https://github.com/trailofbits/winchecksec.git

$ cd winchecksec

$ mkdir build

$ cd build

$ cmake -DCMAKE_BUILD_TYPE=Release ..

$ cmake --build .

$ ./build/winchecksec

```

### Building on Windows

```cmd

> git clone https://github.com/trailofbits/winchecksec.git

> cd winchecksec

> mkdir build

> cd build

> cmake ..

> cmake --build . --config Release

> .\Release\winchecksec.exe C:\Windows\notepad.exe

```

## Usage

As a command-line tool, `winchecksec` has two output modes: a plain-text mode for easy reading,

and a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output

is enabled by passing `--json` or `-j`:

```cmd

> .\Release\winchecksec.exe C:\Windows\notepad.exe

Dynamic Base    : "Present"

ASLR            : "Present"

High Entropy VA : "Present"

Force Integrity : "NotPresent"

Isolation       : "Present"

NX              : "Present"

SEH             : "Present"

CFG             : "NotPresent"

RFG             : "NotPresent"

SafeSEH         : "NotApplicable"

GS              : "Present"

Authenticode    : "NotPresent"

.NET            : "NotPresent"

> .\Release\winchecksec.exe -j C:\Windows\notepad.exe

[{

   "path": "C:\\Windows\\notepad.exe",

   "mitigations": {

      "dynamicBase": {

         "presence": "Present",

         "description": "Binaries with dynamic base support can be dynamically rebased, enabling ASLR."

      },

      "rfg": {

         "description": "Binaries with RFG enabled have additional return-oriented-programming protections.",

         "presence": "NotPresent"

      },

      "seh": {

         "description": "Binaries with SEH support can use structured exception handlers.",

         "presence": "Present"

      },

      // ...

   }

}]

```

`winchecksec` also provides a C++ API; documentation is hosted

[here](https://trailofbits.github.io/winchecksec/).

## Hacking

`winchecksec` is formatted with `clang-format`. You can use the `clang-format` target to

auto-format it locally:

```bash

$ make clang-format

```

`winchecksec` also comes with a suite of unit tests that use

[pegoat](https://github.com/trailofbits/pegoat) as a reference for various security mitigations.

To build the unit tests, pass `-DBUILD_TESTS=1` to the CMake build.

## Statistics for different flags across EXEs on Windows 10

Prevalence of various security features on a vanilla Windows 10 (1803) installation:

| aslr | authenticode | cfg | dynamicBase | forceIntegrity | gs | highEntropyVA |  isolation |  nx |  rfg | safeSEH |  seh |

| ---- | ------------ | --- | ----------- | -------------- | -- | ------------- | ---------- | --- | ---  | ------- | --- |

| 79%	| 37% | 49%	| 79% | 3% | 65% | 43% | 100% | 79% | 6% | 25%| 91% |