trailofbits / winchecksec

Checksec, but for Windows: static detection of security mitigations in executables
https://trailofbits.github.io/winchecksec/
Apache License 2.0
564 stars 77 forks source link
hacktoberfest mitigations security windows

winchecksec

CI

winchecksec performs static detection of common Windows security features.

The following security features are currently detected:

Building

winchecksec depends on pe-parse and uthenticode, which can be installed via vcpkg:

$ vcpkg install pe-parse uthenticode

NOTE: On Windows, vcpkg defaults to 32-bit builds. If you're doing a 64-bit winchecksec build, you'll need to explicitly build the dependencies as 64-bit:

$ vcpkg install pe-parse:x64-windows uthenticode:x64-windows

Building on Linux

$ git clone https://github.com/trailofbits/winchecksec.git
$ cd winchecksec
$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release ..
$ cmake --build .
$ ./build/winchecksec

Building on Windows

> git clone https://github.com/trailofbits/winchecksec.git
> cd winchecksec
> mkdir build
> cd build
> cmake ..
> cmake --build . --config Release
> .\Release\winchecksec.exe C:\Windows\notepad.exe

Usage

As a command-line tool, winchecksec has two output modes: a plain-text mode for easy reading, and a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output is enabled by passing --json or -j:

> .\Release\winchecksec.exe C:\Windows\notepad.exe

Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "Present"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "NotApplicable"
GS              : "Present"
Authenticode    : "NotPresent"
.NET            : "NotPresent"

> .\Release\winchecksec.exe -j C:\Windows\notepad.exe

[{
   "path": "C:\\Windows\\notepad.exe",
   "mitigations": {
      "dynamicBase": {
         "presence": "Present",
         "description": "Binaries with dynamic base support can be dynamically rebased, enabling ASLR."
      },
      "rfg": {
         "description": "Binaries with RFG enabled have additional return-oriented-programming protections.",
         "presence": "NotPresent"
      },
      "seh": {
         "description": "Binaries with SEH support can use structured exception handlers.",
         "presence": "Present"
      },
      // ...
   }
}]

winchecksec also provides a C++ API; documentation is hosted here.

Hacking

winchecksec is formatted with clang-format. You can use the clang-format target to auto-format it locally:

$ make clang-format

winchecksec also comes with a suite of unit tests that use pegoat as a reference for various security mitigations. To build the unit tests, pass -DBUILD_TESTS=1 to the CMake build.

Statistics for different flags across EXEs on Windows 10

Prevalence of various security features on a vanilla Windows 10 (1803) installation:

aslr authenticode cfg dynamicBase forceIntegrity gs highEntropyVA isolation nx rfg safeSEH seh
79% 37% 49% 79% 3% 65% 43% 100% 79% 6% 25% 91%