winchecksec
winchecksec performs static detection of common Windows security features. Developed to satisfy our analysis and research needs, it aims to surpass current open-source security feature detection tools in depth, accuracy, and performance without sacrificing simplicity.
Features
- Address-space layout randomization (ASLR) and 64-bit-aware high-entropy ASLR (HEASLR)
- Authenticity/integrity protections (Authenticode, Forced Integrity)
- Data Execution Prevention (DEP), better known as W^X or No eXecute (NX)
- Manifest isolation
- Structured Exception Handling (SEH) and SafeSEH
- Control Flow Guard (CFG) and Return Flow Guard (RFG)
- Guard Stack (GS), better known as stack cookies or canaries
Install
> git clone https://github.com/trailofbits/winchecksec.git
> cd winchecksec
> mkdir build
> cd build
> cmake -G "Visual Studio 15 2017 Win64" ..
> cmake --build . --config Release
> .\Release\winchecksec.exe C:\Windows\notepad.exe
Use
winchecksec has two output modes: a plain-text mode for easy reading, and a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output is enabled by passing -j.
winchecksec only takes one file at a time. To run it on multiple files or entire directories, wrap it in a loop.
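The loop described above, as an added example in Python (not part of the winchecksec project): it walks a directory, selects PE files by header rather than by extension, and runs winchecksec -j once per file. The binary path, the option-before-file ordering, and the assumption that -j writes a single JSON document to stdout are assumptions; the function names are hypothetical.

```python
import json
import struct
import subprocess
from pathlib import Path

# Assumption: path to the binary produced by the Install steps above.
WINCHECKSEC = r".\Release\winchecksec.exe"


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def run_winchecksec(path):
    """Run winchecksec in JSON mode (-j) on one file and return the parsed output.
    Assumption: the JSON document is the only thing written to stdout."""
    proc = subprocess.run([WINCHECKSEC, "-j", str(path)],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def scan_tree(root, runner=run_winchecksec):
    """Call runner once per PE file under root; return (results, errors) keyed by path."""
    results, errors = {}, {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not is_pe(path):
            continue
        try:
            results[str(path)] = runner(path)
        except (subprocess.CalledProcessError, json.JSONDecodeError, OSError) as exc:
            errors[str(path)] = str(exc)  # keep going; report failures separately
    return results, errors


if __name__ == "__main__":
    import sys
    results, errors = scan_tree(sys.argv[1])
    json.dump({"results": results, "errors": errors}, sys.stdout, indent=2)
```

Files that fail to scan are collected in the errors map instead of aborting the run, so one unreadable or malformed binary does not hide the results for the rest of the directory.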
Copyright 2018 Trail of Bits, Inc.
Source: https://github.com/trailofbits/