winchecksec: performs static detection of common Windows security features

winchecksec performs static detection of common Windows security features. Developed to satisfy our analysis and research needs, it aims to surpass current open-source security feature detection tools in depth, accuracy, and performance without sacrificing simplicity.

Features

  • Address-space layout randomization (ASLR) and 64-bit-aware high-entropy ASLR (HEASLR)
  • Authenticity/integrity protections (Authenticode, Forced Integrity)
  • Data Execution Prevention (DEP), better known as W^X or No eXecute (NX)
  • Manifest isolation
  • Structured Exception Handling (SEH) and SafeSEH
  • Control Flow Guard (CFG) and Return Flow Guard (RFG)
  • Guard Stack (GS), better known as stack cookies or canaries

Install

> git clone https://github.com/trailofbits/winchecksec.git
> cd winchecksec
> mkdir build
> cd build
> cmake -G "Visual Studio 15 2017 Win64" ..
> cmake --build . --config Release
> .\Release\winchecksec.exe C:\Windows\notepad.exe

Use

winchecksec has two output modes: a plain-text mode for easy reading, and a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output is enabled by passing -j:

> .\Release\winchecksec.exe C:\Windows\notepad.exe

Dynamic Base    : true
ASLR            : true
High Entropy VA : true
Force Integrity : false
Isolation       : true
NX              : true
SEH             : true
CFG             : true
RFG             : false
SafeSEH         : false
GS              : true
Authenticode    : false

> .\Release\winchecksec.exe -j C:\Windows\notepad.exe

{"aslr":true,"authenticode":false,"cfg":true,"dynamicBase":true,"forceIntegrity":false,"gs":true,"highEntropyVA":true,"isolation":true,"nx":true,"path":"C:\\Windows\\notepad.exe","rfg":false,"safeSEH":false,"seh":true}

winchecksec only takes one file at a time. To run it on multiple files or entire directories, wrap it in a loop.
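The JSON mode and the one-file-at-a-time limitation together suggest a small wrapper: walk a directory, invoke winchecksec -j on each PE file, and report which expected mitigations each binary lacks. The script below is an added example, not part of the winchecksec project. It assumes the path to winchecksec.exe is supplied as the first argument, that the JSON field names match those in the sample output above (aslr, dynamicBase, highEntropyVA, nx, cfg, gs, seh), and that the set of mitigations treated as "expected" is a choice made here, not one the tool imposes.

```python
"""Batch wrapper around winchecksec's JSON mode (added example, not project code).

Assumes winchecksec.exe is given as argv[1] and that its -j output uses the
field names shown in the README.  Usage:
    python batch_winchecksec.py .\\Release\\winchecksec.exe C:\\some\\dir
"""
import json
import subprocess
import sys
from pathlib import Path

# Mitigations a defender normally expects on a modern binary, keyed by the JSON
# field names winchecksec emits.  Requiring exactly these is an assumption of
# this example; rfg, safeSEH, authenticode and forceIntegrity are still in each
# report but are not counted as findings here.
EXPECTED = ("dynamicBase", "aslr", "highEntropyVA", "nx", "cfg", "gs", "seh")

# winchecksec analyses PE files; restrict the directory walk to common PE extensions
PE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}


def parse_report(json_text: str) -> dict:
    """Parse one winchecksec -j result; reject JSON that is not a report."""
    report = json.loads(json_text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(report, dict) or "path" not in report:
        raise ValueError("not a winchecksec report (no 'path' field)")
    return report


def missing_mitigations(report: dict, expected=EXPECTED) -> list:
    """Names of expected mitigations that the report marks false or omits."""
    return [name for name in expected if report.get(name) is not True]


def run_winchecksec(exe: str, target: Path) -> dict:
    """Run winchecksec in JSON mode on a single file (it takes one file at a time)."""
    proc = subprocess.run([exe, "-j", str(target)],
                          capture_output=True, text=True, check=True)
    return parse_report(proc.stdout)


def scan_directory(exe: str, root: str) -> dict:
    """Map each PE file under root to its list of missing mitigations.

    A value of None means winchecksec failed on that file (e.g. not a valid PE).
    """
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix.lower() in PE_SUFFIXES):
            continue
        try:
            findings[str(path)] = missing_mitigations(run_winchecksec(exe, path))
        except (subprocess.CalledProcessError, ValueError):
            findings[str(path)] = None
    return findings


def format_findings(findings: dict) -> list:
    """Render findings as text lines: errors first, then most-missing first."""
    order = sorted(findings.items(),
                   key=lambda kv: (0 if kv[1] is None else 1, -len(kv[1] or []), kv[0]))
    lines = []
    for path, missing in order:
        if missing is None:
            lines.append(f"ERROR    {path}")
        elif missing:
            lines.append(f"MISSING  {path}: {', '.join(missing)}")
        else:
            lines.append(f"OK       {path}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <path\\to\\winchecksec.exe> <directory>")
    print("\n".join(format_findings(scan_directory(sys.argv[1], sys.argv[2]))))
```

Keeping the parsing and policy logic (parse_report, missing_mitigations) separate from the subprocess call means the policy can be unit-tested against saved JSON reports without a Windows box, and the "expected" tuple is the one place to change when a different baseline (for example, also requiring safeSEH on 32-bit binaries) is wanted.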

Copyright 2018 Trail of Bits, Inc.
Source: https://github.com/trailofbits/
