winchecksec v3.1 released: performs static detection of common Windows security features
winchecksec performs static detection of common Windows security features. Developed to satisfy our analysis and research needs, it aims to surpass current open-source security feature detection tools in depth, accuracy, and performance without sacrificing simplicity.
Features
- Address-space layout randomization (ASLR) and 64-bit-aware high-entropy ASLR (HEASLR)
- Authenticity/integrity protections (Authenticode, Forced Integrity)
- Data Execution Prevention (DEP), better known as W^X or No eXecute (NX)
- Manifest isolation
- Structured Exception Handling (SEH) and SafeSEH
- Control Flow Guard (CFG) and Return Flow Guard (RFG)
- Guard Stack (GS), better known as stack cookies or canaries
Install
    git clone https://github.com/trailofbits/winchecksec.git
    cd winchecksec
    mkdir build
    cd build
    cmake -G "Visual Studio 15 2017 Win64" ..
    cmake --build . --config Release
    .\Release\winchecksec.exe C:\Windows\notepad.exe
Use
winchecksec has two output modes: a plain-text mode for easy reading, and a JSON mode for consumption in other programs. The plain-text mode is the default; JSON output is enabled by passing -j.
winchecksec only takes one file at a time. To run it on multiple files or entire directories, wrap it in a loop.
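One way to write that loop, as an added example (not code from the winchecksec project): it calls winchecksec in JSON mode once per file and keeps going when a file fails. It assumes winchecksec.exe is on PATH, that a non-zero exit code means the file could not be analysed, and that .exe, .dll and .sys are the files of interest; the JSON is stored as parsed, without assuming its field names.

```python
import json
import subprocess
from pathlib import Path

# Assumption: which extensions to treat as PE files worth scanning.
PE_SUFFIXES = {".exe", ".dll", ".sys"}


def run_winchecksec(path, exe="winchecksec.exe"):
    """Run winchecksec in JSON mode (-j) on one file; return (exit_code, stdout)."""
    proc = subprocess.run([exe, "-j", str(path)], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def scan_tree(root, runner=run_winchecksec):
    """Invoke winchecksec once per PE file under root (it takes one file per run).

    Returns (reports, failures): reports maps path -> parsed JSON output,
    failures maps path -> reason, so one unreadable file does not end the scan.
    """
    reports, failures = {}, {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PE_SUFFIXES:
            continue
        code, out = runner(path)
        if code != 0:  # assumption: non-zero exit means analysis failed
            failures[str(path)] = f"exit code {code}"
            continue
        try:
            reports[str(path)] = json.loads(out)
        except json.JSONDecodeError as err:
            failures[str(path)] = f"unparseable JSON: {err.msg}"
    return reports, failures


if __name__ == "__main__":
    import sys

    reports, failures = scan_tree(sys.argv[1])
    json.dump({"reports": reports, "failures": failures}, sys.stdout, indent=2)
```

Passing a different `runner` lets the loop be exercised without the binary present, for example in CI on a non-Windows host.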
Copyright 2018 Trail of Bits, Inc.
Source: https://github.com/trailofbits/