#
# Get-HardenFlags - Checks hardening flags on the binaries.
#
# Copyright 2015 Graham Bloice <graham.bloice@trihedral.com>
#
# Wireshark - Network traffic analyzer
# By Gerald Combs <gerald@wireshark.org>
# Copyright 1998 Gerald Combs
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#requires -version 2
# Get-HardenFlags does:
# call the dumpbin utility to get the binary header flags
# on all the binaries in the distribution, and then filters
# for the NXCOMPAT and DYNAMICBASE flags.
# This script will probably fail for the foreseeable future.
#
# Many of our third-party libraries are compiled using MinGW-w64. Its version
# of `ld` doesn't enable the dynamicbase, nxcompat, or high-entropy-va flags
# by default. When you *do* pass --dynamicbase it strips the relocation
# section of the executable:
#
# https://sourceware.org/bugzilla/show_bug.cgi?id=19011
#
# As a result, none of the distributions that produce Windows applications
# and libraries have any sort of hardening flags enabled:
#
# http://mingw-w64.org/doku.php/download
#
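<#
.SYNOPSIS
Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.

.DESCRIPTION
This script runs "dumpbin /HEADERS" on every .exe and .dll found under
BinaryDir and reports each binary whose header does not list both
"NX compatible" and "Dynamic base". Only these two flags are checked;
other mitigations (for example high-entropy VA) are not.

.PARAMETER BinaryDir
Specifies the directory where the binaries may be found.

.INPUTS
-BinaryDir Directory containing the binaries to be checked.

.OUTPUTS
Any binary that doesn't have the flags is written to the error stream
(one relative path per line). The exit code is the number of such binaries,
so 0 means every binary found carries both flags.

.EXAMPLE
C:\PS> .\tools\Get-HardenFlags.ps1 -BinaryDir run\RelWithDebInfo
#>

Param(
    [Parameter(Mandatory=$true, Position=0)]
    [String]
    $BinaryDir
)

# Fail loudly if the directory is missing. Otherwise the scan finds nothing
# and exits 0, which a build job would read as "everything is hardened".
$ResolvedDir = (Resolve-Path -Path $BinaryDir -ErrorAction Stop).ProviderPath

# Without dumpbin every binary would be reported as unhardened, which hides
# the real cause. Stop with a clear message instead.
if (-not (Get-Command dumpbin -ErrorAction SilentlyContinue)) {
    throw "dumpbin was not found on the PATH; run this from a Visual Studio command prompt."
}

# Number of "soft" binaries found
$Count = 0

# CD into the bindir, allows Resolve-Path to work in relative mode.
# The path is resolved to an absolute one above, so a relative -BinaryDir
# still points at the same directory after the location change.
Push-Location $ResolvedDir
try {
    # Retrieve the list of binaries. -Filter is quicker than -Include, but can only handle one item
    $Binaries = @(Get-ChildItem -Path $ResolvedDir -Recurse -Include *.exe,*.dll)

    if ($Binaries.Count -eq 0) {
        # An empty scan still exits 0; make that visible to whoever reads the log.
        Write-Warning "No .exe or .dll files found under $ResolvedDir"
    }

    # Iterate over the list
    $Binaries | ForEach-Object {
        $File = $_

        # Get the flags
        $Headers = & dumpbin $File.FullName /HEADERS

        # Check for the required flags. Each flag is tested on its own so that
        # two hits for one flag cannot stand in for the other. A binary that
        # dumpbin cannot read produces no matches and is reported as soft.
        $HasNx = $false
        $HasDynamicBase = $false
        if ($Headers) {
            $HasNx = [bool]($Headers | Select-String -SimpleMatch -Pattern "NX compatible" -Quiet)
            $HasDynamicBase = [bool]($Headers | Select-String -SimpleMatch -Pattern "Dynamic base" -Quiet)
        }

        if (-not ($HasNx -and $HasDynamicBase)) {
            # Write-Error outputs error records, we simply want the filename
            [Console]::Error.WriteLine((Resolve-Path -LiteralPath $File.FullName -Relative))
            $Count++
        }
    }
}
finally {
    # Restore the caller's working directory even if the scan failed.
    Pop-Location
}

exit $Count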