Skip to content
/ checksecc Public

The checksecc is a c rewrite of checksec and has some highlights. It retains all the core functionality of checksec,you can operate on it just like the original.

License

MIT license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

fuxxcss/checksecc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
include
include
 
 
lib
lib
 
 
srcs
srcs
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

checksecc

why

checksec.sh is a linux specified gadget,because it used Shell and readelf. If you need to check pe, elf in other place, maybe you need checksecc.

introduction

The checksecc is a c rewrite of checksec and has some highlights. It retains all the core functionality of checksec,you can operate on it just like the original.we removed some uncommon features and added some useful features.

> checkc -h or just checkc
Usage: checkc [OPTION] [--format={cli,csv,xml,json}]

      Options:
      ## Checksecc Options
      --file={file}
      --dir={directory}
      --file-list={file list separated by *}
      --proc-list={proc list separated by *}
      --proc-id={process ID}
      --kernel
      --version
      --help

     ## Modifiers
      --format={cli,csv,xml,json}
      --extended

For more information, see:
/~https://github.com/fuxxcss/checksecc

install

install checksecc by release:

release 1.0 now.

install checksecc by source:

cd srcs
make && make install

if you need to update , make clean first

make clean

check one elf file

For example , we compile one file with gcc features.

> gcc -z now -fstack-protector-all test.c -o test

And then use checkc to check this file.

> checkc --file=./test
File                        ./test
RELRO                       Full RELRO
STACK CANARY                Canary found
NX                          NX enabled
PIE                         PIE enabled
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Not Stripped
Frame Pointer               Not Omit

For example , we compile one file with clang features.

> clang -fsanitize=address test.c -o test

And then use checkc to check this file with extended features.

> checkc --file=./test --extended
File                        ./test
RELRO                       Partial RELRO
STACK CANARY                No Canary found
NX                          NX enabled
PIE                         PIE enabled
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Not Stripped
Frame Pointer               Not Omit
Sanitized asan              Yes
Sanitized tsan              NO
Sanitized msan              NO
Sanitized lsan              Yes
Sanitized ubsan             Yes
Sanitized dfsan             NO
Sanitized safestack         NO
Sanitized cet-ibt           NO
Sanitized cet-shadow-stack  NO
Fortified                   FORTIFY SOURCE support available (/lib/x86_64-linux-gnu/libc.so.6) : Yes
Fortified                   Binary compiled with FORTIFY SOURCE support (./test) : Yes
Fortified                   __sprintf_chk Fortified
Fortified                   __longjmp_chk Fortified
Fortified                   __fprintf_chk Fortified
Fortified                   __vsprintf_chk Fortified
Fortified                   __snprintf_chk Fortified
Fortified                   __vsnprintf_chk Fortified

check one dynamic elf.

> checkc --file=./libchkc.so
File                        ./libchkc.so
RELRO                       Partial RELRO
STACK CANARY                No Canary found
NX                          NX enabled
PIE                         DSO
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Stripped
Frame Pointer               Not Omit

check file list

We need delim * to check file list

> checkc --file-list=test*test1*
File                        test
RELRO                       Partial RELRO
STACK CANARY                No Canary found
NX                          NX enabled
PIE                         PIE enabled
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Not Stripped
Frame Pointer               Not Omit

File                        test1
RELRO                       Partial RELRO
STACK CANARY                No Canary found
NX                          NX enabled
PIE                         PIE enabled
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Stripped
Frame Pointer               NULL

check the kernel

For example , we check Linux debian 5.10.0-20-amd64.

> checkc --kernel
Kconfig                     /boot/config-5.10.0-20-amd64
User ASLR                   LEVEL 2
Kernel ASLR                 Enabled
Kernel NX                   Enabled
Kernel Stack Canary         Strong
Kernel Stack Poison         Disabled
Slab Freelist Hardened      Enabled
Slab Freelist Random        Enabled
SMAP                        Enabled
PTI                         Enabled

check one process

we focus on selinux and seccomp.

> ps -aux | grep upowerd
root        1273  0.0  0.1 320404  8828 ?        Ssl  Jan23   0:01 /usr/libexec/upowerd
> checkc --proc-id=1273
PID                         1273
Selinux                     No Selinux
SECCOMP                     Seccomp-bpf
File                        /usr/libexec/upowerd
RELRO                       Full RELRO
STACK CANARY                Canary found
NX                          NX enabled
PIE                         PIE enabled
RPATH                       NO RPATH
RUNPATH                     NO RUNPATH
Stripped                    Stripped
Frame Pointer               NULL

format output

cli is default.

> checkc --file=./test -format=csv
./test,Partial RELRO,No Canary found,NX enabled,PIE enabled,NO RPATH,NO RUNPATH,Not Stripped,Not Omit
> checkc --file=./test -format=xml
<?xml version="1.0" encoding="UTF-8"?>
<File="./test" RELRO="Partial RELRO" STACK CANARY="No Canary found" NX="NX enabled" PIE="PIE enabled" RPATH="NO RPATH" RUNPATH="NO RUNPATH" Stripped="Not Stripped" Frame Pointer="Not Omit" />
> checkc --file=./test -format=json
{"./test":{"RELRO":"Partial RELRO","STACK CANARY":"No Canary found","NX":"NX enabled","PIE":"PIE enabled","RPATH":"NO RPATH","RUNPATH":"NO RUNPATH","Stripped":"Not Stripped","Frame Pointer":"Not Omit"}}

version information

> checkc -v
checksecc v1.0,fuxxcss
/~https://github.com/fuxxcss/checksecc

ToDo

todo in version 2.0:

1. `pe` check
2. `windows` check

About

The checksecc is a c rewrite of checksec and has some highlights. It retains all the core functionality of checksec,you can operate on it just like the original.

Topics

config c linux open-source security binary code coding security-tools checksec

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 3

v1.0 stable Latest
Jan 24, 2025
+ 2 releases

Packages

No packages published

Languages