build/win32/autowinchecksec.py

   1 #!/usr/bin/env python
   2
   3 # This Source Code Form is subject to the terms of the Mozilla Public
   4 # License, v. 2.0. If a copy of the MPL was not distributed with this
   5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
   6
   7 # run the Winchecksec tool (https://github.com/trailofbits/winchecksec)
   8 # against a given Windows binary.
   9
  10 import json
  11 import subprocess
  12 import sys
  13
  14 import buildconfig
  15
  16 # usage
  17 if len(sys.argv) != 2:
  18     print("""usage : autowinchecksec.by path_to_binary""")
  19     sys.exit(0)
  20
  21 binary_path = sys.argv[1]
  22
  23 # execute winchecksec against the binary, using the WINCHECKSEC environment
  24 # variable as the path to winchecksec.exe
  25 try:
  26     winchecksec_path = buildconfig.substs["WINCHECKSEC"]
  27 except KeyError:
  28     print(
  29         "TEST-UNEXPECTED-FAIL | autowinchecksec.py | WINCHECKSEC environment variable is "
  30         "not set, can't check DEP/ASLR etc. status."
  31     )
  32     sys.exit(1)
  33
  34 wine = buildconfig.substs.get("WINE")
  35 if wine and winchecksec_path.lower().endswith(".exe"):
  36     cmd = [wine, winchecksec_path]
  37 else:
  38     cmd = [winchecksec_path]
  39
  40 try:
  41     result = subprocess.check_output(cmd + ["-j", binary_path], universal_newlines=True)
  42
  43 except subprocess.CalledProcessError as e:
  44     print(
  45         "TEST-UNEXPECTED-FAIL | autowinchecksec.py | Winchecksec returned error code %d:\n%s"
  46         % (e.returncode, e.output)
  47     )
  48     sys.exit(1)
  49
  50
  51 result = json.loads(result)
  52
  53 checks = [
  54     "aslr",
  55     "cfg",
  56     "dynamicBase",
  57     "gs",
  58     "isolation",
  59     "nx",
  60     "seh",
  61 ]
  62
  63 if buildconfig.substs["CPU_ARCH"] == "x86":
  64     checks += [
  65         "safeSEH",
  66     ]
  67 else:
  68     checks += [
  69         "highEntropyVA",
  70     ]
  71
  72 failed = [c for c in checks if result.get(c) is False]
  73
  74 if failed:
  75     print(
  76         "TEST-UNEXPECTED-FAIL | autowinchecksec.py | Winchecksec reported %d error(s) for %s"
  77         % (len(failed), binary_path)
  78     )
  79     print(
  80         "TEST-UNEXPECTED-FAIL | autowinchecksec.py | The following check(s) failed: %s"
  81         % (", ".join(failed))
  82     )
  83     sys.exit(1)
  84 else:
  85     print("TEST-PASS | autowinchecksec.py | %s succeeded" % binary_path)