forked from neurobin/shc
shc.1
.\" Automatically generated by Pandoc 3.3
.\"
.TH "shc" "1" "August 19, 2024" "shc user manual"
.SH NAME
shc \- Generic shell script compiler
.SH SYNOPSIS
\f[B]shc\f[R] [ \-e \f[I]DATE\f[R] ] [ \-m \f[I]MESSAGE\f[R] ] [ \-i
\f[I]IOPT\f[R] ] [ \-x \f[I]CMD\f[R] ] [ \-l \f[I]LOPT\f[R] ] [ \-o
\f[I]OUTFILE\f[R] ] [ \-2ABCDHpPSUhrv ] \-f \f[I]SCRIPT\f[R]
.SH DESCRIPTION
\f[B]shc\f[R] creates a stripped binary executable version of the script
specified with \f[CR]\-f\f[R] on the command line.
.PP
The binary version will get a \f[CR].x\f[R] extension appended by
default if \f[I]OUTFILE\f[R] is not specified with the
[\-o \f[I]OUTFILE\f[R]] option, and will usually be a bit larger than
the original ASCII script.
The generated C source code is saved in a file with the extension
\f[CR].x.c\f[R] or in a file specified with the appropriate option.
.PP
If you provide an expiration DATE with the \f[CR]\-e\f[R] option, the
compiled binary will refuse to run after the date specified.
The message \f[B]Please contact your provider\f[R] will be displayed
instead.
This message can be changed with the \f[CR]\-m\f[R] option.
.PP
You can compile any kind of shell script, but you need to supply valid
\f[CR]\-i\f[R], \f[CR]\-x\f[R] and \f[CR]\-l\f[R] options.
.PP
The compiled binary will still require the shell specified in the first
line of the shell code (e.g.\ \f[CR]#!/bin/sh\f[R]) to be available on
the system.
Therefore \f[B]shc\f[R] does not create completely independent
binaries; it mainly obfuscates the source script.
.PP
\f[B]shc\f[R] itself is not a compiler such as cc; rather, it encodes
and encrypts a shell script and generates C source code with the added
expiration capability.
It then uses the system compiler to compile a stripped binary which
behaves exactly like the original script.
Upon execution, the compiled binary will decrypt and execute the code
with the shell \f[CR]\-c\f[R] option.
It will not give you the speed improvement that a real C program would.
.PP
\f[B]shc\f[R]\[cq]s main purpose is to protect your shell scripts from
modification or inspection.
You can use it if you wish to distribute your scripts but don\[cq]t want
them to be easily readable by other people.
.SH OPTIONS
.TP
\-e \f[I]DATE\f[R]
Expiration date in \f[I]dd/mm/yyyy\f[R] format \f[CR][none]\f[R]
.TP
\-m \f[I]MESSAGE\f[R]
Message to display upon expiration
\f[CR][\[dq]Please contact your provider\[dq]]\f[R]
.TP
\-f \f[I]SCRIPT\f[R]
File path of the script to compile
.TP
\-P
Use a pipe to feed the script, with ARGV fixes.
Enabled automatically for \f[CR]python\f[R], \f[CR]perl\f[R] and
\f[CR]csh\f[R].
.TP
\-p
Use a pipe to feed the script, without ARGV fixing.
.TP
\-i \f[I]IOPT\f[R]
Inline option for the shell interpreter, e.g. \f[CR]\-e\f[R]
.TP
\-x \f[I]CMD\f[R]
eXec command, as a printf format, e.g.
\f[CR]exec(\[rs]\[rs]\[aq]%s\[rs]\[rs]\[aq],\[at]ARGV);\f[R]
.TP
\-l \f[I]LOPT\f[R]
Last shell option, e.g. \f[CR]\-\-\f[R]
.TP
\-o \f[I]OUTFILE\f[R]
Output to the file specified by OUTFILE
.TP
\-r
Relax security.
Make a redistributable binary which executes on different systems
running the same operating system.
You can release your binary with this option for others to use.
.TP
\-v
Verbose compilation
.TP
\-S
Enable setuid for root callable programs
.TP
\-D
Enable debug (show exec calls, etc.)
.TP
\-U
Make binary execution untraceable (using \f[I]strace\f[R],
\f[I]ptrace\f[R], \f[I]truss\f[R], etc.)
.TP
\-H
Hardening.
Extra security flag without root access requirement that protects
against dumping, code injection, \f[CR]cat /proc/pid/cmdline\f[R],
\f[CR]ptrace\f[R], etc\&...
This feature is \f[B]experimental\f[R] and may not work on all systems.
It requires Bourne shell (sh) scripts.
.TP
\-C
Display license and exit
.TP
\-A
Display abstract and exit
.TP
\-2
Use \f[CR]mmap2\f[R] system call.
.TP
\-B
Compile for BusyBox
.TP
\-h
Display help and exit
.SH ENVIRONMENT VARIABLES
These can be used to provide options to the GCC Compiler.
Examples: static compilation, machine architecture, sanitize options.
.TP
CC
C compiler command \f[CR][cc]\f[R]
.TP
CFLAGS
C compiler flags \f[CR][none]\f[R]
.TP
LDFLAGS
Linker flags \f[CR][none]\f[R]
.SH EXAMPLES
Compile a script which can be run on other systems with the trace option
enabled (without \f[CR]\-U\f[R] flag):
.IP
.EX
shc \-f myscript \-o mybinary
.EE
.PP
Compile an untraceable binary:
.IP
.EX
shc \-Uf myscript \-o mybinary
.EE
.PP
Compile an untraceable binary that doesn\[cq]t require root access
(experimental):
.IP
.EX
shc \-Hf myscript \-o mybinary
.EE
.SH LIMITATIONS
The maximum size of the script that can be executed once compiled is
limited by the operating system configuration parameter
\f[CR]_SC_ARG_MAX\f[R] (see sysconf(2)).
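.PP
A pre-flight check for the two runtime constraints described in this page, the interpreter named on the script's first line and the \f[CR]_SC_ARG_MAX\f[R] size limit, written as an added example that is not part of shc.
The function name \f[CR]shc_preflight\f[R] and its return codes are assumptions made for this sketch; it counts the current environment against the limit because the environment shares that space with the arguments at exec time.

```shell
#!/bin/sh
# Added example, not part of shc. Return codes are constructed for this sketch:
#   0 ok, 2 unreadable, 3 no #! line, 4 interpreter missing, 5 too large.
# Usage: shc_preflight myscript && shc -f myscript -o mybinary
shc_preflight() {
    script=$1
    # Defaults to the system ARG_MAX; an explicit byte limit may be passed.
    limit=${2:-$(getconf ARG_MAX)}

    [ -r "$script" ] || { echo "cannot read: $script" >&2; return 2; }

    # The compiled binary still needs the shell named on the first line.
    first=$(head -n 1 "$script")
    case $first in
        '#!'*) ;;
        *) echo "no #! line in $script" >&2; return 3 ;;
    esac

    # Isolate the interpreter path: drop "#!", leading spaces, then options.
    interp=${first#'#!'}
    interp=${interp#"${interp%%[! ]*}"}
    interp=${interp%% *}
    [ -x "$interp" ] || {
        echo "interpreter not executable here: $interp" >&2
        return 4
    }

    # The decrypted script is handed to the shell as an argument, so its
    # size plus the environment must stay below the limit.
    size=$(wc -c < "$script")
    envsize=$(env | wc -c)
    if [ $((size + envsize)) -ge "$limit" ]; then
        echo "script ($size bytes) + environment ($envsize bytes)" \
             "reaches the limit of $limit bytes" >&2
        return 5
    fi

    echo "ok: $script ($size bytes, interpreter $interp)"
    return 0
}
```

Run the same check on the target host as well, since both the interpreter path and the limit are properties of the system where the binary executes.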
.SH MAIN AUTHORS
Francisco Rosales \c
.MT frosal@fi.upm.es
.ME \c
\ Md Jahidul Hamid \c
.MT jahidulhamid@yahoo.com
.ME \c
.PP
Note: Do not contact them; they are no longer actively involved.
.SH REPORT BUGS TO
https://github.com/NextSHC/shc/issues