Shulou(Shulou.com)06/02 Report--

This article focuses on "hiding the content of shell script tool shc analysis", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "shc Analysis, a tool for hiding the content of shell scripts".

Students engaged in Linux development often need to write shell scripts, sometimes some sensitive content is involved in the script, such as some IP address, user name and password, etc., or there is some key code in the script, all of which you do not want others to read or modify. Further, you want to set the expiration time of the script. After the specified time, the script cannot be used.

Is there any way to implement the above requirements without changing the content, function, and execution of the script?

The answer is: yes, under Linux, we can use shc to hide the content of shell scripts and set the expiration time.

Brief introduction

Shc is a general-purpose shell script compiler that compiles shell scripts into executable binaries. Its function and execution are no different from the original script.

Unlike the gcc compiler, shc does not convert the script source code into machine code, it just generates a C language code that contains the encrypted original shell script and adds an expiration function to it, and then compiles the C code into an executable binary file through the gcc compiler

Installation

Currently, shc is already included in the repository of most Linux distributions. You only need to use the default package manager to install it. The specific installation commands are as follows:

Yum install shc

Enter the shc-v command, and the following output indicates that the installation was successful

[root@ecs-centos-7 shc_test] # shc-vshc parse (- f): No source file specifiedshc Usage: shc [- e date] [- m addr] [- I iopt] [- x cmnd] [- l lopt] [- o outfile] [- rvDSUHCABh]-f script Common options

Here are some of the options commonly used by shc and their descriptions

Option description-f shell script file to be compiled-o specifies the binary file generated by compilation-e sets the expiration time, after the format date / month / year-m expires, the prompt when executing the script-v outputs the process of compiling the shell script-r compiles to generate a redistributable binary compilation script

After the sehll script is compiled into an executable binary file, you only need to provide the binary file to the executor, so that the executor cannot know the original script code, thus achieving the purpose that others cannot read and modify the code.

Create a new func.sh script and add the following to it:

Whether / bin/bash# is a valid password valid_passwd () {if ["$1" = = "123"]; then echo 1 else echo 0 fi} # get the maximum number of max_num () {echo 100} # Log in to the remote machine login () {sshpass-p '123456' ssh test@192.168.70.20} # version number ver () {echo" 1.0 "} if [$#-ne 0] Then name= "$1" shift 1 ${name} "$@" fi

Execute the following command to compile the func.sh script

Shc-rf func.sh-o func.bin

After compilation, three files appear in the current directory

[root@ecs-centos-7 shc_test] # ll-rwxrwxr-x 1 root root 11640 July 1 00:24 func.bin-rw-r--r-- 1 root root 373 July 1 00:19 func.sh-rw-r--r-- 1 root root 19811 July 1 00:24 func.sh.x.c

Func.sh is the original script file, func.sh.x.c is the generated c language code, and func.bin is the generated executable binary file. It is used in the same way as the original script.

Note: the compiled binary func.bin must specify the-r option if you want it to run on other machines.

Use the file command to view func.bin and func.sh.x.c, respectively, and the results are as follows:

The script provides four interfaces: valid_passwd, max_num, login and ver. The function of each interface has been indicated in the script. / func.bin API name interface parameter list is used. The following two examples show how to use the script.

Example 1

Execute the. / func.bin ver and. / func.sh ver commands, respectively, and the results are as follows

As can be seen from the above picture, the final result is the same whether it is in script or binary.

Example 2

Execute the. / func.bin login command, and the result is as follows

When the login parameter is passed in, the login function in the func.sh script is executed, which is used to log in to the remote machine using SSH. Sshpass in the function body is a tool that automatically populates the SSH login password.

As you can see from the result, after executing the. / func.bin login command, log in to the / home/test directory of the machine with ip 192.168.70.20, and then type exit to return to the directory of the current machine from the remote machine.

The purpose of compiling func.sh scripts into func.bin binaries is to hide some sensitive information in the script files, such as SSH user test, IP address 192.168.70.20 and password 123456 in the script.

Set expiration time

In addition to compiling the script into binary, shc can also set the expiration time for binary. Let's take the func.sh script as an example.

Execute the shc-e 25 The script is expired 6Accord 2021-m "The script is expired, Please contact test@qq.com"-rf func.sh-o func.bin command to set the expiration time of the script to June 25, 2021, and the script prompt after execution expiration to "The script is expired, Please contact test@qq.com"

Then, execute the. / func.bin ver command to test, and the results are as follows

As you can see from the above picture, after the script has set the expiration time, executing the script again will prompt that it has expired.

How to reference a binary script

After func.sh is compiled into binary, the way other scripts refer to it also needs to be adjusted. The original way of using source. / func.sh needs to be modified, because fun.sh has changed from the original ASICII file to binary file. Here is an example of shell script referencing binary script func.bin.

Create a new test_func.sh script with the following content:

#! / bin/bash# calls valid_passwd function ret=$ (. / func.bin valid_passwd 123) if [$ret-eq 1]; then echo "passwd ok" fi# calls valid_passwd function ret=$ (. / func.bin valid_passwd 124) if [$ret-eq 1] Then echo "passwd ok" else echo "passwd fail" fi# calls max_num function ret=$ (. / func.bin max_num) echo "max_num:" $ret# calls ver function ret=$ (. / func.bin ver) echo "version:" $ret

Execute the. / test_func.sh command, and the result is as follows

As can be seen from the above figure, the test_func.sh script calls the valid_passwd, max_num and ver functions in the binary file fun.bin respectively. According to the content of the func.sh script, you can determine that the output of the result is correct.

From this example, it can be concluded that ordinary scripts can also use binary scripts normally.

Security.

The encryption type used by shc is a variant called RC4 stream cipher, which has been proved to have a weakness and the possibility of being cracked.

Especially in shc, the key is carried into the encryption script itself, so it is possible to crack the key through disassembly and then restore the original script through the key

Therefore, we should not rely on the security of shc encryption, but regard it more as a tool for hiding or confusing the content of shell scripts.

At this point, I believe you have a deeper understanding of "shc Analysis, a tool for hiding the content of shell scripts". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.