microsoft/binskimPublic

NotificationsYou must be signed in to change notification settings
Fork164
Star816

A binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats

License

View license

816 stars 164 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 927 Commits
.devcontainer		.devcontainer
.github		.github
.nuget		.nuget
.vscode		.vscode
docs		docs
refs		refs
scripts		scripts
src		src
.gitattributes		.gitattributes
.gitignore		.gitignore
BinSkim.png		BinSkim.png
BuildAndTest.cmd		BuildAndTest.cmd
BuildAndTest.sh		BuildAndTest.sh
BuildPackages.cmd		BuildPackages.cmd
CreatePackagesFromLayoutDirectory.cmd		CreatePackagesFromLayoutDirectory.cmd
DelistCurrentPackages.cmd		DelistCurrentPackages.cmd
LICENSE		LICENSE
NuGet.Config		NuGet.Config
PublishSignedPackages.cmd		PublishSignedPackages.cmd
README.md		README.md
ReleaseHistory.md		ReleaseHistory.md
SECURITY.md		SECURITY.md
SetCurrentVersion.cmd		SetCurrentVersion.cmd
ado-build.yml		ado-build.yml

Repository files navigation

BinSkim Binary Analyzer

This repository contains the source code for BinSkim, a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics.

For Developers

Fork the repository --Need Help?
Read theRule Contributions Guide
Load and compilesrc\BinSkim.sln to develop changes for contribution.
Execute BuildAndTest.cmd at the root of the enlistment to validate before submitting a PR.

Submit Pull Requests

RunBuildAndTest.cmd at the root of the enlistment to ensure that all tests pass, release build succeeds, and NuGet packages are created
Submit a Pull Request to the 'develop' branch --Need Help?

For Users

Download BinSkim fromNuGet
Read theUser Guide
Find out more about the Static Analysis Results Interchange Format(SARIF) used to output Binskim results

How to extract the exe file from the nuget package

If you only want to run the Binskim tool without installing anything, then you can

Download BinSkim fromNuGet
Rename the file extension from .nupkg to .zip (ie. via commandline:rename microsoft.codeanalysis.binskim.x.y.z.nupkg microsoft.codeanalysis.binskim.x.y.z.zip)
Unzip
Executable files are now available in the OS specific folder withintools\netcoreapp3.1 (ie. linux-x64, win-x64, and osx-x64).
Navigate to this location to invoke the executable:
- Windows:binskim.exe analyze c:\bld\*.dll --recurse true --output MyRun.sarif
- Linux/Unix:./BinSkim analyze /someDirectory/testBinary -o MyRun.sarif
- Mac:./BinSkim analyze /someDirectory/testBinary -o MyRun.sarif
- Using dotnet sdk:dotnet binskim.dll analyze /directoryPath/testBinary -o MyRun.sarif

Command-Line Quick Guide

Argument (short form, long form)	Meaning
`--trace`	Execution traces, expressed as a semicolon-delimited list enclosed in double quotes, that should be emitted to the console and log file (if appropriate). Valid values: PdbLoad, ScanTime, RuleScanTime, PeakWorkingSet, TargetsScanned, ResultsSummary.
`--sympath`	Symbol paths, expressed as a semicolon-delimited list enclosed in double quotes. (e.g.`SRVhttps://msdl.microsoft.com/download/symbols` or`Cached:\symbols;Srv*https://symweb`) Seehttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/advanced-symsrv-use for syntax information.
`--local-symbol-directories`	Local directory paths, expressed as a semicolon-delimited list enclosed in double quotes, that will be examined when attempting to locate PDBs.
`-o, --output`	File path used to write and output analysis usingSARIF
`-r, --recurse [true\|false]`	If true, recurse into subdirectories when evaluating file specifier arguments
`-c, --config`	(Default: ‘default’) Path to policy file to be used to configure analysis. Passing value of 'default' (or omitting the argument) invokes built-in settings
`-q, --quiet [true\|false]`	If true, do not log results to the console
`-s, --statistics`	Generate timing and other statistics for analysis session
`--insert`	Optionally present data, expressed as a semicolon-delimited list enclosed in double quotes, that should be inserted into the log file. Valid values include Hashes, TextFiles, BinaryFiles, EnvironmentVariables, RegionSnippets, ContextRegionSnippets, ContextRegionSnippetPartialFingerprints, Guids, VersionControlDetails, and NondeterministicProperties.
`-e, --environment [true\|false]`	If true, log machine environment details of run to output file. WARNING: This option records potentially sensitive information (such as all environment variable values) to the log file.
`-p, --plugin`	Paths to plugin, expressed as a semicolon-delimited list enclosed in double quotes, that will be invoked against all targets in the analysis set.
`--rich-return-code [true\|false]`	If true, output a more detailed exit code consisting of a series of flags about execution, rather than outputting '0' for success/'1' for failure (see codes below)
`--level`	Failure levels, expressed as a semicolon-delimited list enclosed in double quotes, that is used to filter the scan results. Valid values: Error, Warning and Note.
`--kind`	Result kinds, expressed as a semicolon-delimited list enclosed in double quotes, that is used to filter the scan results. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational.
`--baseline`	A Sarif file to be used as baseline.
`--help`	Table of argument information.
`--version`	BinSkim version details.
`value pos. 0`	One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze.