Shc (shell script compiler)


shc is a shell script compiler for Unix-like operating systems written in the C programming language. The Shell Script Compiler encodes and encrypts shell scripts into executable binaries. Compiling shell scripts into binaries provides protection against accidental changes and source code modification, and is a way of hiding shell script source code.

Mechanism

shc takes a shell script, specified on the command line with the -f option, and produces C source code for the script with added encryption. The generated source code is then compiled and linked to produce a binary executable. It is a two-step process: first, shc creates a filename.x.c file from the shell script file filename; then that file is compiled with cc -$CFLAGS filename.x.c to create the binary from the C source code with the default C compiler.
The compiled binary will still be dependent on the shell specified in the shebang, thus shc does not create completely independent binaries.
shc itself is not a compiler in the sense that the C compiler is; rather, it encodes and encrypts a shell script and generates C source code with the added expiration capability. It then uses the system C compiler to compile the generated source and build a stripped binary which behaves exactly like the original script. Upon execution, the compiled binary decrypts the code and executes it with the shell's -c option.
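The run-time step above, seen from the defender's side, as an added example that is not part of shc or of the original page: text handed to a shell through -c sits in that process's argument vector, which Linux exposes as NUL-separated bytes in /proc/<pid>/cmdline. The sketch lists shell processes whose inline script is readable that way. The function names, the shell list and the sample entries are assumptions constructed for illustration.

```python
import os

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}  # assumed list; extend as needed

def split_cmdline(raw):
    """/proc/<pid>/cmdline stores argv as NUL-terminated byte strings."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return raw.split(b"\0") if raw else []

def inline_script(exe, raw):
    """Return the text handed to a shell via -c, or None if there is none."""
    if os.path.basename(exe) not in SHELLS:
        return None  # e.g. "grep -c" is not a shell invocation
    argv = split_cmdline(raw)
    for i in range(1, len(argv) - 1):
        if argv[i] == b"-c":
            return argv[i + 1].decode("utf-8", "replace")
    return None

def scan(entries):
    """Map pid -> visible script text for (pid, exe, raw_cmdline) entries."""
    hits = ((pid, inline_script(exe, raw)) for pid, exe, raw in entries)
    return {pid: text for pid, text in hits if text is not None}

def live_entries(proc="/proc"):
    """Yield (pid, exe, raw_cmdline) for processes we are allowed to read."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, name, "exe"))
            with open(os.path.join(proc, name, "cmdline"), "rb") as fh:
                yield int(name), exe, fh.read()
        except OSError:
            continue  # process exited, kernel thread, or permission denied

# Constructed sample data (not captured from a real system).
SAMPLE = [
    (101, "/bin/bash",
     b"./backup.x\0-c\0#!/bin/bash\necho start\nrsync -a /src /dst\n\0./backup.x\0"),
    (102, "/usr/bin/grep", b"grep\0-c\0error\0/var/log/syslog\0"),
    (103, "/bin/dash", b"dash\0/usr/local/bin/job.sh\0"),
]

if __name__ == "__main__":
    entries = live_entries() if os.path.isdir("/proc/self") else SAMPLE
    for pid, text in scan(entries).items():
        print(pid, repr(text))
```

Only the first sample entry is reported: the grep process is not a shell, and the dash process runs a script file rather than inline text.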

Versions

Version, Release date, Changes

01-Jul-2019
  • Enhance -H flag
  • Remove -s flag
01-Jul-2019
  • Fix typo
  • Fix NULL-ptr dereference in shll string
20-Nov-2018
  • Add LDFLAGS environment variable
17-Nov-2018
  • Add -H option for extra security without root. It protects against dumping, code injection, `cat /proc/pid/cmdline`, ptrace, etc.
  • Add -s option to force single process for hardening features.
  • dash support
12-Nov-2018
  • Add setuid option -S
12-Nov-2018
  • Fix -U option not working on macOS
05-Jun-2017
  • Fix shc causes exec output and aborts processing of bash scripts.
31-May-2017
  • Fix running shc compiled binary in different shell
17-May-2017
  • Fix executable not working on Debian
31-Jul-2016
  • zsh support
  • Fix shc not working with ksh 93u+
25-Aug-2015
  • Added BusyBox support with patch.
03-Apr-2015
  • Renamed option -T to -U and reversed its logic.
02-Apr-2015
  • Added output file option with and fixed bug on make install
shc-3.8.9, 04-Dec-2013
  • Fixing a long-standing bug making the source not hidden.
shc-3.8.7, 10-Feb-2010
  • Bug on 64bit systems with expiration dates.
shc-3.8.5, 10-Feb-2010
  • Fixed untraceable problems on FreeBSD.
shc-3.8.3, 10-Jul-2006
  • Fixed bug: "vfork" fails on multiprocessor systems.
shc-3.8.2, 06-Jul-2006
  • Fixed bug: "rlax" used after encryption.
  • Read permission of the script.x exposes it to disassembling.
  • Group and others read permission is now removed by default.
shc-3.7, 28-Jun-2005
  • Removed all strings in the compiled script.
  • Improved program output and error messages.
  • The -m option allows to define the *complete* expiration message.
  • Updated manpage shc.1.
  • Fix wrong $0 on ksh.
shc-3.6, 16-Jun-2005
  • Two new options:
  • -D switch on Debug exec calls.
  • -T switch off unTraceable.
shc-3.4, 19-Jun-2003
  • Remove "bad alignment" problem on AIX and other systems.
  • Where exists, use /proc//as in untraceable.
shc-3.3, 21-Apr-2003
  • Prevent to ptrace the process.
shc-3.2, 05-Aug-2002
  • Find ancient pclose that must be fclose.
shc-3.1, 05-Aug-2002
  • Fixed a misbehavior on scripts with a in-first-line option equal to "end of options"
  • GCC "warning: return type of `main' is not `int'" removed.
shc-2.4, 05-Aug-2002

Alternatives

  • shellcrypt