HimitsuShell

Posted on • Originally published at Medium

shc Security Analysis: Structural Limitations of a Shell Script Compiler

shc is one of the most widely used Shell Script Compilers. It converts a shell script into C source code and then builds it into a binary to prevent source code exposure.

However, shc has a fundamental architectural limitation: it relies on the system shell for script execution, making it vulnerable to operating system-level logging and hooking attacks.

neurobin / shc

Shell script compiler


Shell Script Compiler

A generic shell script compiler. Shc takes a script, which is specified on the command line and produces C source code. The generated source code is then compiled and linked to produce a stripped binary executable.

The compiled binary will still be dependent on the shell specified in the first line of the shell code (i.e. shebang) (i.e. #!/bin/sh), thus shc does not create completely independent binaries.

shc itself is not a compiler such as cc, it rather encodes and encrypts a shell script and generates C source code with the added expiration capability. It then uses the system compiler to compile a stripped binary which behaves exactly like the original script. Upon execution, the compiled binary will decrypt and execute the code with the shell -c option.

Install

./configure
make
sudo make install

Note If make fails due to automake version, run ./autogen.sh before running the…

Binaries generated by shc execute shell scripts by passing them to the system shell (for example, /bin/bash).

As a result, if an attacker monitors the moment the script is passed to the system shell, the original shell script can be recovered with relative ease.

[Image: scheme]

Let’s reproduce the issue and examine the limitation in practice.


Test Environment

On Ubuntu 24.04, use the following shell script.

[Image: shell script]

Use the maximum security settings, as shown below:

shc -Uf launcher.sh -o shc_binary

Reproducing the Issue

# Install auditd
sudo apt install auditd -y

# Register monitoring rule
sudo auditctl -a exit,always -F arch=b64 -S execve

# Run the shc binary
./shc_binary

# Check logs
sudo ausearch -i -sc execve | grep "shc_binary" -A 100

As shown in the screenshot below, the original shell script can be recovered using auditd, an operating system-level monitoring tool.

[Screenshot: terminal]
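What the execve audit rule above records, seen from the log-review side, as an added example (not code from the original article or the shc project): it parses raw EXECVE records, decodes hex-encoded arguments, and reports executions that carried a multi-line script body after `-c`. The sample records, the assumed argv layout and all function names are constructed for illustration.

```python
import re

# Constructed sample of raw audit.log EXECVE records (not from a real host).
# Assumed argv layout: launcher name, "-c", script body, then $0.
SCRIPT = b'#!/bin/bash\nAPI_TOKEN="example-not-a-real-secret"\necho start\n'
SAMPLE_LOG = "\n".join([
    'type=EXECVE msg=audit(1700000000.100:501): argc=1 a0="./shc_binary"',
    'type=EXECVE msg=audit(1700000000.104:502): argc=4 a0="./shc_binary" '
    'a1="-c" a2=' + SCRIPT.hex().upper() + ' a3="./shc_binary"',
    'type=EXECVE msg=audit(1700000000.200:503): argc=2 a0="ls" a1="-la"',
])

# aN="text" is literal; unquoted aN=HEX is hex-encoded; long values come as aN[i]= chunks.
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def decode_value(raw):
    if raw.startswith('"'):
        return raw[1:-1].encode()
    try:
        return bytes.fromhex(raw)
    except ValueError:
        return raw.encode()  # not hex, e.g. (null)

def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for other records."""
    if not line.startswith("type=EXECVE"):
        return None
    event = EVENT_RE.search(line)
    parts = {}
    for m in ARG_RE.finditer(line):
        idx, chunk = int(m.group(1)), int(m.group(2) or 0)
        parts.setdefault(idx, {})[chunk] = decode_value(m.group(3))
    argv = [b"".join(parts[i][c] for c in sorted(parts[i])).decode("utf-8", "replace")
            for i in sorted(parts)]
    return (event.group(1) if event else "?"), argv

def inline_scripts(log_text):
    """List executions where a multi-line script body followed a -c option."""
    hits = []
    for event, argv in filter(None, map(parse_execve, log_text.splitlines())):
        if "-c" in argv:
            body = next((a for a in argv[argv.index("-c") + 1:] if "\n" in a), None)
            if body is not None:
                hits.append({"event": event, "argv0": argv[0], "script": body})
    return hits

if __name__ == "__main__":
    print([(h["event"], h["argv0"], len(h["script"])) for h in inline_scripts(SAMPLE_LOG)])
```

Anything embedded in the script, such as the placeholder token in the sample, ends up in the audit trail and in whatever log pipeline consumes it.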


Mitigation

To avoid this issue, a Shell Script Compiler should not rely on the system shell for script execution.

Architectures that depend on the system shell are inherently exposed to operating system-level logging and hooking attacks such as the one demonstrated above.

Several alternatives exist, including ssc and HimitsuShell. However, ssc also has its own architectural limitations.

The following articles provide additional analysis:
