We often need to hide shell script code, both to prevent unintentional modification and to conceal sensitive information in the script, such as passwords. Tools such as obfsh and shellcrypt are available for hiding source code.
SHC stands for the generic shell script compiler. Created by Francisco Javier Rosales García, it converts shell scripts directly into binaries, which hides the source code, protects against accidental changes and hides sensitive data in the script.
How it works
SHC creates a stripped binary executable version of the script specified with -f on the command line. The binary version will get a .x extension appended, and will usually be a bit larger in size than the original ASCII code. Generated C source code is saved in a file with the extension .x.c.
Here, I have chosen CentOS 6.7 (equivalent: RHEL 6.7) with a minimal installation in VirtualBox. To install the packages required for compiling SHC from source, execute the command below in a terminal with root privileges:
# yum groupinstall "Development Tools"
Or, give the following command:
# yum install make gcc gcc-c++ kernel-devel
Download the latest source tar package for shc. To do that, first install the wget package:
# yum install wget
# cd /usr/local/src
# wget -c http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz
Extract the tar package:
# tar -zvxf shc-3.8.9b.tgz
# cd shc-3.8.9b
To compile SHC, execute the make command, as follows:
[root@test shc-3.8.9b]# make
cc -Wall shc.c -o shc
*** ¿Do you want to probe shc with a test script?
*** Please try... make test
To install the SHC binary, execute the commands below:
[root@test shc-3.8.9b]# make install
*** Installing shc and shc.1 on /usr/local
*** ¿Do you want to continue? y
install -c -s shc /usr/local/bin/
install -c -m 644 shc.1 /usr/local/man/man1/
install: target `/usr/local/man/man1/' is not a directory: No such file or directory
make: *** [install] Error 1
This shows an error message because the man package is not installed by default in a minimal installation. You can ignore it, or install the man package or create the /usr/local/man/man1/ directory and then execute the make install command again.
[root@test shc-3.8.9b]# make install
*** Installing shc and shc.1 on /usr/local
*** ¿Do you want to continue? y    <<-------------- Press Y
install -c -s shc /usr/local/bin/
install -c -m 644 shc.1 /usr/local/man/man1/
Cross-check that shc is installed properly:
[root@test shc-3.8.9b]# which shc
/usr/local/bin/shc
It will display the path of the SHC binary.
Hands-on usage of SHC
1. Creating a test shell script
First, create the test shell script that you are going to encrypt. Let's create a script for testing purposes, which will display a simple "Welcome to the Linux world" message, as follows:
$ vi welcome.sh
#!/bin/sh
echo "Welcome to linux world"
Save and exit using :wq
2. Encrypting using SHC
Encrypt the welcome.sh shell script using SHC, as shown below:
[root@test src]# shc -v -f welcome.sh
shc shll=sh
shc [-i]=-c
shc [-x]=exec %s $@
shc [-l]=
shc opts=
shc: cc welcome.sh.x.c -o welcome.sh.x
shc: strip welcome.sh.x
shc: chmod go-r welcome.sh.x
This will create two extra files, as shown below:
[root@test src]# ll welcome.sh*
-rw-r--r--. 1 root root    40 Dec 16 04:39 welcome.sh
-rwx--x--x. 1 root root 11552 Dec 16 05:23 welcome.sh.x
-rw-r--r--. 1 root root  9236 Dec 16 05:23 welcome.sh.x.c
- welcome.sh is the original unencrypted shell script
- welcome.sh.x is the encrypted shell script in binary format
- welcome.sh.x.c is the C source code of the welcome.sh file. This C source code is compiled to create the above encrypted welcome.sh.x file.
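A check to run before handing the compiled script to anyone else, given that shc leaves the original script and the generated C source beside the binary. This is an added example, not part of the original article or of SHC; the function names and the sample directory are hypothetical, and the sample files are constructed stand-ins rather than real shc output.

```shell
#!/bin/sh
# Added example (not from SHC): audit a directory before shipping shc output.
# Function names and the sample directory are hypothetical.

# Print one finding per line; return 1 if anything should not be shipped.
audit_shc_release() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
        *.x.c)  # generated C source, only needed to build the binary
            echo "source: $f"; rc=1 ;;
        *.x)    # shc ran 'chmod go-r'; a copy or umask change can undo it
            perms=$(ls -ld "$f" | cut -c1-10)
            case "$perms" in
            ????r*|???????r*) echo "mode: $f is $perms"; rc=1 ;;
            esac ;;
        *)      # anything starting with '#!' is a readable script
            first=
            IFS= read -r first < "$f" || true
            case "$first" in
            '#!'*) echo "script: $f"; rc=1 ;;
            esac ;;
        esac
    done
    return "$rc"
}

# Constructed stand-ins for the files in the listing above (not real shc output).
make_sample_release() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "Welcome to linux world"\n' > "$d/welcome.sh"
    printf 'stand-in for generated C source\n' > "$d/welcome.sh.x.c"
    printf 'stand-in for compiled binary\n' > "$d/welcome.sh.x"
    chmod 755 "$d/welcome.sh.x"    # group/other read restored, e.g. by a careless copy
    echo "$d"
}

sample=$(make_sample_release)
audit_shc_release "$sample" || echo "not ready to distribute"
rm -rf "$sample"
```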
3. Executing the encrypted shell script
Now, let us execute the encrypted shell script to make sure it works as expected.
[root@test src]# ./welcome.sh.x
Welcome to linux world
Please note that the binary still depends on the shell: the interpreter named in the first line of welcome.sh (i.e., /bin/sh) must be available to execute the script.
4. Setting an expiry date to the encrypted shell script
Using SHC, you can also specify an expiry date. When somebody tries to execute the shell script after this date, they'll get an error message.
If you don't want anybody to execute welcome.sh.x after December 31, 2014 (I used an earlier year's date for testing purposes), create a new encrypted shell script using the shc -e option to specify the expiry date, which needs to be given in the dd/mm/yyyy format.
[root@test src]# shc -e 31/12/2014 -f welcome.sh
In this example, if someone tries to execute welcome.sh.x after December 31, 2014, they'll get a default expiry message as shown below:
[root@test src]# ./welcome.sh.x
./welcome.sh.x: has expired!
Please contact your provider
To display a custom expiration message, use the -m option along with the -e option, as shown below:
[root@test src]# shc -e 31/12/2014 -m "Contact firstname.lastname@example.org for new version of this script" -f welcome.sh
[root@test src]# ./welcome.sh.x
./welcome.sh.x: has expired!
Contact email@example.com for new version of this script.
5. Creating redistributable encrypted shell scripts
You can create redistributable encrypted shell scripts using the -r (relax security) and -T (traceable using strace) options:
[root@test src]# shc -v -r -T -f welcome.sh
shc shll=sh
shc [-i]=-c
shc [-x]=exec %s $@
shc [-l]=
shc opts=
shc: cc welcome.sh.x.c -o welcome.sh.x
shc: strip welcome.sh.x
shc: chmod go-r welcome.sh.x