BinSkim: a great tool for Windows PE Binary security assessments

Validate compiler/linker settings and other security-relevant binary characteristics

BinSkim is one of the tools released by Microsoft with Open Source license.

Is a binary static analysis tool that scans Windows Portable Executable (PE) files in order to validate compiler/linker settings and other security-relevant binary characteristics.

Those include:

  • Use of outdated compiler toolsets. Binaries should be compiled against the most recent compiler toolsets wherever possible to maximize use of current compiler-level and OS-provided security mitigations.
  • Insecure compilation settings. Binaries should be compiled with the most secure settings possible, to enable OS-provided security mitigations, maximize compiler error and warnings reporting, etc.
  • Signing issues. Signed binaries should be signed with cryptographically strong algorithms.

Command-Line Documentation

-o, — output File path to which analysis output will be written.
-v, — verbose Emit verbose output. The resulting comprehensive report is designed to provide appropriate evidence for compliance scenarios.
-r, — recurse Recurse into subdirectories when evaluating file specifier arguments.
-p, — policy Path to policy file that will be used to configure analysis. Pass value of ‘default’ to use built-in settings.
-s, — statistics Generate timing and other statistics for analysis session.
-h, — hashes Output SHA-256 hash of analysis targets when emitting SARIF reports.
 — sympath Symbols path value, e.g., SRV or Cached:symbols;Srv**http://symweb
 — help Display this help screen.
 — version Display version information.
value pos. 0 One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze.

Example Command-Line

The primary function of BinSkim is to analyze Windows portable executables (.dlls, .exes, etc). To analyze a file, pass one or more arguments that resolve one or more portable executables.

// Analyze a single binary named MyProjectFile.dll found in c:temp
// and emit verbose messages during analysis
binskime.exe analyze c:tempMyProjectFile.dll –verbose
// Analyze all files with the .dll or .exe extension starting in the
// current working directory and recursing through all child directories
binskim analyze *.exe *.dll –recurse
// Analyze all files with the .dll extension starting in the current
// current directory and write results to a SARIF log file
binskim analyze *.dll --output MyLog.sarif

Documentation and downloads