ionescu007/SpecuCheck ionescu007/SpecuCheck

  • Stars
    star
    559
  • Rank 79,673 (Top 2 %)
  • Language
    C
  • Created almost 7 years ago
  • Updated almost 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ionescu007/SpecuCheck
github

ionescu007

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SpecuCheck is a Windows utility for checking the state of the software mitigations and hardware against CVE-2017-5754 (Meltdown), CVE-2017-5715 (Spectre v2), CVE-2018-3260 (Foreshadow), and CVE-2018-3639 (Spectre v4)

SpecuCheck

SpecuCheck is a Windows utility for checking the state of the software and hardware mitigations against CVE-2017-5754 (Meltdown), CVE-2017-5715 (Spectre v2), CVE-2018-3260 (Foreshadow), and CVE-2018-3639 (Spectre v4). It uses two new information classes that were added to the NtQuerySystemInformation API call as part of the recent patches introduced in January 2018 and reports the data as seen by the Windows Kernel.

An official Microsoft Powershell Cmdlet Module now exists as well, which is the recommended and supported way to get this information.

Screenshots

Screenshot

Introduction

On January 3rd 2018, Intel, AMD and ARM Holdings, as well as a number of OS Vendors reported a series of vulnerabilities that were discovered by Google Project Zero:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

Microsoft released patches for Windows 7 SP1 and higher later that same day. These patches, depending on architecture, OS version, boot settings and a number of hardware-related properties, apply a number of software and hardware mitigations against these issues. The enablement state of these mitigations, their availability, and configuration is stored by the Windows kernel in a number of global variables, and exposed to user-mode callers through an undocumented system call.

Additionally, new side channel attacks were reported, such as Spectre Variant 4: speculative store bypass (CVE-2018-3639) and Foreshadow: L1 terminal fault (CVE-2018-3620) which were fixed in Windows 7 SP1 and higher with patches in August's Patch Tuesday.

SpecuCheck takes advantage of this system call in order to confirm if a system has indeed been patched (non-patched systems will fail the call) and what the status of the mitigations are, which can be used to determine potential performance pitfalls.

Motivation

There was originally a lot of noise, hype, and marketing around the issue, and not a lot of documentation on how to see if you were affected, and at what performance overhead. SpecuCheck aimed to make that data easily accessible by users and IT departments, to avoid having to use a Windows debugger or reverse engineer the API themselves.

Since then, Microsoft has done great work to expose that data from the kernel-mode in a concise matter, which succinctly indicates the kernel's support and usage of the various mitigating technologies and hardware features, and released a PowerShell CmdLet Module to retrieve that data. SpecuCheck, therefore, remains only as a research tool and is not recommended -- please use the Microsoft-approved PowerShell Module instead.

Installation on Windows

To run SpecuCheck, simply execute it on the command-line:

c:\SpecuCheck.exe

Which will result in an informational screen indicating which features/mitigations are enabled. If you see the text:

Your system either does not have the appropriate patch, or it may not support the information class required

This indicates that your system is not currently patched to mitigate against these vulnerabilities.

References

If you would like to know more about my research or work, I invite you to check out my blog at http://www.alex-ionescu.com as well as my training & consulting company, Winsider Seminars & Solutions Inc., at http://www.windows-internals.com.

You should also definitely read the incredibly informative Project Zero Post.

For additional information on the appropriate and required Windows patches, please read the Microsoft Advisory and additional Microsoft Guidance.

Caveats

SpecuCheck relies on undocumented system calls and information classes which are subject to change. Additionally, SpecuCheck only returns the information that the Windows Kernel is storing about the state of the mitigations and hardware features -- based on policy settings (registry, boot parameters) or other compatibility flags, the Windows Kernel's state may not match the true hardware state. The goal of this tool is to give you a Windows-specific assessment, not a hardware assessment that is OS-agnostic.

SpecuCheck is only a research tool and is not recommended for general or commercial use -- please use the Microsoft-approved PowerShell Module instead.

License

Copyright 2018 Alex Ionescu. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met: 
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
   the following disclaimer. 
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
   and the following disclaimer in the documentation and/or other materials provided with the 
   distribution. 

THIS SOFTWARE IS PROVIDED BY ALEX IONESCU ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ALEX IONESCU
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of Alex Ionescu.

More Repositories

1

SimpleVisor

SimpleVisor is a simple, portable, Intel VT-x hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking (that is, virtualizing the host state from within the host). It works on Windows and UEFI.
C
1,607
star
2

lxss

Fun with the Windows Subsystem for Linux (WSL/LXSS)
C++
831
star
3

VisualUefi

A project for allowing EDK-II Development with Visual Studio
C
444
star
4

winipt

The Windows Library for Intel Process Trace (WinIPT) is a project that leverages the new Intel Processor Trace functionality exposed by Windows 10 Redstone 5 (1809), through a set of libraries and a command-line tool.
C
341
star
5

minlzma

The Minimal LZMA (minlzma) project aims to provide a minimalistic, cross-platform, highly commented, standards-compliant C library (minlzlib) for decompressing LZMA2-encapsulated compressed data in LZMA format within an XZ container, as can be generated with Python 3.6, 7-zip, and xzutils
C
332
star
6

faxhell

A Bind Shell Using the Fax Service and a DLL Hijack
C
317
star
7

Simpleator

Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
C++
313
star
8

hdk

(unofficial) Hyper-Vยฎ Development Kit
C
209
star
9

HookingNirvana

Recon 2015 Presentation from Alex Ionescu
C
205
star
10

PrintDemon

PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potetial misuses of the functionality.
C
196
star
11

clfs-docs

Unofficial Common Log File System (CLFS) Documentation
143
star
12

tpmtool

The TpmTool utility is a simple cross-platform tool for accessing TPM2.0 Non-Volatile (NV) Spaces (Index Values) on compliant systems, with zero dependencies on any TPM2.0 stack. It provides the ability to enumerate, create, delete, query, and lock NV indices, as well as to read and write data stored in them.
C++
133
star
13

wnfun

WNF Utilities 4 Newbies (WNFUN)
Python
87
star
14

hazmat5

Local OXID Resolver (LCLOR) : Research and Tooling
C++
31
star
15

Blackwood-4NT

Blackwood 4NT -- Grand Slam Authentication for Windows NT (10)
26
star
16

smctool

SMC Utility for Apple Macintosh Computers
13
star