Turn your scripts into binaries using the awesome shc tool!

Assume the following scenario, you need to provide to a client a shell script to do a specific tasks, in the same time you have the following limitations you need to conform

• The script contains sensitive information (fo example a password) that the client must not learn
• The script must run on a specific machine only
• The script should not run after a specific date
• There is always the option to re-write the same tool in a compiled language like Go or Java but you dont have the knowledge nor the time to do this

You start getting anxious but after some googling around you found this awesome tool! shc https://www.datsi.fi.upm.es/~frosal/

How shc works?

The author of the tool describes its functionality

shc itself is not a compiler such as cc, it rather encodes and encrypts a shell script and generates C source code with the added expiration capability. It then uses the system compiler to compile a stripped binary which behaves exactly like the original script. Upon execution, the compiled binary will decrypt and execute the code with the shell -c option. Unfortunately, it will not give you any speed improvement as a real C program would.

shc’s main purpose is not protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don’t want them to be easily readable by other people.

Installing shc

We can install shc using our systems package manager

In deb like systems you can use apt

sudo apt-get update 
sudo apt-get install shc

In rpm you can use yum

sudo yum install shc

shc is not limited to Linux only systems and can be used in macos as well, to install shc in macos we can use the brew package manager

brew install shc

Examples

Lets compile a “Hello world” bash script

Create the following file and name it hello.sh

#!/bin/bash 
echo "Hello World!"

Lets compile it, to compile a shell script we use the -f parameter, after the compilation it will create a binary file with the same filename as our script but with the .x at the end

% shc -f ./hello.sh  
% ./hello.sh.x  
Hello World!

Listing the directory we nottice that it had actually created two files

-rw-r--r--    1 kpatronas  staff    33B Oct 31 13:07 hello.sh 
-rw-r--r--    1 kpatronas  staff    17K Oct 31 13:08 hello.sh.x.c 
-rwxrwxr-x    1 kpatronas  staff    50K Oct 31 13:08 hello.sh.x

The one is the shell script converted to a C program which contains our shell script code and the binary version of the C program.

Adding expiration date

One other very cool feature is the ability to “expire” in order not being able to run after a specific date, i dont know the actual implementation of this feature it might be something very simple like comparing the system date with the specified date and which can make it easy to fool by changing the system date, but still is one very nice feature since most people will not dare the to change the date of a production system :)

In the following example i set the expiration date as one day before the current date using the -e option with the date in the dd/mm/yyyyformat.

Running the script prints the message as defined with the -m parameter and exits.

% shc -f ./arguments.sh -e 30/10/2023 -m "Please contact your provider kpatronas@gmail.com" 
% ./arguments.sh.x                                                                          
./arguments.sh.x: has expired! 
Please contact your provider kpatronas@gmail.com

Loosening script security

By default the compiled script will run only to the system where compiled, -r parameter loosens the security settings for compiling so that the binary program will also run on other computers with the same operating system.

Conclusion

This tool is awesome! its very handy that can encrypt your shell code and be able to pass it to other people, of course is not impossible to decrypt the code but still for not so much security critical things is very handy! i hope you enjoyed reading this article as much i enjoyed writting it!