Compile duplicacy with `buildmode=pie` // CGO_ENABLED

Current state of affairs, on Windows DEP/ASLR/CFG are not used:

```
> Get-PESecurity -File 'C:\ProgramData\chocolatey\bin\duplicacy.exe'

FileName         : C:\ProgramData\chocolatey\bin\duplicacy.exe
ARCH             : AMD64
DotNET           : False
ASLR             : False
DEP              : False
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : N/A
ControlFlowGuard : False
HighentropyVA    : False
```

Reading through the Go documentation, the necessary flag seems to be available:

```
-buildmode=pie
	Build the listed main packages and everything they import into
	position independent executables (PIE). Packages not named
	main are ignored.
```

Interestingly, WireGuard manages to score points for DEP and /HIGHENTROPYVA:

```
> Get-PESecurity -File 'C:\Program Files\WireGuard\wireguard.exe'

FileName         : C:\Program Files\WireGuard\wireguard.exe
ARCH             : AMD64
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : True
StrongNaming     : N/A
SafeSEH          : N/A
ControlFlowGuard : False
HighentropyVA    : True
```

Here is how they do it: wireguard-windows/build.bat at 3ca5d24273d0a8bf943332c3fe0b2b5040ac49fb · WireGuard/wireguard-windows · GitHub

Can it be enabled for future Duplicacy builds?

1 Like
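The ASLR, DEP, HighentropyVA and ControlFlowGuard columns in the reports above correspond to bits in the PE header's `DllCharacteristics` field, so a build pipeline can verify them without PowerShell. This Go sketch is an added example, not part of the original post or of either project: `Inspect`, `Mitigations` and `sample` are hypothetical names, and the header-only images are constructed to mirror the two reports rather than taken from the real binaries. It goes one step beyond the flag check by treating ASLR as ineffective when the relocation table has been stripped.

```go
package main
import (
	"encoding/binary"
	"fmt"
)

// Mitigations holds the linker-set exploit-mitigation flags of a PE image.
type Mitigations struct{ ASLR, HighEntropyVA, DEP, CFG, RelocsStripped bool }
// Inspect reads the file-header and DllCharacteristics flags from raw PE bytes.
func Inspect(img []byte) (Mitigations, error) {
	var m Mitigations
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return m, fmt.Errorf("not an MZ image")
	}
	pe := int(binary.LittleEndian.Uint32(img[0x3c:])) // e_lfanew
	if pe < 0 || pe+96 > len(img) || string(img[pe:pe+4]) != "PE\x00\x00" {
		return m, fmt.Errorf("missing or truncated PE header")
	}
	opt := pe + 24 // optional header follows signature (4) + file header (20)
	if magic := binary.LittleEndian.Uint16(img[opt:]); magic != 0x10b && magic != 0x20b {
		return m, fmt.Errorf("unknown optional header magic %#x", magic)
	}
	dll := binary.LittleEndian.Uint16(img[opt+70:]) // same offset in PE32 and PE32+
	m.RelocsStripped = binary.LittleEndian.Uint16(img[pe+22:])&0x0001 != 0
	m.ASLR = dll&0x0040 != 0 && !m.RelocsStripped // DYNAMIC_BASE needs relocations
	m.HighEntropyVA = dll&0x0020 != 0             // HIGH_ENTROPY_VA
	m.DEP = dll&0x0100 != 0                       // NX_COMPAT
	m.CFG = dll&0x4000 != 0                       // GUARD_CF
	return m, nil
}

// sample builds a constructed, header-only PE32+ image carrying the given flags.
func sample(dllChars, fileChars uint16) []byte {
	img := make([]byte, 0x80+96)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x80)
	copy(img[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x80+22:], fileChars)
	binary.LittleEndian.PutUint16(img[0x80+24:], 0x20b)
	binary.LittleEndian.PutUint16(img[0x80+24+70:], dllChars)
	return img
}

func main() {
	for _, dll := range []uint16{0x0000, 0x0160} { // flag sets mirroring the two reports
		m, err := Inspect(sample(dll, 0))
		fmt.Printf("DllCharacteristics=%#06x %+v err=%v\n", dll, m, err)
	}
}
```

To check a real build, pass the bytes returned by `os.ReadFile` to `Inspect` and fail the pipeline when a required flag is missing.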

Thanks for the pointer. I’ll play with that option.

1 Like