模拟shadow_stack保护(可编译选项) 认识shadow_stack 什么是shadow stack Shadow Stack(影子栈)是一种由硬件或操作系统直接管控的只读备份栈,专门用于同步存储主栈中的返回地址。其核心机制是:当程序执行CALL指令时,返回地址会同时压入主执行栈和影子栈;而执行RET指令时,系统会校验主栈弹出的返回地址与影子栈中的备份是否一致 —— 若不一致则立即终止执行,以此防御 ROP这类通过篡改主栈返回地址、拼接无害代码片段(gadget)来劫持程序执行流的攻击。
验证某程序是否在编译时启用 CET:
1 2 3 4 $ readelf -n <application> | grep -a SHSTK $ readelf -n <application> | grep -a IBT
验证当前程序(cat)运行时是否已启用 Shadow Stack:(通常不会启用)
1 2 $ cat /proc/self/status | grep shstk
HSTK 的主要逻辑就在 arch/x86/kernel/shstk.c
引用自[初探 Shadow Stack](初探 Shadow Stack - RiK’s Blog )
COOP攻击 Shadow Stack 启用后,传统的 ROP 等技术失效,但并非无法做到类似链式 gadgets 的任意代码执行。可以采用一种叫“伪面向对象编程”(Counterfeit Object-Oriented Programming / COOP)的新技术,其基本思路是在类似 C++ 的面向对象语言中通过修改虚函数表为 vfgadgets 来达到类似 ROP 的效果。vfgadget 分为 Main Loop Gadget(将其他 gadgets 串联起来)、Argument Loader Gadget(类似 ROP 中的 pop rdi; ret;)、Invoker Gadget(类似 ROP 中的 system)、Collector Gadget(存储 Invoker 的返回值)。
大小 任务的影子堆栈从内存中分配到 MIN(RLIMIT_STACK, 4 GB) 的固定大小。
信号 启用shaow_stack后,执行call时的函数的返回地址会被同时push到shadow_stack上。
随后在ret时,内核会验证ssp(shadow_stack的栈顶指针)与call stack的返回地址。
关于用户态simulate_shadow_stack的设想 演示poc 由于笔者水平有限,所以只能尝试在用户态上分配一块内存来模拟shadow_stack
以下是笔者写的一个写入源码里面演示poc(初版)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <stdarg.h> #include <sys/mman.h> void *shadow_stack;void **ssp;void **sbp;void create_stack () NULL , 4096 , PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1 , 0 );if (shadow_stack == MAP_FAILED)"mmap failed" );exit (1 );void **)((char *)shadow_stack + 4096 );printf ("Shadow stack created:\n" );printf (" Base address: %p\n" , shadow_stack);printf (" Stack base (high): %p\n" , sbp);printf (" Stack top (current): %p\n" , ssp);printf (" Stack size: 4096 bytes\n" );void push_addr () void *ret_addr = __builtin_return_address(1 );if (ssp <= (void **)shadow_stack)printf ("Shadow stack overflow!\n" );exit (1 );printf ("Pushed return address: %p to stack position: %p\n" , ret_addr, ssp);void check_addr () void *curr_addr = __builtin_return_address(1 );if (ssp >= sbp)printf ("Shadow stack underflow!\n" );exit (1 );void *saved_addr = *ssp;printf ("Checking: current=%p, saved=%p\n" , curr_addr, saved_addr);if (curr_addr != saved_addr)printf ("Address mismatch detected! Potential ROP attack!\n" );printf ("Expected: %p\n" , saved_addr);printf ("Found: %p\n" , curr_addr);exit (1 );else printf ("Address check passed\n" );void __printf(const char *format, ...)vprintf (format, args);void __gets(char *buf)int main () char buf[16 ];"Hello, World!\n" );return 0 ;
第二版poc:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <stdarg.h> #include <sys/mman.h> #include <string.h> #define FUNC_ENTRY() do { \ void *__ret_addr = __builtin_return_address(0); \ shadow_stack_push(__ret_addr); \ } while(0) #define FUNC_EXIT() do { \ void *__ret_addr = __builtin_return_address(0); \ shadow_stack_check(__ret_addr); \ } while(0) #define PROTECTED_FUNC_BEGIN() FUNC_ENTRY() #define PROTECTED_FUNC_END() FUNC_EXIT() void *shadow_stack;void **ssp;void **sbp;void shadow_stack_init () {NULL , 4096 , PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1 , 0 );if (shadow_stack == MAP_FAILED) {"[system]Shadow stack init failed" );exit (1 );void **)((char *)shadow_stack + 4096 );printf ("[system]Shadow stack protection enabled\n" );printf ("Shadow stack created:\n" );printf (" Base address: %p\n" , shadow_stack);printf (" Stack base (high): %p\n" , sbp);printf (" Stack top (current): %p\n" , ssp);printf (" Stack size: 4096 bytes\n" );void shadow_stack_push (void *ret_addr) {if (ssp <= (void **)shadow_stack) {printf ("[system]Shadow stack overflow!\n" );exit (1 );void shadow_stack_check (void *curr_addr) {if (ssp >= sbp) {printf ("[system]Shadow stack underflow!\n" );exit (1 );void *saved_addr = *ssp;if (curr_addr != saved_addr) {printf ("[system]SECURITY ALERT: Return address tampering detected!\n" );printf ("Expected: %p\n" , saved_addr);printf ("Found: %p\n" , curr_addr);printf ("Possible ROP/JOP attack blocked!\n" );exit (1 );void vulnerable_function () {char buffer[16 ];int main () {return 0 ;
初版脚本 写了一个脚本,把模拟影子栈的那部分源码放到了脚本里面,然后利用gcc里面的-finstrument-functions选项来帮助完成插入。利用这个脚本,任意一个c源码都可以快速加上模拟影子栈保护
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 #!/bin/bash "$(cd "$(dirname "${BASH_SOURCE[0]} " ) " && pwd) " "$SCRIPT_DIR " "gcc" '\033[0;31m' '\033[0;32m' '\033[1;33m' '\033[0;34m' '\033[0m' show_help echo "Shadow Stack Compiler Wrapper" echo "用法: $0 [选项] 源文件..." echo "" echo "Shadow Stack 选项:" echo " -shadow 启用影子栈保护" echo " -shadow-debug 启用影子栈保护并显示调试信息" echo " -shadow-silent 启用影子栈保护但不显示系统信息" echo " -shadow-help 显示此帮助信息" echo "" echo "其他选项将直接传递给 GCC" echo "" echo "示例:" echo " $0 -shadow test.c -o test" echo " $0 -shadow-debug -g test.c -o test" while [[ $# -gt 0 ]]; do case $1 in exit 0shift shift shift "$1 " )"$1 " )shift "$1 " )shift esac done if [[ $ENABLE_SHADOW -eq 1 ]]; then echo -e "${GREEN} [Shadow Stack]${NC} 启用影子栈保护" mktemp -d)trap "rm -rf $TEMP_DIR " EXITfor src_file in "${SOURCE_FILES[@]} " ; do if [[ -f "$src_file " ]]; then basename "$src_file " )"$TEMP_DIR /$base_name " echo -e "${BLUE} [Shadow Stack]${NC} 处理源文件: $src_file " head -n 10 "$src_file " | grep -E '^#include' cat << 'EOF' while (s[len]) len++;return len;shadow_stack_init if (shadow_stack_enabled)return ;if (shadow_stack == MAP_FAILED)"[system]Shadow stack init failed" );exit (1);4096 );1 ;shadow_stack_cleanup if (shadow_stack_enabled)if (shadow_stack != NULL) {printf ,因为可能导致段错误if (!shadow_stack_enabled || shadow_stack == NULL)return ;if (ssp <= (void **)shadow_stack)"[system]Shadow stack overflow!\n" );exit (1);if (!shadow_stack_enabled || shadow_stack == NULL)return ;if (ssp >= sbp)return ; // 静默处理空栈情况if (curr_addr != saved_addr)"\n=== SHADOW STACK SECURITY ALERT ===\n" );"Return address tampering detected!\n" );"Possible ROP/JOP attack blocked!\n" );"Process terminated for security.\n" );"===================================\n" );if (!shadow_stack_enabled || in_hook)return ;if (call_site != NULL && call_site != (void *)0x1) {"[DEBUG] Function enter - pushing to shadow stack\n" );else {"[DEBUG] Function enter - skipping (invalid call_site)\n" );if (call_site != NULL && call_site != (void *)0x1 && shadow_stack != NULL)if (!shadow_stack_enabled || in_hook)return ;if (call_site != NULL && call_site != (void *)0x1) {"[DEBUG] Function exit - checking shadow stack\n" );else {"[DEBUG] Function exit - skipping (invalid call_site)\n" );if (call_site != NULL && call_site != (void *)0x1 && shadow_stack != NULL)tail -n +1 "$src_file " | grep -v '^#include' "$temp_file " "$temp_file " )fi done for arg in "${GCC_ARGS[@]} " ; do for i in "${!SOURCE_FILES[@]} " ; do if [[ "$arg " == "${SOURCE_FILES[$i]} " ]]; then "${MODIFIED_FILES[$i]} " )break fi done if [[ $found -eq 0 ]]; then "$arg " )fi done "-finstrument-functions" if [[ $SHADOW_DEBUG -eq 1 ]]; then "-DSHADOW_DEBUG" )echo -e "${YELLOW} [Shadow Stack]${NC} 启用调试模式" fi if [[ $SHADOW_SILENT -eq 1 ]]; then "-DSHADOW_SILENT" )echo -e "${YELLOW} [Shadow Stack]${NC} 启用静默模式" fi "$ORIGINAL_GCC " "${SHADOW_FLAGS[@]} " "${NEW_GCC_ARGS[@]} " echo -e "${BLUE} [Shadow Stack]${NC} 执行编译命令:" echo -e "${BLUE} [Shadow Stack]${NC} ${FINAL_COMMAND[*]} " "${FINAL_COMMAND[@]} " if [[ $compile_result -eq 0 ]]; then echo -e "${GREEN} [Shadow Stack]${NC} 编译成功,影子栈保护已启用" else echo -e "${RED} [Shadow Stack]${NC} 编译失败" fi exit $compile_result else exec "$ORIGINAL_GCC " "${GCC_ARGS[@]} " fi
安全版本(2025/9/9改) 上一版本的shadow_stack漏洞过多,比如可以通过其他漏洞修改shadow_stack_enable这个全局变量来关闭保护(可以用来出题),直接修改影子栈等问题。这个版本与canary类似引入了一个储存在fs:0x48段的一个随机key值,并把key与储存在shadow_stack上的返回地址进行加密,在比较的时候再引用key值来解密,这样就可以起到防止修改shadow_stack段的作用,同时修复了修改shadow_stack_enable这个全局变量来关闭保护的bug,现在只在保护初始化的时候使用这个全局变量。
poc 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/mman.h> #include <fcntl.h> char *gets (char *s) ;void *shadow_stack;void **ssp;void **sbp;static int in_hook = 0 ;static size_t safe_strlen (const char *s) {size_t len = 0 ;while (s[len]) len++;return len;static void safe_write (const char *msg) {static inline void write_fs_48 (unsigned long value) volatile ("movq %0, %%fs:0x48" : : "r" (value)) ;static inline unsigned long read_fs_48 () unsigned long key;volatile ("movq %%fs:0x48, %0" : "=r" (key)) ;return key;unsigned long read_urandom_key () int fd;unsigned long key = 0 ;ssize_t bytes_read;"/dev/urandom" , O_RDONLY);if (fd == -1 )"[ERROR] 无法打开/dev/urandom\n" );exit (-1 );sizeof (key));if (bytes_read != sizeof (key))"[WARNING]key读取出错\n" );exit (-1 );return key;unsigned long generate_and_store_shadow_key () static int initialized = 0 ;if (!initialized)unsigned long key = read_urandom_key();unsigned long stored_key = read_fs_48();if (stored_key != key)exit (-1 );1 ;return read_fs_48();void restore_fs_original_value () if (read_fs_48()) {0 );if (shadow_stack != NULL ) {4096 );NULL ;void shadow_stack_init () if (read_fs_48())return ;NULL , 4096 , PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1 , 0 );if (shadow_stack == MAP_FAILED)"[system]Shadow stack init failed\n" );exit (1 );void **)((char *)shadow_stack + 4096 );void __fshadow_stack_push_encrypted(void *ret_addr)if (!read_fs_48() || shadow_stack == NULL )return ;if (ssp <= (void **)shadow_stack)"[system]Shadow stack overflow!\n" );exit (1 );void *encrypted_addr = (void *)((unsigned long )ret_addr ^ read_fs_48());void __fshadow_stack_check_encrypted(void *curr_addr)if (!read_fs_48() || shadow_stack == NULL )return ;if (ssp >= sbp)return ; void *encrypted_addr = *ssp;void *decrypted_addr = (void *)((unsigned long )encrypted_addr ^ read_fs_48());if (curr_addr != decrypted_addr)"\n=== FS:0x48 SHADOW STACK SECURITY ALERT ===\n" );"Return address tampering detected!\n" );"FS:0x48-based encryption detected attack!\n" );"Possible ROP/JOP attack blocked!\n" );"Process terminated for security.\n" );"==========================================\n" );1 );#define PROTECTED_FUNC_BEGIN() \ do \ { \ void *__ret_addr = __builtin_return_address(0); \ __fshadow_stack_push_encrypted(__ret_addr); \ } while (0) #define PROTECTED_FUNC_END() \ do \ { \ void *__ret_addr = __builtin_return_address(0); \ __fshadow_stack_check_encrypted(__ret_addr); \ } while (0) void vulnerable_function () char buffer[16 ];printf ("输入数据: " );printf ("您输入的是: %s\n" , buffer);int main () return 0 ;
脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 #!/bin/bash "$(cd "$(dirname "${BASH_SOURCE[0]} " ) " && pwd) " "$SCRIPT_DIR " "gcc" '\033[0;31m' '\033[0;32m' '\033[1;33m' '\033[0;34m' '\033[0m' show_help echo "Shadow Stack Compiler Wrapper" echo "用法: $0 [选项] 源文件..." echo "" echo "Shadow Stack 选项:" echo " -shadow 启用影子栈保护" echo " -shadow-debug 启用影子栈保护并显示调试信息" echo " -shadow-silent 启用影子栈保护但不显示系统信息" echo " -shadow-help 显示此帮助信息" echo "" echo "其他选项将直接传递给 GCC" echo "" echo "示例:" echo " $0 -shadow test.c -o test" echo " $0 -shadow-debug -g test.c -o test" echo " $0 -shadow-silent test.c -o test" echo "" echo "注意:" echo " - 必须包含至少一个 .c/.cpp/.cc/.cxx 源文件" echo " - 使用影子栈选项时,源文件会被自动处理" echo " - 不使用影子栈选项时,直接调用原始 GCC" show_error echo -e "${RED} 错误: $1${NC} " >&2echo "" exit 1if [[ $# -eq 0 ]]; then exit 0fi while [[ $# -gt 0 ]]; do case $1 in exit 0shift shift shift "$1 " )shift "$1 " )"$1 " )shift "$1 " )shift esac done if [[ ${#UNKNOWN_SHADOW_OPTIONS[@]} -gt 0 ]]; then "未知的影子栈选项: ${UNKNOWN_SHADOW_OPTIONS[*]} " fi if [[ $ENABLE_SHADOW -eq 1 ]]; then if [[ ${#SOURCE_FILES[@]} -eq 0 ]]; then "启用影子栈保护时必须指定至少一个源文件 (.c/.cpp/.cc/.cxx)" fi echo -e "${GREEN} [Shadow Stack]${NC} 启用影子栈保护" mktemp -d)trap "rm -rf $TEMP_DIR " EXITfor src_file in "${SOURCE_FILES[@]} " ; do if [[ -f "$src_file " ]]; then basename "$src_file " )"$TEMP_DIR /$base_name " echo -e "${BLUE} [Shadow Stack]${NC} 处理源文件: $src_file " head -n 10 "$src_file " | grep -E '^#include' cat << 'EOF' while (s[len]) len++;return len;"movq %0, %%fs:0x48" : : "r" (value));read_in "movq %%fs:0x48, %0" : "=r" (key));return key;read_urandom_key "/dev/urandom" , O_RDONLY);if (fd == -1)"[ERROR] 无法打开/dev/urandom\n" );exit (-1);read (fd, &key, sizeof(key));if (bytes_read != sizeof(key))"[WARNING] key读取出错\n" );exit (-1);return key;generate_and_store_shadow_key if (!initialized)if (stored_key != key)"[ERROR] 密钥验证失败\n" );exit (-1);"[system] 加密密钥已生成\n" );return read_in();shadow_stack_init if (shadow_stack_enabled)return ;if (shadow_stack == MAP_FAILED)"[system] Shadow stack init failed\n" );exit (1);4096 );1 ;shadow_stack_cleanup if (shadow_stack_enabled)if (read_in())if (shadow_stack != NULL) {if (shadow_stack == NULL || !read_in())return ;if (ssp <= (void **)shadow_stack)"[system] Shadow stack overflow!\n" );exit (1);"[DEBUG] 加密返回地址并推入影子栈\n" );if (shadow_stack == NULL || !read_in())return ;if (ssp >= sbp)return ;"[DEBUG] 解密并检查返回地址\n" );if (curr_addr != decrypted_addr)"\n=== SHADOW STACK SECURITY ALERT ===\n" );"Return address tampering detected!\n" );"Simulate shadow stack detected attack!\n" );"Possible ROP/JOP attack blocked!\n" );"Process terminated for security.\n" );"==========================================\n" );if (!shadow_stack_enabled || in_hook)return ;if (call_site != NULL && call_site != (void *)0x1) {"[DEBUG] Function enter - pushing encrypted address to shadow stack\n" );else {"[DEBUG] Function enter - skipping (invalid call_site)\n" );if (call_site != NULL && call_site != (void *)0x1 && shadow_stack != NULL)if (!shadow_stack_enabled || in_hook)return ;if (call_site != NULL && call_site != (void *)0x1) {"[DEBUG] Function exit - checking encrypted shadow stack\n" );else {"[DEBUG] Function exit - skipping (invalid call_site)\n" );if (call_site != NULL && call_site != (void *)0x1 && shadow_stack != NULL)tail -n +1 "$src_file " | grep -v '^#include' "$temp_file " "$temp_file " )fi done for arg in "${GCC_ARGS[@]} " ; do for i in "${!SOURCE_FILES[@]} " ; do if [[ "$arg " == "${SOURCE_FILES[$i]} " ]]; then "${MODIFIED_FILES[$i]} " )break fi done if [[ $found -eq 0 ]]; then "$arg " )fi done "-finstrument-functions" if [[ $SHADOW_DEBUG -eq 1 ]]; then "-DSHADOW_DEBUG" )echo -e "${YELLOW} [Shadow Stack]${NC} 启用调试模式" fi if [[ $SHADOW_SILENT -eq 1 ]]; then "-DSHADOW_SILENT" )echo -e "${YELLOW} [Shadow Stack]${NC} 启用静默模式" fi "$ORIGINAL_GCC " "${SHADOW_FLAGS[@]} " "${NEW_GCC_ARGS[@]} " echo -e "${BLUE} [Shadow Stack]${NC} 执行编译命令:" echo -e "${BLUE} [Shadow Stack]${NC} ${FINAL_COMMAND[*]} " "${FINAL_COMMAND[@]} " if [[ $compile_result -eq 0 ]]; then echo -e "${GREEN} [Shadow Stack]${NC} 编译成功,影子栈保护已启用" else echo -e "${RED} [Shadow Stack]${NC} 编译失败" fi exit $compile_result else exec "$ORIGINAL_GCC " "${GCC_ARGS[@]} " fi