Wednesday, November 24, 2010

!exploitable Crash Analyzer

!exploitable (pronounced "bang exploitable") Crash Analyzer is a plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it collates all of your crashes and determines how many distinct problems they actually represent. So, for example, out of 60 crash reports there may only be 2 or 3 actual bugs.


0:006> g
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at 
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)

Access violations at the instruction pointer are exploitable if not near NULL.


The second thing it does is look at the type of crash and try to determine whether the error is something a malicious hacker could exploit. This means that more junior engineers can triage these crashes without taking up the time of more senior examiners. Jason Shirk from the Security Core team joined us to take a look at !exploitable. To download the tool, go to: http://www.codeplex.com/msecdbg.
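As an added example (not code from this post or from the msecdbg project), here is a Python script that does the first job described above offline: it parses the "Exploitability Classification" and "Hash=" fields from !exploitable output like the transcript shown, collapses repeated reports of the same bug, and orders the survivors by verdict. The sample reports, the app!parse_header symbol and the second hash value are constructed for the example.

```python
import re

# Constructed sample !exploitable output (not from the original post). The first
# two reports hit the same bug, so they carry the same stack hash; the third is
# a different, near-NULL crash whose symbol names and hash are made up.
SAMPLE_REPORTS = [
    """Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)""",
    """Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)""",
    """Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Probably Not Exploitable - Read Access Violation near NULL starting at
app!parse_header+0x0000000000000010 called from app!main+0x0000000000000040 (Hash=0x1a2b3c4d.0x5e6f7a8b)""",
]

# The verdicts !exploitable emits, most severe first.
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "PROBABLY_NOT_EXPLOITABLE", "UNKNOWN"]

CLASS_RE = re.compile(r"^Exploitability Classification:\s*(\S+)", re.M)
# re.S lets the title span the line break the debugger inserts before "Unknown Symbol".
TITLE_RE = re.compile(r"^Recommended Bug Title:\s*(.*?)\s*\(Hash=(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)\)", re.M | re.S)


def severity_rank(classification):
    """Lower is more severe; verdicts we do not know sort last."""
    return SEVERITY.index(classification) if classification in SEVERITY else len(SEVERITY)


def parse_report(text):
    """Return (classification, title, major_hash, minor_hash), or None if the report is incomplete."""
    cm, tm = CLASS_RE.search(text), TITLE_RE.search(text)
    if not cm or not tm:
        return None
    title = " ".join(tm.group(1).split())  # re-join the title the debugger wrapped across lines
    return cm.group(1), title, tm.group(2), tm.group(3)


def collate(reports):
    """Bucket reports by stack hash, one bucket per distinct bug, ordered most severe first."""
    buckets = {}
    for text in reports:
        parsed = parse_report(text)
        if parsed is None:
            continue
        cls, title, major, minor = parsed
        # Keying on (major, minor) is strict; key on major alone to merge more aggressively.
        bucket = buckets.setdefault((major, minor), {"classification": cls, "title": title, "count": 0})
        bucket["count"] += 1
    return dict(sorted(buckets.items(), key=lambda kv: severity_rank(kv[1]["classification"])))
```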
