msecdbg Discussions Rss Feed

New Post: Major/Minor hash

AndyRenk — Thu, 03 May 2012 16:49:11 GMT

The hashes are 32 bit numbers and it is encoded in hex, 32 memory addresses share the same property.

The Major hash is calculated over the first five frames of a stand and does not include the offset from a symbol. This allows for stacks to have small variances to end up with the same hash. The Minor hash is calculated over the top 64 frames and includes offsets. So if you have two crashes with the same minor hash you know they have crashed at the exact same spot and most likely are the same issue.

New Post: Can't build 64bit msec.dll under .NET 4

AndyRenk — Thu, 03 May 2012 16:44:39 GMT

Binaries are shiped with the source code, there is a x64 verion in there.

New Post: Some documentation on the tool

AndyRenk — Thu, 03 May 2012 16:43:43 GMT

Slides from the presentation given at CanSecWest 2009

http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx

New Post: Arguments to debugWrapper script

AndyRenk — Thu, 03 May 2012 16:32:00 GMT

I hope the following example helps clarify the issue.

debuggerWrapper.cmd takes 5 arguments

The program to debug
The command line to the program
The path to the file being tested
- This is needed because not all programs consume a file from the command line. Without this argument it would not be possible to copy the file to the repro location when a crash occurred.
Max Time in seconds to debug the program
The directory to save crashes and repro files too.

In this example lets say you want to test the string literal search functionality of findstr.exe. The command line to this this is "findstr.exe /C:string filename". You have created a file named:\Files\TemplateFile.txt that you want to use as the file. If the debuggerWrapper detects a problem you want the files saved to c:\repro. To Run this scenario you would use the following command line.

DebuggerWrapper.cmd %systemdir%\system32\findstr.exe "/C:string C:\Files\TemplateFile.txt" C:\File\TempalteFile.txt 5 C:\repro

New Post: Arguments to debugWrapper script

heykart — Mon, 21 Nov 2011 22:07:02 GMT

Hi, I think the debugWrapper script is going to be useful to me. Would anyone be able to explain these two parameters to the script?

@REM ^%~2 = command line arguments including tempate name if needed. I.E. "/C:search" TemplateFile.txt
@REM ^%~3 = Temple file to process.

What is a template file supposed to be, and which parameter number should it be? Which parameter number should the input file, that causes an application crash, be? I'm a bit confusion by the repetition of "template" in parameters 2 and 3.

Thanks for the help!

New Post: Some documentation on the tool

tosanjay — Tue, 21 Dec 2010 15:46:25 GMT

Hi,

In the introduction to the tool, it is mentioned that more details are provided in the following .pptx file, but I could not get any file. I am looking for details on how this tools classifies the vulnerability as highly/less exploitable i.e. what are the parameters that are considered. Pointer to any articles or blog entries are appreciated.

thanks & regards

-sanjay

New Post: Can't build 64bit msec.dll under .NET 4

puckaby — Wed, 17 Nov 2010 07:53:53 GMT

I get this error when trying to load MSECDbgExts64 in Visual C++ 2008 express :

The project consists entirely of configurations that require support for platforms which are not installed on this machine.

I think it has something to do with the latest version of the windbg SDK for win 7 and .NET framework 4. Any thoughts? Has anyone tried this and have it work?

I was able to build MSECDbgExts32 but that dll isn't compatible with the 64bit version of the debugger I installed on my OS (win 7 home premium).

Thanks!

EDIT: Never mind, I saw the readme caveat that that express edition of C++ won't work for the 64bit.

New Post: Major/Minor hash

thebogman87 — Tue, 13 Jul 2010 14:15:07 GMT

I'm a little confused about this major and minor hash. Why does it look like a memory address? What exactly is being hashed? And what's the difference between major and minor?

New Post: How to compile windbg extension code for windows device driver using DDK.

rajdesire — Wed, 03 Mar 2010 12:48:31 GMT

Hi All,

I am facing problem, while I am writting and compiling code for windbg. I am new to windbg extension code writting.

I need to know basic steps to compile code using DDK.

If anyone have some good example of it, pl. share with me. My id is callforkumar@yahoo.com.

Regards,

Raj

New Post: Installing/Running/Using - How?

DaveWeinstein — Mon, 20 Jul 2009 17:40:07 GMT

Hi tsp,

You issue that command from inside WinDbg.

In answer to your other question, the only tool you need to use !exploitable is the Windows Debugger (WinDbg or the command line equivalents).

--Dave

New Post: Installing/Running/Using - How?

tsp — Fri, 17 Jul 2009 17:50:09 GMT

Hi Dave,

I went through readme and it says to use !load winext\MSEC.dll to load !exploitable to windbg. I have no clue from where I should initiate this command. Readme appears to be very high level document to me. Can you explain how to load this dll to windbg? Also, Can I use Vista to load w2k3 symbols to read crash dump on Windows 2003? Do we require VC2008 ++ to use !exploitable?

TIA

New Post: Is /GS violation really exploitable?

DaveWeinstein — Mon, 13 Jul 2009 23:31:10 GMT

Hi Jim,

The /GS stack protection is considered defense in depth. It is bad practice to depend on defense in depth mechanisms, because that removes the "in depth". Compile them in, turn them on, but don't allow their existence to be used as a rationale for leaving vulnerable code in place.

To use an analogy, the fact that I have airbags in my car does not mean I shouldn't worry about the fact that my brakes don't work.

In the case of a /GS violation, we know that there is an unconstrained (or improperly constrained) copy onto the stack. If the state of the art is such that an attacker is able to evade the version of /GS that the application was compiled against, then the attacker has the ability to get remote execution of code.

Regards,

--Dave

New Post: Installing/Running/Using - How?

DaveWeinstein — Mon, 13 Jul 2009 23:26:42 GMT

Hi Gunny,

The compiled debugger extensions are actually a DLL, which is loaded into the Windows Debugger (WinDbg). You can find instructions on how to use it in the readme file included in the package.

--Dave

New Post: Is /GS violation really exploitable?

jvonder — Fri, 10 Jul 2009 20:39:28 GMT

I fuzzed a network application, and !exploitable gave me this analysis of the crash dump:

Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.

My questions is: If this was detected by the /GS stack protection, then is it really exploitable? Isn't GS doing its job, and preventing this from being exploitable?

Thanks!

Jim

New Post: Installing/Running/Using - How?

tahilg — Wed, 24 Jun 2009 01:59:55 GMT

I have downloaded the MSEC Debugger Extensins 1.0.6 package, but it contains no executables (.exe) files in it.

How do I install or run or use it?

Regards,

Gunny

New Post: Command options for !exploitable

jasoshi — Fri, 19 Jun 2009 18:25:46 GMT

Sumit,

Sorry for the long delay, I've got a batch file for you though, just take the below, throw it in notepad, and then save it as a .bat. Let us know if you have any questions.

Cheers,

Jason

Code begins==>

@echo off
setlocal ENABLEEXTENSIONS
@REM get local Path of script
for /F %%I in ("%0") do set localDir=%%~dpI

@REM Check for MSEC.dll in current directory, and in script directory
if not exist .\msec.dll (
	if not exist %localDir%\msec.dll (
		echo.
		echo MSEC.dll not in current directory, please copy MSEC.dll locally and 
		echo rerun classify.bat.
		echo.
		goto error
	) else (
		set msecPath=%localdir%\msec.dll
	)
) else (
	set msecPath=.\msec.dll
)

@REM Check that cdb.exe is in the path or local directory
WHERE /Q cdb.exe
IF  ERRORLEVEL 1 (
    echo.
    echo cdb.exe was not found in the local directory or path
    echo.
    goto error
  )

@REM Validate First Parameter 
if /i "%~1" EQU "" goto Usage
if /i "%~1" EQU "/?" goto Usage
if /i "%~1" EQU "-?" goto Usage
if /i "%~1" EQU "/help" goto Usage
if /i "%~1" EQU "-help" goto Usage
if not exit "%~1" (
	echo.
    echo "%~1" could not be found.
    echo.
    goto error
)

@REM Validate second Parameter
if /i "%~2" EQU "" goto Usage
if exist "%~2" (
  dir /a:d "%~2" > nul
  IF  ERRORLEVEL 1 (
    echo.
    echo "%~2" is a file, the second paremeter should be a directory
    echo.
    goto error
  )
)

@REM ERROR Checking Is Over
set Hash=
set Type=
set Exploitability=
set tempLog=.\ExploitableLog-%random%.Log

cdb -z "%~1" -a%msecPath% -c ".symfix+; .reload; .logopen \"%tempLog%\";!exploitable -m;.logclose;q"

for /f "tokens=1* delims=:" %%a in (%tempLog%) do (
	for /f "tokens=1*" %%c in ("%%b") do (
	   if /i "%%a" EQU "MAJOR_HASH" set MajorHash=%%c
	   if /i "%%a" EQU "MINOR_HASH" set MinorHash=%%c
	   if /i "%%a" EQU "SHORT_DESCRIPTION" set Type=%%c
	   if /i "%%a" EQU "CLASSIFICATION" set Exploitability=%%c
	)
)

set ResultDir=%~2\%CrashDir%\%Exploitability%\%type%\%MajorHash%\%MinorHash%
md "%ResultDir%"
copy /b /y "%~1" "%ResultDir%"
copy /b /y %tempLog% "%ResultDir%"
del /q %tempLog%
goto end

:usage
Echo classify.bat ^ ^
echo.
echo Classify.bat will place the specified dump and log into a directory structure as follows:
echo.
echo ^\^\^\^
echo.
echo Examples:
echo ^\EXPLOITABLE\WriteAV\0x6e05193a\0x7505193a
echo ^\PROBABLY_EXPLOITABLE\TaintedDataControlsCodeFlow\0x6e05193a\0x7505193a
echo ^\UNKNOWN\PossibleStackCorruption\0x6e05193a\0x7505193a
echo.
echo Classify.bat requires MSEC.dll to be in the current directory and cdb to be 
echo in the path.
echo.
echo To easily run classify.bat against a set of dumps try the following command:
echo.
echo for /R . ^%%a in (*.dmp) do classify.bat ^%%a C:\Crashes
echo.
goto error
:error
exit /b 1
:end
exit /b 0

New Post: Command options for !exploitable

sumitkchawla — Wed, 13 May 2009 10:33:11 GMT

Can you please provide some more information about command usage of this extension? I have more than 100 crash dump files to analyze. Can you tell me the Command line options to analyze all the 100 dump files using a single command / batch file

Thanks

Sumit

New Post: Welcome

jasoshi — Tue, 24 Mar 2009 17:47:10 GMT

Welcome to the MSEC Debugger Extensions CodePlex project, including !exploitable Crash Analyzer.

Please use the discussion area to report bugs, and post noteworthy comments about tool improvements and recommendations.