msecdbg Releases Rss Feed

Updated Release: !exploitable 1.6 (May 01, 2013)

AndyRenk — Thu, 02 May 2013 00:17:27 GMT

1.6.0 Updates:

ARM Dump Support Added
Changed default hashing algorithm to SHA256
Added Support to chose the hashing algorithm used (for backwards compatibility)
Added support for custom exclude hash list
Updated -v output to show which frames are used to determine the major and minor hash
Added version number logging
Added line number and source file reporting
Added checking for exception handler chain corruption as an Exploitable case
Added Stack Exhaustion as a Probably Not Exploitable case
Added more AppVerifier symbols to the excluded symbols list
Added checking for kernel mode code running in user land as an Exploitable case
Moved "Read AV Near Null" to terminal rule status
Added "App Verifier Stop Detected"
Moved "Read AV Near Null" to Probably Not Exploitable
Moved "Write AV Near Null" to Unknown
Added the XLAT command for x86 and x64
Correctly pull the TEB32 for WOW process on 64 bit Windows
Translate stack exhaustion cases that manifest as Write AVs into stack exhaustion
Changed the naming of Stack Overflow to Stack Exhaustion
Fixed a bug in the logic determining if code is in user or kernel space

Released: !exploitable 1.6 (May 01, 2013)

Thu, 02 May 2013 00:17:27 GMT

Updated Release: !exploitable 1.6 (May 01, 2013)

AndyRenk — Thu, 02 May 2013 00:11:40 GMT

Updated Release: Automation Scripts (May 01, 2013)

AndyRenk — Thu, 02 May 2013 00:11:06 GMT

Classify - A batch file used to sport crash dumps based on !exploitable output.
DebugWrapper - A batch file used to debug an application. If a crash occurs it is evaluated by !exploitable and a crash dump is saved and sorted.

Released: Automation Scripts (May 01, 2013)

Thu, 02 May 2013 00:11:06 GMT

Updated Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

AndyRenk — Thu, 13 Dec 2012 02:41:16 GMT

New MSECExtensions bits, changelog below:

1.0.1 Updates:

A bug that resulted in overtainting H or L registers has been fixed.
Initial External Release: March, 2009

1.0.2 Updates:

When loading user mode mini-dumps, the Gather rule now correctly sets the stack context.

1.0.3 Updates:

New state and gather functionality and analyze rules to identify exceptions where the faulting address is on the stack.
Hashes are fixed at 32 bit display (8 hex characters) and code locations are fixed at 64 bit display (16 hex characters).
Added support for the REP SCAS instruction in the disassembler
Fixed a serious bug in the wildcard match function, which would result in anything that matched up to the first wildcard matching the entire string
Fixed a bug in which the destination pointer registers were not being set to the tainted value set for Write AVs that required taint analysis
Fixed bugs in the distinction between source and data registers for taint tracking in some rep instructions

1.0.4 Updates:

Fixed a reporting and analysis bug, in which we change the faulting instruction as well as the invoking function when we skip excluded stack frames

1.0.5 Updates:

Updates to the excluded symbols list
Handle POP instructions that pop to memory
Handle PUSH instructions that push to memory
Treat POP instructions to memory the same as MOV instructions to memory

1.0.6 Updates:

External Release: June, 2009

Released: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

Thu, 13 Dec 2012 02:41:16 GMT

Updated Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Fri, 13 Aug 2010 00:30:11 GMT

Released: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

Fri, 13 Aug 2010 00:30:11 GMT

Updated Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Wed, 17 Jun 2009 19:11:35 GMT

Released: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

Wed, 17 Jun 2009 19:11:35 GMT

Created Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Wed, 17 Jun 2009 19:11:14 GMT

Updated Release: MSEC.dll BETA v1.0.1.0 Source and Bins x86 x64 (Mar 20, 2009)

jasoshi — Fri, 20 Mar 2009 08:00:18 GMT

Requirements:

Windows Debugger (windbg.exe)

Installation Instructions :

Copy the correct version (x86 or x64) to your Windows Debugger winext sub-directory

Usage Instructions:

You may need to explicitly load the MSEC DLL. If you installed it to the winext sub-directory, you can load
it with !load winext\msec.dll

{preserving formatting

!exploitable
Gives an analysis, including a proposed bug title

!exploitable -v
Gives a verbose analysis

!exploitable -m
Gives the same output as -v, but formatted for easy machine parsing

!exploitable -jit:address
Use the JIT Exception Record to determine the exception

!ror [-n <Rotation Count> [-c] <Value>
Get the API name for hash value <Value> using rotation count <Rotation Count>. Use -c to do a reverse lookup from an API name to a hash value. Run !ror without options for examples.

!xoru -b <addr> <length> <key>
Do the Xor transformation on the buffer from address <addr> to address <addr> + <length> using the key <key> and disassemble the buffer. Use -b to leave the transformed buffer in memory. Run !xoru without options for examples. You can do other types of transformation using xora, xorui, xorua, suba, subu, adda, addu, rola, or rolu.}

End of format preservation}

Known Issues:

!exploitable

The instruction set is known to be incomplete.

KERNELMODEEXCEPTIONNOTHANDLED / KERNELMODEEXCEPTIONNOTHANDLED_M does not currently differentiate between read and write access violations.

Released: MSEC.dll BETA v1.0.1.0 Source and Bins x86 x64 (Mar 20, 2009)

Fri, 20 Mar 2009 08:00:18 GMT

Requirements:

Windows Debugger (windbg.exe)

Installation Instructions :

Copy the correct version (x86 or x64) to your Windows Debugger winext sub-directory