Detect, analyze and uniquely identify crashes in Windows applications

BugId

Detect, analyze and uniquely identify application bugs.

TL;DR

Do you...

  • want to know what kind of bug is causing an application to crash?
  • want to know if a bug might be security vulnerability?
  • want to find out if two or more crashes are caused by the same bug?
  • want a human readable report with an analysis of a bug?

...then BugId may be for you!

Quick setup

To use BugId, please download and install the following software:

  • Python
  • Debugging Tools for Windows

If you install Python and Debugging Tools for Windows with their default settings, BugId should be able to run without adjusting any settings. You can unzip BugId anywhere you want on your local file system.

Before you start BugId, you should enable full page heap in the target application. This can be done per binary by setting certain Global Flags. The easiest way to do this is to use the pageheap.cmd script that comes with BugId. For instance, to enable full page heap for notepad, run the following command:

C:\BugId>pageheap notepad.exe ON

(Note that this command must be run from an elevated command-prompt with administrative access to the machine).

To make things even easier, pageheap.cmd has a list of known applications. You can enable or disable full page heap for any one of them by providing its name, e.g. pageheap msie ON enables full page heap for Microsoft Internet Explorer. Use pageheap /? to get more information about command-line arguments.

At this point, you may want to test if BugId is working correctly. We can do this by running an application in BugId and crashing it to see if BugId reports the bug correctly. A good application to use for this test is rundll32.exe which is found on all Windows installations in the system32 sub-folder of the Windows folder (%WinDir%). It can be used to load any dll found on the local file system and call an exported function in this dll with a certain call format. There are many dlls in the system32 folder that export functions. Most of these exported functions expect arguments in a completely different format than what rundll32 will provide, causing the application to crash.

First we must turn on full page heap in rundll32 with the following command:

C:\BugId>pageheap rundll32.exe ON

Next we will start BugId and tell it to start rundll32 with arguments that instruct it to load advapi32.dll and call CloseThreadWaitChainSession. At the time of this writing that causes a so-called NULL pointer access violation, which BugId should detect and report.

C:\BugId>BugId.cmd %WinDir%\system32\rundll32.exe -- advapi32 CloseThreadWaitChainSession

Notice there is a -- between rundll32.exe and the arguments passed to it. This is because you may want to provide arguments to both BugId itself and the application you want to test. These two sets of arguments should be separated by -- on the command-line. Everything before -- is handled by BugId and everything after is ignored by BugId but passed to the application.

If all is well, the output of BugId will look like this:

* Command line: C:\WINDOWS\system32\rundll32.exe advapi32 CloseThreadWaitChainSession
+ Main process 8024/0x1F58 (rundll32.exe): Attached; command line = C:\WINDOWS\system32\rundll32.exe advapi32 CloseThreadWaitChainSession.
,-- A bug was detect in the application ----------------------------------------
| Id @ Location:    AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry
| Description:      Access violation while reading memory at 0x0 using a NULL pointer.
| Security impact:  Denial of Service
| Version:          rundll32.exe 10.0.16299.15 (x64)
|                   advapi32.DLL 10.0.16299.15 (x64)
| Bug report:       AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry.html (60703 bytes)
'-------------------------------------------------------------------------------

The first line tells you the command line BugId is going to start. The second line tells you that this caused a new process to be created with process id 8024, running rundll32.exe, and shows the command line for this process (which is of course the same as in the first line). Soon after starting the application, a bug was detected. BugId generated a unique id (AVR@NULL a1f.904) for this bug and reported that its location is in the WctRemoveEntry function of the advapi32.dll dll loaded by rundll32.exe. Since NULL pointer crashes are normally not exploitable other than to crash the application, the bug's security impact is Denial of Service. BugId by default generates an HTML formatted report for every bug it finds and tells you the location where this report was stored. As you can see, the file name of the report is based on the bug id and location.

Every bug id generated by BugId consists of two parts separated by a space. The first part describes the type of bug. In the above example, AVR@NULL means Access Violation Reading memory at address NULL. The second part describes the location of the bug; it consists of two short hashes separated by a dot. These hashes are calculated from the top functions on the stack that are considered relevant to the bug. In the example, a1f.904 consists of a1f (calculated from advapi32.dll!WctRemoveEntry) and 904 (calculated from advapi32.dll!CloseThreadWaitChainSession).

If you run that same command again, BugId will report the exact same bug id, as this should cause the exact same bug in the exact same code.

Congratulations! You are now ready to test your own crashes with BugId, but you may want to run BugId.cmd --help at some point to get information about the many different command-line options BugId supports.

Notes

BugId has been developed for and tested on a large number of applications during fuzzing to analyze hundreds of thousands of crashes caused by hundreds of different bugs. In this role it has proven to be extremely accurate in analyzing bugs with a very low false positive and negative rate; both are less than 1%.

Of course not all types of bugs are easy to detect and analyze. Some bugs cannot currently be detected reliably at the time they happen but cause a crash much later on in completely unrelated code, leading to a completely incorrect analysis. In such cases, repeatedly reproducing the same bug will lead to a number of different bug ids as the application crashes in different ways at different times. To make sure this is not the case, you are advised to run your test case in BugId a number of times to see if the bug id stays the same.
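A small triage helper, added here as an example and not part of BugId itself, that parses the bug id format described above (the type, then the dot-separated location hashes) out of BugId's console output and applies the advice in this note: run the same test case several times and check whether the id stays the same. The sample output is constructed from the page's rundll32 example plus a made-up second run with a different location.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the "Id @ Location:" line of BugId's console output, e.g.
# | Id @ Location:    AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry
ID_LINE_RE = re.compile(
    r"Id @ Location:\s+(?P<type>\S+) (?P<hashes>[0-9a-f]+(?:\.[0-9a-f]+)+) @ (?P<where>\S+)"
)

@dataclass(frozen=True)
class BugId:
    bug_type: str   # first part, e.g. "AVR@NULL": Access Violation Reading at NULL
    hashes: tuple   # second part split on ".", e.g. ("a1f", "904"), one per relevant frame
    location: str   # e.g. "rundll32.exe!advapi32.dll!WctRemoveEntry"

    @property
    def id(self) -> str:
        return f"{self.bug_type} {'.'.join(self.hashes)}"

def parse_bug_id(run_output: str):
    """Return the BugId reported in one run's console output, or None if no bug line is present."""
    m = ID_LINE_RE.search(run_output)
    if m is None:
        return None
    return BugId(m.group("type"), tuple(m.group("hashes").split(".")), m.group("where"))

def assess_stability(run_outputs):
    """Count the bug ids seen over repeated runs of one test case.

    One id across all runs is what a reliably detected bug looks like; several ids
    point at a bug that corrupts state and only crashes later, in unrelated code,
    so its analysis and id should not be trusted without further review."""
    counts = Counter(b.id if b else "(no bug reported)" for b in map(parse_bug_id, run_outputs))
    return {"stable": len(counts) == 1 and "(no bug reported)" not in counts, "ids": counts}

# Constructed sample output: the first run is the page's rundll32 example, the second is
# a made-up run with a different location hash and frame to illustrate an unstable id.
STABLE_RUN = """\
* Command line: C:\\WINDOWS\\system32\\rundll32.exe advapi32 CloseThreadWaitChainSession
,-- A bug was detect in the application ----------------------------------------
| Id @ Location:    AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry
| Security impact:  Denial of Service
'-------------------------------------------------------------------------------"""
UNSTABLE_RUN = STABLE_RUN.replace("a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry",
                                  "0b2.c3d @ rundll32.exe!ntdll.dll!ExampleFrame")

if __name__ == "__main__":
    print(parse_bug_id(STABLE_RUN))
    print(assess_stability([STABLE_RUN, STABLE_RUN, STABLE_RUN]))
    print(assess_stability([STABLE_RUN, UNSTABLE_RUN]))
```

In practice you would feed `assess_stability` the captured stdout of several BugId.cmd invocations of the same test case.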

Other bugs cause crashes that look like they are caused by a different type of bug. This can result in incorrect analysis and bug ids. Most notably, bugs that are the result of bad casts in C/C++ code are currently impossible for BugId to detect and report. They can result in various different types of crashes; most commonly access violations when values stored in properties of an object are incorrectly used as pointers. If you suspect a bad cast might be the cause of a crash, you should double check the analysis done by BugId to make sure it is correct.

BugId is highly dependent on full page heap being used by the application in order to detect and analyze a large number of heap related bugs. This means that it will be much less effective at detecting and analyzing bugs in applications that use their own internal heap manager which does not rely on the standard Windows heap.

License

BugId has a free 30-day trial period for commercial and non-commercial use. During this trial period this work is licensed under a [Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/).

After the trial period, a paid license must be acquired at license.skylined.nl if you want to continue to use BugId.

Non-Commercial licenses are available for a very small fee; just enough to pay for my expenses. Commercial licenses for individual security researchers are available at a huge discount too.

If you have any questions about licensing, or want to discuss a bulk-discount, please contact [email protected].

BugId has a trial period to allow you to assess its usefulness. If you want to continue to use BugId after the trial period has ended, I ask that you contribute a small fee to pay for my work on BugId and handling of the license request. If you are using BugId commercially, I ask that you pay a regular license fee to share some of the profit you are making off of your use of BugId.
