!Exploitable crash analyzer version 1.6

On Wednesday May 1st, !Exploitable crash analyzer version 1.6 became available.  Source code and binaries can be found at https://msecdbg.codeplex.com/.

For those who may be unfamiliar with the tool, !Exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. Its primary use is in evaluating crashes found by fuzzing.

The first new feature involves changes to the stack hashing portion of !Exploitable. !Exploitable provides two hashes of the stack at the point of the crash. One important part of creating the hashes is determining if a specific frame of the stack should, or should not be included in the hash calculation. By default !Exploitable uses a set of patterns to filter out stack frames which are used in processing exceptions, providing clr functionality,  or are OS resource functions. !Exploitable 1.6 allows this list to be extended via a configuration file. This allows teams to filter out parts of the stack they specifically do not care about, resulting in hashes that are more relevant to them.

The second new feature is support for processing crash dump files from Windows RT.  This means !Exploitable has a working knowledge of ARM assembly and can translate the ARM instructions into its meta assembly, allow for the current rules to be applied.

To learn more about !Exploitable please visit https://msecdbg.codeplex.com/. Questions and comments can be left in the discussions section https://msecdbg.codeplex.com/discussions.

Andy Renk

Microsoft Security Engineering Center

About the Author
SDL Team

Trustworthy Computing, Microsoft