
ERC.Net – A Toolset for Analyzing Windows Application Crashes

Coalfire Cybersecurity Team

October 3, 2019

This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free.

Introduction

ERC.Net is a collection of tools designed to assist in analyzing and debugging Windows application crashes in order to identify potential security vulnerabilities. Supporting both 64- and 32-bit applications, ERC.Net has many use cases, including parsing Windows file headers, identifying compile-time protections such as ASLR, DEP and SafeSEH, generating non-repeating patterns and platform-specific egg hunters, collecting process information such as loaded modules and running threads, reading the TEB of a specific thread, and assisting in the identification of numerous types of memory vulnerabilities.

The purpose of ERC is to provide the tools to enable programmatic analysis of application crashes and to assist security professionals in identifying exploitable application crashes.

Installation

The source code for the library can be downloaded from the GitHub repo or installed directly from the NuGet package (x86/x64).

If you choose to build from source, simply open the project in Visual Studio and set the appropriate target platform for your system.

Features

A brief overview of the features is discussed below, with example usage provided in the following section. For full documentation, go here.

  • ERC.Net can be utilized to analyze crashes from both 32 and 64 bit programs.
  • Gather a list of all modules associated with a process and associated information about the module.
  • Gather a list of all threads associated with a process and associated information about the thread.
  • Generate nonrepeating patterns.
  • Identify nonrepeating patterns in memory.
  • View file headers.
  • Identify if DEP is enabled.
  • Identify if ASLR is enabled.
  • Identify if a DLL can be rebased.
  • Identify if SafeSEH is enabled.
  • Generate a platform specific egg hunter with a custom tag.
  • Read the TEB.
  • View a thread’s SEH chain.
  • View processor context.
  • Assemble instructions into opcodes.
  • Disassemble opcodes into instructions.
  • Generate a customizable array of bytes and compare it to a section of memory.

Example Usage

Below is a collection of code snippets which can be utilized for carrying out common tasks. Not all the functionality of the library is detailed here, consult the documentation for a more detailed overview.

Creating a Non-Repeating Pattern

A non-repeating pattern can be created either through the PatternTools class or through the DisplayOutput class. If done through PatternTools, a string is returned. If done through DisplayOutput, a string is also returned, but the pattern is additionally output to the screen and written to a new file created in the directory given by the ErcCore WorkingDirectory value.

Identifying the Location of a String in the Non-Repeating Pattern

Searching for the position of a string within the non-repeating pattern can also be done using the PatternTools class.
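To make the two pattern sections above concrete, here is an added example (not ERC.Net's own code) that implements the classic cyclic pattern of upper/lower/digit triplets and maps a value captured from a crashing register back to its offset in the buffer that was sent. The crash value used in the demo is constructed; the functions and names are this example's own, not the library's API.

```python
"""Cyclic (non-repeating) pattern creation and offset lookup.

Added example, not ERC.Net's code: it implements the classic
Metasploit-style pattern (upper/lower/digit triplets) that tools such
as ERC.Net's PatternTools produce, and maps a value captured from a
crashing register back to its offset in the original input buffer.
"""
import itertools
import string
from typing import Optional, Union

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before repeating


def pattern_create(length: int) -> str:
    """Return the first `length` characters of Aa0Aa1Aa2...Zz9."""
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError(f"length must be in 1..{MAX_UNIQUE}")
    buf = ""
    for up, lo, dg in itertools.product(UPPER, LOWER, DIGITS):
        buf += up + lo + dg
        if len(buf) >= length:
            return buf[:length]
    return buf  # not reached: product yields exactly MAX_UNIQUE chars


def pattern_offset(needle: Union[str, bytes, int],
                   pattern: Optional[str] = None) -> Optional[int]:
    """Offset of `needle` in the pattern, or None if it is absent.

    `needle` may be a str, raw bytes, or an int as read from a crash
    register. An int is decoded little-endian (4 bytes, or 8 if it does
    not fit in 32 bits), because that is the byte order in which x86/x64
    stores the buffer contents that end up in the register.
    """
    pat = pattern if pattern is not None else pattern_create(MAX_UNIQUE)
    if isinstance(needle, int):
        width = 4 if needle <= 0xFFFFFFFF else 8
        needle = needle.to_bytes(width, "little")
    if isinstance(needle, bytes):
        needle = needle.decode("ascii", errors="replace")
    idx = pat.find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    # Constructed crash: EIP read as 0x41316141 after sending a 20-byte pattern.
    print(pattern_create(20))          # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset(0x41316141))  # 3 -> bytes 3..6 ("Aa1A") reached EIP
```

A lookup that returns None usually means the register holds a partial overwrite or a value not taken from the pattern, which is itself useful triage information.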

List all Usable Processes

Listing all processes will automatically remove unusable processes, such as those that are simply placeholders for kernel processes on the local host.

Display Process Module Info

Listing information about all modules loaded by a specific process can be done using the DisplayOutput module. This will also output the information to a text document in the path specified in the ErcCore working directory variable. Further information can be gathered about specific modules through querying the associated ModuleInfo object.

Search Process Memory for a Byte Array or String

It is possible to search the memory of a process for a byte array or a string (ASCII, Unicode, UTF-8, UTF-7 or UTF-32). An array of pointers to the matches is returned; if none are found, null is returned.

Assemble Instructions into Opcodes

Both 32-bit and 64-bit instructions can be assembled into opcodes. This can be used in conjunction with the process memory search methods in order to find things like jumps to specific registers and other useful instruction sequences.

Disassemble Opcodes into Instructions

It is possible to disassemble both 32-bit and 64-bit opcodes into the corresponding instructions.

ERC.Net is intended to aid security professionals in the identification of new vulnerabilities in applications running on the Windows operating system, potentially to be used alongside a fuzzer. Hopefully you will find this library useful and you will find all the vulnerabilities!