Full Report
Microsoft released !exploitable at CanSecWest this year. The debugger extension and the accompanying slide deck can be found [here]. I have not looked at it, but a glance at the slides implies that they aim to solve the problem of "too many dumps – not enough time". It's pretty cool, and that Microsoft is releasing this is even cooler.
Analysis Summary
# Tool/Technique: !exploitable
## Overview
`!exploitable` is a debugger extension released by Microsoft at CanSecWest. Its apparent purpose is to make triage of large numbers of crash dumps efficient, most likely by quickly rating whether a given crash is likely to be exploitable.
## Technical Details
- Type: Tool
- Platform: Windows (Debugger extension, implies use with Windows debugging tools like WinDbg)
- Capabilities: Aims to automate or significantly speed up the triage and analysis of crash dumps to determine exploitability.
- First Seen: Released around March 2009 (based on the article publication date).
## MITRE ATT&CK Mapping
*Note: Since this tool is focused on vulnerability analysis and post-mortem triage rather than active exploitation, direct definitive mappings are difficult without reviewing the tool's functionality in detail. The tool itself is defensive/analytical in nature, intended for security professionals.*
- **TA0004 - Privilege Escalation** (if used by an attacker to analyze crashes for potential vulnerabilities leading to privilege escalation)
  - T1055 - Process Injection (if the analysis identifies a weakness related to injection)
- **TA0003 - Persistence** (if used to analyze crashes for flaws affecting persistent functionality)
  - T1548 - Abuse Elevation Control Mechanism (if the tool flags a way to bypass these)
## Functionality
### Core Capabilities
- Analyzing memory dump files generated from crashes.
- Providing a rapid assessment of whether a specific crash state is likely due to an exploitable vulnerability (e.g., buffer overflows, use-after-free conditions).
### Advanced Features
- The stated goal ("too many dumps – not enough time") implies functionality beyond basic crash inspection: reducing the manual time analysts spend triaging large volumes of crash reports.
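To make the triage idea concrete, here is an added example of a simplified exploitability-rating heuristic of the kind such a tool applies to each crash. It is not Microsoft's code or the actual rules of `!exploitable`; the `CrashRecord` schema, the rating thresholds and the sample crash records are assumptions constructed for illustration (the NTSTATUS codes are real Windows values).

```python
# Added example: a simplified crash-triage heuristic in the spirit of
# !exploitable. It is NOT Microsoft's code or algorithm; the rules, the
# CrashRecord fields and the sample records below are assumptions.
from dataclasses import dataclass
from enum import Enum


class Rating(str, Enum):
    EXPLOITABLE = "EXPLOITABLE"
    PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
    PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"
    UNKNOWN = "UNKNOWN"


# Windows NTSTATUS codes (real values).
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409    # /GS security-cookie failure
STATUS_HEAP_CORRUPTION = 0xC0000374
STATUS_INTEGER_DIVIDE_BY_ZERO = 0xC0000094

NEAR_NULL_LIMIT = 0x10000  # first 64 KiB is never mapped: a plain NULL dereference


@dataclass
class CrashRecord:
    """Minimal facts an analyst would pull from a dump (assumed schema)."""
    dump_id: str
    exception_code: int
    access: str                # "read", "write", "execute", or "" if not an AV
    fault_address: int
    ip_in_mapped_module: bool  # False => instruction pointer left code sections


def triage(rec: CrashRecord) -> Rating:
    """Map one crash record to a coarse exploitability rating."""
    if rec.exception_code in (STATUS_STACK_BUFFER_OVERRUN, STATUS_HEAP_CORRUPTION):
        # A runtime memory-safety check already detected corrupted control data.
        return Rating.EXPLOITABLE
    if rec.exception_code == STATUS_INTEGER_DIVIDE_BY_ZERO:
        return Rating.PROBABLY_NOT_EXPLOITABLE
    if rec.exception_code != STATUS_ACCESS_VIOLATION:
        return Rating.UNKNOWN

    near_null = rec.fault_address < NEAR_NULL_LIMIT
    if rec.access == "execute" or not rec.ip_in_mapped_module:
        # Control flow has already been diverted into non-code memory.
        return Rating.EXPLOITABLE
    if rec.access == "write":
        # Write through a wild pointer; a near-NULL one may still be offset-controlled.
        return Rating.PROBABLY_EXPLOITABLE if near_null else Rating.EXPLOITABLE
    if rec.access == "read":
        # Near-NULL reads are usually plain bugs; far reads suggest a wild pointer.
        return Rating.PROBABLY_NOT_EXPLOITABLE if near_null else Rating.PROBABLY_EXPLOITABLE
    return Rating.UNKNOWN


PRIORITY = {
    Rating.EXPLOITABLE: 0,
    Rating.PROBABLY_EXPLOITABLE: 1,
    Rating.UNKNOWN: 2,
    Rating.PROBABLY_NOT_EXPLOITABLE: 3,
}


def prioritize(records):
    """Return (dump_id, rating) pairs, most urgent first; stable within a rating."""
    rated = [(r.dump_id, triage(r)) for r in records]
    return sorted(rated, key=lambda pair: PRIORITY[pair[1]])


# Constructed sample records; the ids and addresses are made up.
SAMPLE_CRASHES = [
    CrashRecord("dump-001", STATUS_ACCESS_VIOLATION, "read", 0x00000010, True),
    CrashRecord("dump-002", STATUS_ACCESS_VIOLATION, "write", 0x41414141, True),
    CrashRecord("dump-003", STATUS_ACCESS_VIOLATION, "execute", 0x41414141, False),
    CrashRecord("dump-004", STATUS_STACK_BUFFER_OVERRUN, "", 0, True),
    CrashRecord("dump-005", STATUS_INTEGER_DIVIDE_BY_ZERO, "", 0, True),
    CrashRecord("dump-006", STATUS_ACCESS_VIOLATION, "read", 0x7FFE1234, True),
]

if __name__ == "__main__":
    for dump_id, rating in prioritize(SAMPLE_CRASHES):
        print(f"{dump_id}: {rating.value}")
```

The point of the example is the workflow rather than the specific thresholds: every crash gets a coarse rating from a few facts available in any dump, and `prioritize` turns a pile of dumps into an ordered worklist so an analyst spends time on the likely-exploitable ones first. A real triage engine refines these rules with disassembly of the faulting instruction and register state; this heuristic is deliberately minimal.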
## Indicators of Compromise
- File Hashes: N/A (Tool)
- File Names: not given here; `!exploitable` is the command the extension adds to the debugger, not a file name.
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A (Tool is used offline for analysis)
## Associated Threat Actors
- This tool is a legitimate utility released by Microsoft aimed at security professionals and defenders.
## Detection Methods
- N/A (A defensive tool used during analysis, not an offensive artifact.)
## Mitigation Strategies
- N/A (Tool is used for detection/analysis efforts.)
## Related Tools/Techniques
- WinDbg extensions used for crash dump analysis.
- Tools designed for automated vulnerability triage and vulnerability research.