{"id":13537888,"url":"https://github.com/skylined/bugid","last_synced_at":"2025-04-02T04:32:01.939Z","repository":{"id":36749134,"uuid":"41055757","full_name":"SkyLined/BugId","owner":"SkyLined","description":"Detect, analyze and uniquely identify crashes in Windows applications","archived":false,"fork":false,"pushed_at":"2025-02-20T09:10:58.000Z","size":4916,"stargazers_count":501,"open_issues_count":11,"forks_count":90,"subscribers_count":31,"default_branch":"main","last_synced_at":"2025-02-20T10:23:58.058Z","etag":null,"topics":["analysis","bug","bug-analysis","crash","crash-analysis","crash-reporting","debugger","debugging","debugging-tool","id","python","report","security","unique-id","vulnerabilities","vulnerability","vulnerability-analysis","vulnerability-assessment","vulnerability-detection","windows"],"latest_commit_sha":null,"homepage":"https://bugid.skylined.nl","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SkyLined.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-08-19T19:36:55.000Z","updated_at":"2025-02-20T09:11:03.000Z","dependencies_parsed_at":"2024-01-07T20:48:20.542Z","dependency_job_id":"82ac2d5c-7c5d-45e7-a2a6-df12aa10e275","html_url":"https://github.com/SkyLined/BugId","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkyLined%2FBugId","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkyLined%2FBugId/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkyLined%2FBugId/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkyLined%2FBugId/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SkyLined","download_url":"https://codeload.github.com/SkyLined/BugId/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246757525,"owners_count":20828914,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","bug","bug-analysis","crash","crash-analysis","crash-reporting","debugger","debugging","debugging-tool","id","python","report","security","unique-id","vulnerabilities","vulnerability","vulnerability-analysis","vulnerability-assessment","vulnerability-detection","windows"],"created_at":"2024-08-01T09:01:04.615Z","updated_at":"2025-04-02T04:31:57.494Z","avatar_url":"https://github.com/SkyLined.png","language":"Python","readme":"BugId\n=====\n\nDetect, analyze and uniquely identify application bugs.\n\nTL;DR\n-----\nDo you...\n* want to know what kind of bug is causing an application to crash?\n* want to know if a bug might be security vulnerability?\n* want to find out if two or more crashes are caused by the same bug?\n* want a human readable report with an analysis of a bug?\n\n...then BugId may be for you!\n\nQuick setup\n-----------\nTo use BugId, please download and install the following software:\n* Latest [Python 2.7.14](https://www.python.org/downloads/release/python-2715/)\n* Latest [Debugging Tools for Windows](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/)\n* Latest [BugId release](https://github.com/SkyLined/BugId/releases)\n\nIf you install Python and Debugging Tools for Windows with their default\nsettings, BugId should be able to run without adjusting any settings. You can\nunzip BugId anywhere you want on your local file system.\n\nBefore you start BugId, you should enable *full page heap* in the target application.\nThis can be done *per binary* by setting certain [Global Flags](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/global-flag-reference). The easiest way to do this is to use the\n`pageheap.cmd` script that comes with BugId. For instance, to enable full page heap\nfor notepad, run the following command:\n\n```\nC:\\BugId\u003epageheap notepad.exe ON\n```\n*(Note that this command must be run from an elevated command-prompt with\nadministrative access to the machine).*\n\nTo make things even easier, `pageheap.cmd` has a list of *known applications*. You\ncan enable or disable full page heap for any one of them by providing its name, e.g.\n`pageheap msie ON` enables full page heap for Microsoft Internet Explorer. Use\n`pageheap /?` to get more information about command-line arguments.\n\nAt this point, you may want to test if BugId is working correctly. We can do this by\nrunning an application in BugId and crashing it to see if BugId reports the bug\ncorrectly. A good application to use for this test is `rundll32.exe` which is found\non all Windows installations in the `system32` sub-folder of the Windows folder\n(`%WinDir%`). It can be used to load any dll found on the local file system and call\nan exported function in this dll with a certain call format. There are many dlls in\nthe `system32` folder that export functions. Most of these exported functions expect\narguments in a completely different format than what rundll32 will provide, causing\nthe application to crash.\n\nFirst we must turn on full page heap in rundll32 with the following command:\n\n```\nC:\\BugId\u003epageheap rundll32.exe ON\n```\nNext we will start BugId and tell it to start rundll32 with arguments that instruct it\nto load `advapi32.dll` and call `CloseThreadWaitChainSession`. At the time of this\nwriting that causes a so-called NULL pointer access violation, which BugId should\ndetect and report.\n\n```\nC:\\BugId\u003eBugId.cmd %WinDir%\\system32\\rundll32.exe -- advapi32 CloseThreadWaitChainSession\n```\nNotice there is a `--` between rundll32.exe and the arguments passed to it.\nThis is because you may want to provide arguments to both BugId itself and\nthe application you want to test. These two sets of arguments should be\nseparated by `--` on the command-line. Everything before `--` is handled by\nBugId and everything after is ignored by BugId but passed to the application.\n\nIf all is well, the output of BugId will look like this:\n\n```\n* Command line: C:\\WINDOWS\\system32\\rundll32.exe advapi32 CloseThreadWaitChainSession\n+ Main process 8024/0x1F58 (rundll32.exe): Attached; command line = C:\\WINDOWS\\system32\\rundll32.exe advapi32 CloseThreadWaitChainSession.\n,-- A bug was detect in the application ----------------------------------------\n| Id @ Location:    AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry\n| Description:      Access violation while reading memory at 0x0 using a NULL pointer.\n| Security impact:  Denial of Service\n| Version:          rundll32.exe 10.0.16299.15 (x64)\n|                   advapi32.DLL 10.0.16299.15 (x64)\n| Bug report:       AVR@NULL a1f.904 @ rundll32.exe!advapi32.dll!WctRemoveEntry.html (60703 bytes)\n'-------------------------------------------------------------------------------\n```\n\nThe first line tells you the command-line BugId is going to start. The second\nline tells you that this caused a new process to be created with *process id*\n8024, running `rundll32.exe` and the command line for this process (which is\nof course the same as in the first line). Soon after starting the application,\na bug was detected. BugId generated a unique id (`AVR@NULL a1f.904`) for this\nbug and reported its location is in the `WctRemoveEntry` function of the \n`advapi32.dll` dll loaded by `rundll32.exe`. Since NULL pointer crashes are\nnormally not exploitable other than to crash the application, the bug's\nsecurity impact is `Denial of Service`. BugId by default generates a HTML\nformatted report for every bug it finds and tells you the location where this\nreport was stored. As you can see, the file name of the report is based on the\nbug id and location.\n\nEvery bug id generated by BugId consists of two part separated by a space. The\nfirst part describes the type of bug. In the above example, `AVR@NULL`, this\nmeans *A*ccess *V*iolation *R*eading memory *at* address *NULL*. The second\npart describes the location of the bug; it consists of two short hashes\nseparated by a dot. These hashes are calculated from the top functions on the\nstack *that are considered relevant to the bug*. In the example, `a1f.904`\nconsists of `a1f` (calculated from `advapi32.dll!WctRemoveEntry`) and `904`\n(calculated from `advapi32.dll!CloseThreadWaitChainSession`).\n\nIf you run that same command again, BugId will report the exact same BugId, as\nthis should couse the exact same bug in the exact some code.\n\nCongratulations! You are now ready to test your own crashes with BugId, but\nyou may want to run `BugId.cmd --help` at some point to get information about\nthe many different command-line options BugId supports.\n\nNotes\n-----\nBugId has been developed for and tested on a large number of applications\nduring fuzzing to analyze hundreds of thousands of crashes caused by hundreds\nof different bugs. In this role it has proven to be extremely accurate in\nanalyzing bugs with a very low false positive and negative rate; both are\nless than 1%.\n\nOf course not all types of bugs are easy to detect and analyze. Some bugs\ncannot currently be detected reliably at the time they happen but cause a\ncrash much later on in completely unrelated code, leading to a completely\nincorrect analysis. In such cases, repeatedly reproducing the same bug will\nlead to a number of different bug ids as the application crashes in\ndifferent ways at different times. To make sure this is not the case, you\nare advised to run your test case in BugId a number of times to see if the\nbug id stays the same.\n\nOthers bugs cause crashes that look like they are caused by a different\ntype of bug. This can result in incorrect analysis and bug ids. Most\nnotably, bugs that are the result of *bad casts* in C/C++ code are\ncurrently impossible to detect and report by BugId. They can result in\nvarious different types of crashes; most commonly access violations when\nvalues stored in properties of an object are incorrectly used as pointers.\nIf you expect bad casts might be the cause of a crash, you should double\ncheck the analysis done by BugId to make sure it is correct.\n\nBugId is highly dependent on full page heap being used by the application\nto be able to detect and analyze a large number of heap related bugs. This\nmeans that it will be much less effective at detecting and analyzing bugs\nin application that use their own internal heap manager that does not rely\non the standard Windows heap.\n\nLicense\n-------\n\u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by-nc/4.0/\"\u003e\n  \u003cimg alt=\"Creative Commons License\" style=\"vertical-align: middle; float: left;\" src=\"https://i.creativecommons.org/l/by-nc/4.0/88x31.png\"/\u003e\n\u003c/a\u003e\nBugId has a free 30-day trial period for commercial and non-commercial use.\nDuring this trial period this work is licensed under a\n[Creative Commons Attribution-NonCommercial 4.0 International License](http://creativecommons.org/licenses/by-nc/4.0/).\n\nAfter the trial period, paid license must be acquired at\n[license.skylined.nl](https://license.skylined.nl) if you want to continue\nto use BugId.\n\nNon-Commercial licenses are available for a very small fee; just enough to pay\nfor my expenses. Commercial licenses for individual security researchers are\navailable at a huge discount too.\n\nIf you have any questions about licensing, or want to discuss a bulk-discount,\nplease contact [license@skylined.nl](mailto:license@skylined.nl).\n\nBugId has a trial period to allow you to assess its usefulness. If you want to\ncontinue to use BugId after the trial period has ended, I ask that you contribute\na small fee to pay for my work on BugId and handling of the license request. If\nyou are using BugId commercially, I ask that you pay a regular license fee to\nshare some of the profit you are making off of your use of BugId.\n","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"caab36bba7fa8bb931a9133e37d397f6\"\u003e\u003c/a\u003eWindows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskylined%2Fbugid","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskylined%2Fbugid","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskylined%2Fbugid/lists"}