This article provides a simple program that acts as a debugger while running another user-specified application.
Here's what it does:
- Sends a log of debugging events to STDOUT. This includes DLL loading information, thread creation/destruction info, exceptions and fatal errors (page faults), and so forth.
- Intercepts and handles crashes of the debugged application. Instead of letting the system display an error message requiring user interaction, the debugged application is immediately terminated, and the debugger exits with a specific return code.
What I Use It For
- Building the affected application in both debug and release modes.
- Building and running some automated tests.
During these automated tests, we may detect and report problems using any technique. But sometimes, the whole application may crash because of a page fault or other fatal error. When this happens, the system normally suspends the crashed application and waits for the user to confirm what should be done (for example, debug or terminate the application).
Because these are fully automated/scripted tests running on a rarely accessed machine, this user intervention is not desirable.
The most elegant way to avoid it, on Win32, is to pretend to the system that we are debugging the application. Additionally, this allows the test script to access an execution log (written using OutputDebugString), which is integrated in an error report.
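The crash-interception part of this approach, as an added example that is not the article's attached DebugStub source: the application runs as a debuggee, so an unhandled exception reaches the test script as an exit code instead of an error dialog. The exit code 99, the `OnException` helper, and the same-bitness assumption are choices made for this example; the Win32 loop compiles only on Windows, and the OutputDebugString log is left out.

```cpp
// Added example, not the article's DebugStub source. Assumes the debugger and
// debuggee have the same bitness; the command line is passed as one quoted argument.
#include <cstdio>
enum { kCrashExitCode = 99 };  // assumption: the article does not state its code
enum Action { CONTINUE_HANDLED, PASS_TO_DEBUGGEE, KILL_DEBUGGEE };
// 0x80000003 is EXCEPTION_BREAKPOINT; the loader raises one at startup.
Action OnException(unsigned long code, bool firstChance, bool& sawLoaderBreak) {
    if (code == 0x80000003UL && !sawLoaderBreak) {
        sawLoaderBreak = true;
        return CONTINUE_HANDLED;
    }
    // First chance: give the debuggee's own SEH / C++ handlers a turn.
    // Second chance: nothing handled it, so the process is crashing.
    return firstChance ? PASS_TO_DEBUGGEE : KILL_DEBUGGEE;
}

#ifdef _WIN32
#include <windows.h>
int RunUnderDebugger(char* cmdLine) {
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    if (!CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE,
                        DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi))
        return -1;
    bool sawLoaderBreak = false;
    for (;;) {
        DEBUG_EVENT ev;
        if (!WaitForDebugEvent(&ev, INFINITE)) return -1;
        DWORD status = DBG_CONTINUE;
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            return (int)ev.u.ExitProcess.dwExitCode;  // normal end: pass code through
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT)
            CloseHandle(ev.u.CreateProcessInfo.hFile);  // image handle is ours to close
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT)
            CloseHandle(ev.u.LoadDll.hFile);
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            const EXCEPTION_DEBUG_INFO& x = ev.u.Exception;
            Action a = OnException(x.ExceptionRecord.ExceptionCode, x.dwFirstChance != 0, sawLoaderBreak);
            printf("exception 0x%08lX, %s chance\n", x.ExceptionRecord.ExceptionCode, x.dwFirstChance ? "first" : "second");
            if (a == KILL_DEBUGGEE) {  // no error dialog: kill and report
                TerminateProcess(pi.hProcess, kCrashExitCode);
                return kCrashExitCode;
            }
            if (a == PASS_TO_DEBUGGEE) status = DBG_EXCEPTION_NOT_HANDLED;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
}
int main(int argc, char** argv) { return argc == 2 ? RunUnderDebugger(argv[1]) : 2; }
#endif
```

Passing first-chance exceptions back with `DBG_EXCEPTION_NOT_HANDLED` matters for test runs: an exception the application catches itself must not be reported as a crash.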
A single source file is attached to this article. It is the C++ source code of a console application, DebugStub.exe, that you should compile with your favorite compiler (I used MSVC6).
Once compiled, the application can be tested as follows:
- Drag and drop any application (not a shortcut) onto DebugStub.exe. Note that this will not allow you to see any error message, and does not allow you to pass any parameters to the application.
- Launch it from the command line:
  - Make sure you know how to launch the debugged application from the command line, passing parameters as appropriate.
  - Just insert DebugStub.exe (or a full path as appropriate) at the beginning of the command line, and the other application will run as usual but under DebugStub's control.
About This Implementation
I do not have much to say about the source code. All the system calls are public and documented Win32 APIs. However, I found it difficult to put the pieces together and handle the essential cases appropriately, so I think you may find it useful.
Note, however, that this example has been coded very quickly. It is only Good Enough For What I Want To Do With It. You will probably want to tune the output for your own needs.
-- Ivan Vecerina, Dr. med. <> http://www.post1.com/~ivec Brainbench MVP for C++ <> http://www.brainbench.com