Recommended for classic software: appverifier (Application validators)

Appverifier usage

This section discusses how to test an application using appverfier.

The first thing to note about appverifier is that it is not an automatic test program for your applications. appverifier attaches to a program and performs tests whenever you run the program. it is possible to use appverifier and an automatic test procedure simultaneously. appverifier attaches a "stub" or small piece of code to the executable program you are testing so that appverifier will be engaged every time the program is run.

To test an application with appverifier

1. To open appverifier, clickStart, And then clickPrograms.

2. Under programs, clickApplication Verifier.

3. Right click the mouse in the Application Section of the Main Page and clickAdd ApplicationTo displayAdd ApplicationDialog Box shown in figure 2.

   Figure 2:Using the Add application dialog box to select an executable file to test

4. Browse to your application, and select the executable file to test. Double-click to open the file. Repeat Steps 3 and 4 for any additional executables to be tested.

5. In the test settings pane, see Figure 3, select the tests you want to perform from the following list:

   Figure 3:Using the tests area, click the checkbox next to the test to run.

   • Memory

     Ensures APIs for virtual space manipulations are used correctly.

   • TLS

     Ensures that Thread Local Storage APIs are used correctly

   • Low resource simulation

     This simulates an environment under low resources for example, out of memory.

   • Limited User Account predictor

     This test simulates an environment running as a user with a limited user account and has two primary goals: predictive and diagnostic. the predictive element determines whether an application that is running in an administrative environment wowould also run well in an environment with less privilege, as a limited user, for example. the diagnostic element Evaluates an application when it is running as a limited user and identifies potential problems.

   • Miscellaneous

     Consists of dirty stacks and dangerous APIs.

6. Save the settings within application Verifier

7. To start testing, simply use the application. Try to use all of the program's functions to generate the best data for the appverifier logs. Close the application when finished.

8. View the test results in the appverifier log file by clickingView logsIn appverifier.

The test settings you specify for a special application will remain active every time you run the program until the program is removed from the list of applications in appverifier. you can run programs repeatedly while working out problems.

 

 

The biggest headache of "bug" is the type of access conflicts that involve wild pointers, invalid handles, and many other Windows kernels. They are difficult to find, difficult to debug, and difficult to locate. However, appverifier is a tool to solve these problems. In fact, Major Windows software developers, headed by Microsoft, are using this software for auxiliary testing. I recommend it here because it is not only good at grasping these kernel-level and underlying bugs, but also made by Microsoft. It can be used for free and is very simple because of several other factors.

Objective Description of appverifier

Appverifier can be downloaded for free. It is used to detect and debug Memory Corruption, dangerous security vulnerabilities, and restricted user account privileges. Appverifier helps you create reliable and secure applications by monitoring applications and Microsoft? Windows? Operating system interaction, and configure the objects, registries, file systems, and Win32 APIs used by the application (including heap, handle, and lock ). Appverifier also includes a check to predict the application's execution in a non-Administrator environment.

The above is the original description of Microsoft msdn. Msdn recommends it in "C ++ security best practices" to verify software security. Msdn even advocates the use of the software throughout the development lifecycle: "During the entire software development lifecycle, appverifier can save development costs, because it can easily identify problems in the early stage, it is easier and less costly to fix errors in the early stage."

Appverifier can identify other problems

Appverifier helps determine: (copy on msdn)
? When the application correctly uses the API:
? Insecure terminatethread API.
? Correctly Use the Thread Local Storage (TLS) API.
? Correct use of virtual space operations (such as virtualalloc and mapviewoffile ).
? Whether the application uses a structured exception to handle hidden access conflicts.
? Whether the application tries to use an invalid handle.
? Whether memory corruption or memory problems exist in the heap.
? Whether the application uses up the memory when the resources are insufficient.
? Whether the critical section is correctly used.
? Whether applications running in the administrator environment can run well in environments with lower privileges.
? Whether the application runs as a restricted user has potential problems.
? In the context of a thread, whether there will be uninitialized variables in future function calls.

Use of appverifier

Next we will introduce how to use it in combination with our own applications (very simple ).
1. Download appverifier
Download and install software on the Microsoft website
Http://www.microsoft.com/downloads/details.aspx? Familyid = bd02c19c-1250-433c-8c1b-2619bd93b3a2 & displaylang = en

2. Run appverifier
Add the application to be verified in the appverifier. for developers, directly select the debug version executable file output in the project. You can add multiple files or dynamic library DLL.

3. Configure the project to be verified
Appverifier can roughly verify 18 risks (version 3.3), including exceptions, handles, stacks, memory, and uninitialized parameters. Select the project to be tested and save the settings.

4. Debug Programs in IDE
These are the same as before, but during the debugging process, appverifier will report the problems it has detected to you, in an abnormal way, or output the information to the output box. Generally, the program is not far from where the problem occurs.

5. Cancel Verification
Cancel the program to be verified in the appverifier. Otherwise, the verification code will remain in the program.

Well, let's try the software on hand first. There were no errors in the past. Now, there are a lot of exceptions, so let's take a look ....

Another software in the same series as it is: Driver Verifier, specifically designed to test driver security.

References:

If you are interested, Google "application verifier" to see the Introduction.
To learn, read the msdn:
Application validators in the software development lifecycle
Http://www.microsoft.com/china/MSDN/library/enterprisedevelopment/softwaredev/WDdnclinicscripting.mspx? MFR = true

How to use the application verification program to troubleshoot program problems in Windows XP
Http://support.microsoft.com/default.aspx/kb/286568/zh-cn

C ++ best security practices
Http://msdn2.microsoft.com/zh-cn/library/k3a3hzw7 (vs.80). aspx