Anvil is a specialized security assessment tool designed for targeted Windows thick client application testing. Unlike generic filesystem scanners, Anvil prioritizes runtime observation by pairing Process Monitor (Procmon) captures with Windows AccessCheck validation. This runtime-first approach ensures that each reported vulnerability is both reachable during application execution and confirmed writable by standard users, significantly reducing false positives.
The tool simulates a standard user environment by launching executables at Medium integrity or restarting services to capture startup behavior. It processes findings through a gated pipeline that filters out protected system directories and verifies ACLs before flagging a vector as exploitable.
Key Features
- Runtime-verified discovery of DLL, COM, and binary hijacking opportunities.
- Automated Sysinternals integration for Procmon capture and AccessCheck validation.
- False-positive reduction via a four-stage gating pipeline and process integrity checks.
- Static correlation of embedded CLSIDs to identify latent COM hijacking surface.
- Live process memory scanning for credentials, JWTs, and connection strings.
- Analysis of unquoted service paths, insecure registry configurations, and named pipe ACLs.
Use Cases
- Performing deep-dive security assessments on Windows-based thick client applications.
- Identifying local privilege escalation (LPE) vectors during red team engagements.
- Auditing Windows services and installed software for insecure configurations and hijacking vulnerabilities.
- Validating software security mitigations such as ASLR, DEP, and CFG via PE flag analysis.
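As an added illustration of the PE flag analysis mentioned above (this is not Anvil's own code), the following Python parser reads the DllCharacteristics field of a PE optional header and reports ASLR, DEP and CFG, treating a stripped relocation table as defeating ASLR; the header bytes it inspects are constructed inline rather than taken from a real binary.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated at load (ASLR)
NX_COMPAT       = 0x0100   # DEP / NX compatible
GUARD_CF        = 0x4000   # Control Flow Guard instrumented
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc, so ASLR cannot move the image
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_mitigations(data: bytes) -> dict:
    """Read ASLR/DEP/CFG flags from a PE image's headers; raise on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    aslr = bool(dll_chars & DYNAMIC_BASE) and not (file_chars & RELOCS_STRIPPED)
    return {
        "aslr": aslr,
        "high_entropy_va": magic == PE32PLUS_MAGIC and aslr and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
    }

def build_header(dll_chars: int, pe32plus: bool = True, file_chars: int = 0x0022) -> bytes:
    """Constructed minimal PE header (no sections) for demonstration; not a real binary."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points just past the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To audit a real image, pass `open(path, "rb").read()` to `pe_mitigations`; an image that sets DYNAMIC_BASE but has its relocations stripped is reported without ASLR, which is the case a flag-only check misses.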