Runtime-first privilege escalation and attack surface assessment for Windows thick clients.

Anvil is a runtime-first privilege escalation and attack surface assessment tool for Windows thick client applications. Rather than scanning the filesystem blindly, it pairs Procmon capture with Windows AccessCheck to report only paths that are both observed at runtime and confirmed writable by standard users, eliminating the false positive noise that plagues generic enumeration tools.

• Key Features
• How It Works
• Modules
• Requirements
• Sysinternals Tools
• Installation
• Distribution
• Usage
• Examples
• Output
• Severity Model
• Filters
• Disclaimer

Most thick client assessment tools cover one or two attack classes. Anvil is built around the idea that runtime observation, ACL-verified exploitability, and a wide attack surface should all live in the same targeted run — with a gated pipeline that keeps the output actionable.

Every candidate passes four sequential gates before it is reported.

Hard Gates

• Process integrity must be High or SYSTEM IL
• Path must not be inside System32, SysWOW64, or Program Files
• Directory writable by a standard user — verified via Windows AccessCheck API

Module Logic Gates

• Symlink: disposition flags (Supersede, OverwriteIf, etc.) + cross-user writability guard
• COM: registry CLSID correlated back to a missing or writable DLL path
• Binary: PATH ordering checked — writable entries appearing before System32 only
• Unquoted path: intermediate phantom directories confirmed writable, kernel .sys paths excluded

1. Target Resolution
   The tool resolves the target to an executable path (from --exe, --service, or --pid). If it is a service, ServiceInfo is retrieved with current PID and state.

2. Procmon Capture

   • For a service, Procmon is started, then the service is cleanly restarted (with state‑transition waits). The new PID is captured.
   • For a regular EXE, the process is launched at Medium integrity (using a duplicated Explorer token) to simulate a standard user. The PID is recorded.

   Process integrity level is read immediately after launch (while the process is alive) and stored in the context.

3. Per‑Module Filtered Analysis
   Each module requests a filtered CSV export from Procmon using its own .pmc filter (stored in filters/). The CSV is parsed, and a series of gates are applied:

   • Integrity ≥ High
   • Path not in a protected system directory
   • Directory writable by a standard user (AccessCheck)
   • Additional module‑specific logic (e.g., disposition for symlinks, registry‑to‑file correlation for COM)

4. Static Correlation
   The com module performs an additional static pass — scanning the target binary for embedded CLSIDs and checking each against HKLM and HKCU — to surface hijack opportunities not exercised during the capture window. These are flagged with a [Static Correlation] tag.

5. Reporting
   Findings are printed to the terminal (with colour coding) and optionally written to JSON or a standalone HTML report.

flowchart TB
    %% Phase 1
    subgraph Phase1["Phase 1: Target & Runtime Discovery"]
        TR["Target Resolver<br/>--exe / --service / --pid"] -->
        IL["Integrity Gate<br/>Medium-IL launch / Service restart"] -->
        PM["Procmon Engine<br/>Runtime FS / Reg / Pipe events"]
    end

    %% Phase 2
    subgraph Phase2["Phase 2: Signal Reduction"]
        direction LR
        PF["Per-Module PMC Filters<br/>High-signal traces only"] -->
        CSV["Filtered CSV Export"]
    end

    %% Phase 3
    subgraph Phase3["Phase 3: Exploitability Gates"]
        HG["Hard Gates<br/>High-Integrity target<br/>Not protected path"] -->
        ACL["AccessChk Validation<br/>Writable by standard user"] -->
        LG["Logic Gates<br/>Module-specific rules"]
    end

    %% Phase 4
    subgraph Phase4["Phase 4: Correlation"]
        RT["Runtime Findings"]
        ST["Static Correlation<br/>COM: CLSID binary scan / registry"]
    end

    %% Phase 5
    subgraph Phase5["Phase 5: Reporting"]
        SV["Severity Engine<br/>P1–P5"] --> OUT["Console Output"]
        SV --> JSON["JSON Report"]
        SV --> HTML["HTML Report"]
    end

    %% Cross-phase flow
    PM --> PF
    CSV --> HG
    LG --> RT
    ST -.-> RT
    RT --> SV

    %% Styling
    classDef p1 fill:#0f2a44,stroke:#4cc9f0,color:#e6f1ff
    classDef p2 fill:#2b193d,stroke:#f72585,color:#fde8f3
    classDef p3 fill:#1f2d1c,stroke:#7ae582,color:#eaf7ea
    classDef p4 fill:#3a1f1f,stroke:#ffb703,color:#fff3d6
    classDef p5 fill:#0b2e2a,stroke:#00f5d4,color:#e6fffb

    class Phase1 p1
    class Phase2 p2
    class Phase3 p3
    class Phase4 p4
    class Phase5 p5
    linkStyle default stroke:#9aa4b2,stroke-width:2px

All Procmon-based modules require a matching .pmc filter file in the filters/ directory (see Filters).

• Python 3.8 or later
• Must be run as Administrator
• Windows 10 / Server 2016 or newer

Anvil self-installs its two dependencies on first run. You can also install them manually:

pip install rich pefile

pip install rich>=13.0 pefile>=2023.2.7

Anvil uses three Sysinternals binaries.

On every run, Anvil resolves each tool using the following priority:

1. Explicit flag — --procmon, --handle, or --accesschk (see below)
2. Registry cache — HKCU\Software\Anvil (written on first successful resolution)
3. PATH — standard where-style search
4. Auto-download — fetched from live.sysinternals.com and stored in %LOCALAPPDATA%\Anvil\sysinternals\

Once a tool is resolved via any route, its path is written to the registry cache. Subsequent runs skip steps 1–3 entirely and go straight to the cached path.

If a tool cannot be downloaded (no internet, firewall, or proxy), Anvil prints a structured error and exits immediately. An error message is shown listing the missing tool(s) and the flag to use.

Supply the path to any binary via its flag. Anvil will copy it into %LOCALAPPDATA%\Anvil\sysinternals\ and write the path to the registry cache — the flag never needs to be used again after the first run.

python anvil.py --exe "C:\App\target.exe" --procmon   "D:\Tools\Procmon64.exe" --handle    "D:\Tools\handle.exe" --accesschk "D:\Tools\accesschk.exe"

# Clone the repository
git clone https://github.com/shellkraft/Anvil.git
cd Anvil

# Run — dependencies auto-install on first scan
python.exe anvil.py

Tip: Always launch your terminal with Run as Administrator before running Anvil.

Requires PyInstaller (pip install pyinstaller):

python -m PyInstaller --onefile --console --add-data "filters;filters" --add-data "modules/logo.png;." --icon .\modules\logo.ico --name Anvil anvil.py

The output binary will be at dist\Anvil.exe. No Python installation is required on the target machine.

Note: Windows SmartScreen may block the compiled executable on first run since it is unsigned.

A pre-built Anvil.exe is available on the Releases page — if trusting random binaries from the internet is in your threat model.

SHA-256 can be verified with certutil -hashfile Anvil.exe SHA256 (Windows) or sha256sum Anvil.exe (Linux).

python anvil.py [--exe PATH | --service NAME | --pid PID] [options]

Module names: dll, com, registry, binary, configs, installdir, memory, symlink, unquoted, pesec, pipes

Basic scan of a desktop application:

python anvil.py --exe "C:\Program Files\MyApp\myapp.exe" --report report.html

Longer capture window for a slow-starting app:

python anvil.py --exe "C:\Program Files\MyApp\myapp.exe" --procmon-runtime 60 --scan-install-dir

Target a Windows service:

python anvil.py --service MyAppSvc --modules dll,binary,unquoted,registry

Attach to an already-running process:

python anvil.py --pid 4872 --report report.html --verbose

Run specific modules only:

python anvil.py --exe "C:\App\app.exe" --modules dll,symlink,unquoted

Scan process memory for extra custom strings:

python anvil.py --exe "C:\App\app.exe" --modules memory --memory-strings "InternalSecret,DevPassword"

Air-gapped machine — provide Sysinternals manually (copied once):

python anvil.py --exe "C:\App\app.exe" --procmon "E:\Sysint\Procmon64.exe" --handle "E:\Sysint\handle.exe" --accesschk "E:\Sysint\accesschk.exe"

Colour-coded per severity with optional --verbose detail blocks. Requires the rich package (auto-installed).

Machine-readable array of finding objects:

[
  {
    "severity": "P1",
    "module": "DLL Hijacking",
    "message": "[System→User] Phantom DLL: version.dll",
    "detail": "DLL name   : version.dll\nAttempted  : C:\\ProgramData\\MyApp\\version.dll\n..."
  }
]

Self-contained single-file report with:

• Executive summary and severity breakdown
• Per-module finding tables
• Filtering by severity or vulnerability class
• Full detail on expand
• Scan metadata (target, timestamps, integrity level)

All .pmc filter files are included in the filters/ directory of the repository — no setup required. Procmon-based modules will pick them up automatically.

If a filter file is lost or corrupted, recreate it in Procmon using the rules above: Filter → Filter… to configure the conditions, then File → Export Configuration… and save to filters/<name>.pmc.

Anvil will automatically pick up the .pmc file on the next run for that module.

Anvil is designed for security research, bug bounty hunting, and authorized penetration testing engagements. Use it only on systems you own or have explicit written permission to assess.

Operational notes

• Anvil restarts services during capture — this briefly interrupts the target service on the assessed machine
• The memory module attaches to a live process, ensure this is acceptable in the target environment before running.
• Run as Administrator is required — ensure this aligns with the rules of engagement for the assessment.