From 319811be34350a1b1dc9820ec933fd47f3b2d715 Mon Sep 17 00:00:00 2001 From: Pavel Tsakalidis
Date: Fri, 13 Jan 2023 13:02:48 +0000 Subject: [PATCH] Update documentation for v1.1.0 --- CHANGELOG.md | 9 +++++++++ README.md | 19 +++++++++++++++++++ Spartacus/Program.cs | 16 ++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..6fd0a4c --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,9 @@ +# Spartacus Changelog + +## v1.1.0 + +* `[New]` Implement new functionality to create proxies for functions other than DllMain, as described here: https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain + +## v1.0.0 + +* `[New]` Public Release. diff --git a/README.md b/README.md index 3fb38d5..07721d3 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loa * Spartacus will create proxy DLLs for all missing DLLs that were identified. For instance, if an application is vulnerable to DLL Hijacking via `version.dll`, Spartacus will create a `version.dll.cpp` file for you with all the exports included in it. Then you can insert your payload/execution technique and compile. * Able to process large PML files and store all DLLs of interest in an output CSV file. Local benchmark processed a 3GB file with 8 million events in 45 seconds. * `[Defence]` Monitoring mode trying to identify running applications proxying calls, as in "DLL Hijacking in progress". This is just to get any low hanging fruit and should not be relied upon. +* Able to create proxies for export functions in order to avoid using `DllMain`. This technique was inspired and implemented from the walkthrough described at https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain, by [Shantanu Khandelwal](https://twitter.com/shantanukhande). For this to work [Ghidra](https://github.com/NationalSecurityAgency/ghidra) is required. # Table of Contents 
@@ -84,6 +85,11 @@ When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loa | `--detect` | Try to identify DLLs that are proxying calls (like 'DLL Hijacking in progress'). This isn't a feature to be relied upon, it's there to get the low hanging fruit. | | `--verbose` | Enable verbose output. | | `--debug` | Enable debug output. | +| `--generate-proxy` | Switch to indicate that Spartacus will be creating proxy functions for all identified export functions. | +| `--ghidra` | Used only with --generate-proxy. Absolute path to Ghidra's 'analyzeHeadless.bat' file. | +| `--dll` | Used only with --generate-proxy. Absolute path to the DLL you want to proxy. | +| `--output-dir` | Used only with --generate-proxy. Absolute path to the directory where the solution of the proxy will be stored. This directory should not exist, and will be auto-created. | +| `--only-proxy` | Used only with --generate-proxy. Comma separated string to indicate functions to clone. Such as 'WTSFreeMemory,WTSFreeMemoryExA,WTSSetUserConfigA' | ## Examples @@ -123,6 +129,18 @@ Run in monitoring mode and try to detect any applications that is proxying DLL c --detect ``` +Create proxies for all identified export functions. + +``` +--generate-proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --output-dir C:\Projects\spartacus-wtsapi32 --verbose +``` + +Create a proxy only for a specific export function. + +``` +--generate-proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --output-dir C:\Projects\spartacus-wtsapi32 --verbose --only-proxy "ExpandEnvironmentStringsForUserW" +``` + ## Proxy DLL Template Below is the template that is used when generating proxy DLLs, the generated `#pragma` statements are inserted by replacing the `%_PRAGMA_COMMENTS_%` string. 
@@ -170,3 +188,4 @@ Whether it's a typo, a bug, or a new feature, Spartacus is very open to contribu # Credits * https://github.com/eronnen/procmon-parser/ +* https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain \ No newline at end of file diff --git a/Spartacus/Program.cs b/Spartacus/Program.cs index afcad9f..5dcde82 100644 --- a/Spartacus/Program.cs +++ b/Spartacus/Program.cs @@ -47,6 +47,14 @@ log file (PML). To indicate the event log file use --pml, useful when you Use this to include those directories in the output. --detect Try to identify DLLs that are proxying calls (like 'DLL Hijacking in progress'). This isn't a feature to be relied upon, it's there to get the low hanging fruit. +--generate-proxy Switch to indicate that Spartacus will be creating proxy functions for all identified + export functions. +--ghidra Used only with --generate-proxy. Absolute path to Ghidra's 'analyzeHeadless.bat' file. +--dll Used only with --generate-proxy. Absolute path to the DLL you want to proxy. +--output-dir Used only with --generate-proxy. Absolute path to the directory where the solution of + the proxy will be stored. This directory should not exist, and will be auto-created. +--only-proxy Used only with --generate-proxy. Comma separated string to indicate functions to + clone. Such as 'WTSFreeMemory,WTSFreeMemoryExA,WTSSetUserConfigA' --verbose Enable verbose output. --debug Enable debug output. 
@@ -75,6 +83,14 @@ Use this to include those directories in the output. Run in monitoring mode and try to detect any applications that is proxying DLL calls. --detect + +Create proxies for all identified export functions. + + --generate-proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --output-dir C:\Projects\spartacus-wtsapi32 --verbose + +Create a proxy only for a specific export function. + + --generate-proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --output-dir C:\Projects\spartacus-wtsapi32 --verbose --only-proxy ""ExpandEnvironmentStringsForUserW"" "; Logger.Info(help, true, false);
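Review bot: in the CHANGELOG.md hunk, the v1.1.0 entry omits the new external dependency that the README hunk in this same patch states ("For this to work Ghidra is required"); add that to the changelog line, and name the `--generate-proxy` switch there as well, so someone upgrading from v1.0.0 sees both the new mode and what it needs before running it.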
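Review bot: in the README `@@ -16,6 +17,7` hunk, the sentence "This technique was inspired and implemented from the walkthrough described at ..." reads awkwardly; suggest "This technique was inspired by, and follows, the walkthrough described at ..." so the attribution is clear.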
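Review bot: in the README `@@ -84,6 +85,11` options table, the `--output-dir` row says the directory "should not exist, and will be auto-created" but not what happens when it already exists; state whether the run aborts or writes into the existing directory, since a silent overwrite of a previous solution is the surprising case. The same sentence is duplicated in the Program.cs help text, so whichever behaviour is documented should be added in both places.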
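Review bot: in the README `@@ -123,6 +129,18` examples, the output directory `C:\Projects\spartacus-wtsapi32` does not match the DLL being proxied (`C:\Windows\System32\userenv.dll`) and looks carried over from a wtsapi32 example (the `--only-proxy` description lists `WTSFreeMemory,WTSFreeMemoryExA,WTSSetUserConfigA`); rename it to something like `C:\Projects\spartacus-userenv` so the two examples are internally consistent. The identical command lines are repeated in the Program.cs `@@ -75,6 +83,14` hunk and need the same correction.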
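Review bot: in the README `@@ -170,3 +188,4` credits hunk, the added line is written without a trailing newline (`\ No newline at end of file`) while the file previously ended with one; add the newline so the next edit to the credits list does not produce a spurious one-line diff.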
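Review bot: in the Program.cs `@@ -47,6 +55,14` help text, the new options are inserted before `--verbose` and `--debug`, whereas the README table in this patch appends them after `--debug`; pick one ordering for both, since the two listings are maintained by hand and already differ. The hand-wrapped continuation lines (e.g. "export functions.", "the proxy will be stored.") should also be checked against the column used by the existing `--detect` entry so the rendered help stays aligned.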