This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Update README
sadreck committed Oct 9, 2023
1 parent 6555fb9 commit 9fcce33
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions README.md
Expand Up @@ -12,6 +12,7 @@ When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loa
* Automatically generate Visual Studio solutions for vulnerable DLLs.
* Able to process large PML files and store all events of interest output into a CSV file. Local benchmark processed a 3GB file with 8 million events in 45 seconds.
* Supports scanning for both DLL and COM hijacking vulnerabilities.
* Supports generating self-signed certificates and signing DLL files.
* By utilising [Ghidra](https://github.com/NationalSecurityAgency/ghidra) functionality, extract export function signatures and execute your payload via individually proxied functions instead of running everything from `DllMain`. This technique was inspired and implemented from the walkthrough described at https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain, by [Shantanu Khandelwal](https://twitter.com/shantanukhande).
* `[Defence]` Monitoring mode trying to identify running applications proxying calls, as in "DLL Hijacking in progress". This is just to get any low hanging fruit and should not be relied upon.

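Review bot: the new feature bullet (`* Supports generating self-signed certificates and signing DLL files.`) leaves out the property that distinguishes this from plain self-signing, which the new section below spells out: the certificate attributes are copied from an existing signed file via `--copy-from`. Suggest `* Supports generating self-signed certificates (copying attributes from an existing signed file) and signing DLL files.` so the feature list matches what the Signing DLL Files section documents.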
Expand All @@ -25,6 +26,8 @@ When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loa
* [Usage](#com-hijacking-usage)
* [DLL Proxy Generation](#dll-proxy-generation)
* [Usage](#dll-proxy-generation-usage)
* [Signing DLL Files](#signing-dll-files)
* [Usage](#usage-for-signing-dll-files)
* [DLL Hijacking Detection](#dll-hijacking-detection)
* [Command Line Arguments](#command-line-arguments)
* [Contributions](#contributions)
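Review bot: the new sub-entry `[Usage](#usage-for-signing-dll-files)` breaks the naming pattern of its siblings, which link to `#com-hijacking-usage` and `#dll-proxy-generation-usage` (feature name first, then `Usage`). Either rename the heading in the new section to `### Signing DLL Files Usage` and link `#signing-dll-files-usage`, or keep the heading as written and accept the inconsistency. The anchors as written do resolve (`## Signing DLL Files` slugifies to `#signing-dll-files`, `### Usage for Signing DLL Files` to `#usage-for-signing-dll-files`), so this is style only.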
Expand Down Expand Up @@ -189,6 +192,24 @@ List DLL's exports and check if each function has a pre-generated prototype.
--mode proxy --action exports --dll C:\Windows\System32\version.dll --dll C:\Windows\System32\amsi.dll --prototypes ./Assets/prototypes.csv
```

## Signing DLL Files

Spartacus now supports generating self-signed certificates (while copying attributes from existing files), and signing DLL files.

### Usage for Signing DLL Files

Create a signing certificate, using properties from `C:\Windows\System32\version.dll` (has to be signed DLL).

```
--mode sign --action generate --pfx "C:\Output\certificate.pfx" --password "Welcome1" --not-before "2022-12-31 00:00:55" --not-after "2026-01-01 00:00:01" --copy-from C:\Windows\System32\version.dll --verbose
```

Sign a DLL using an existing/generated certificate.

```
--mode sign --action sign --pfx "C:\Output\certificate.pfx" --password "Welcome1" --path "C:\Input\MyFakeVersion.dll" --algorithm SHA256 --verbose
```

## DLL Hijacking Detection

Spartacus also has a `--detect` mode, which tries to identify active DLL proxying. The logic behind it is:
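Review bot: the new section shows the two commands but omits the details a reader needs to use them correctly, and the sentence "using properties from `C:\Windows\System32\version.dll` (has to be signed DLL)" should read "(must be a signed DLL)". Three additions would help. First, state which `--algorithm` values are accepted and what the default is when the flag is omitted: the `generate` example passes no `--algorithm` while the `sign` example passes `SHA256`, so the reader cannot tell what the certificate key or the signature uses by default. Second, say explicitly that a certificate produced by `--action generate` is self-signed and therefore does not chain to any trusted root; the signature it produces will not pass chain validation (for example under `signtool verify` or PowerShell's `Get-AuthenticodeSignature`) unless the certificate is installed into a trust store on the target, and the point of `--copy-from` is that the copied attributes make the signer look like the original, not that the signature validates. Third, note that `--password "Welcome1"` is an illustrative placeholder that should not be reused, and list the new `--mode sign` flags (`--pfx`, `--password`, `--not-before`, `--not-after`, `--copy-from`, `--path`, `--algorithm`) under Command Line Arguments if they are not already there.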

0 comments on commit 9fcce33