Accenture/Spartacus

Question: Switching 'Process Monitor' for a third-party tool

michaellrowley opened this issue · 2 comments

Hello!

I'm currently looking into discovering DLL sideloading vulnerabilities with a similar technique to the one that Spartacus uses. The tool that I ended up making works a bit differently to Process Monitor (tracing child processes, logging LoadLibrary[A/W] instead of CreateFile calls, and noting which exports are actually called from DLLs without generating a custom-built DLL), and I was interested in integrating something like this tool into a workflow to rapidly prototype the generation of DLLs with matching exports to the ones being loaded.

Given how Spartacus looks to be pretty closely tied to the Process Monitor log format, is there any modularity in the way that parsing is accomplished so that I could write some wrapper code to integrate output from a third-party tool into Spartacus' generation flow?
If it helps, here's the format of the logs that I'd be parsing:

INITIALIZED(Base='0x...', State='NON-ADMIN', Path='Z:\\...\x64\x64dbg.exe')
HOOKED(Library='KERNEL32.dll', Function='GetProcAddress', Address='...')
HOOKED(Library='KERNEL32.dll', Function='LoadLibraryA', Address='...')
HOOKED(Library='KERNEL32.dll', Function='CreateFileW', Address='...')
LoadLibrary(Filename='dbghelp.dll', Path='Z:\\...\x64\dbghelp.dll', SDDL='O:S-1-5-21-1004336348-1177238915-682003330-512D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-1004336348-1177238915-682003330-512)')
GetProcAddress(Library='dbghelp.dll', Function='MiniDumpWriteDump')
GetProcAddress(Library='UNKNOWN', Function='SetProcessUserModeExceptionPolicy')
GetProcAddress(Library='UNKNOWN', Function='GetProcessUserModeExceptionPolicy')

I'd greatly appreciate any pointers in where might be a good starting point for something like this or if it would be better to develop a separate tool for what I'm looking for.

Hi Michael,

At the moment there isn't a way to switch parsers as it's quite tightly built around ProcMon (tbh I don't think that will be changing in v2).

But I think what you can use is the --generate-proxy feature to create proxies to whichever functions you like?

--generate-proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --output-dir C:\Projects\spartacus-wtsapi32 --verbose --only-proxy "ExpandEnvironmentStringsForUserW"

The above will generate a proxy only for ExpandEnvironmentStringsForUserW and redirect all other functions to the legitimate one.

If I misunderstood your end goal and this suggestion doesn't work for you, please let me know!

Thanks,
Pavel

Hi Pavel,

That's perfect, the --generate-proxy argument looks like it should do what I need as long as my tool calls it correctly.

Thanks!
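Added example (not Spartacus's code, nor the tool from the question): a Python sketch that parses the log format quoted in the question, groups each GetProcAddress lookup under the DLL it was resolved from (entries tagged Library='UNKNOWN' cannot be attributed to a LoadLibrary and are reported separately), and builds the --generate-proxy argument list shown in Pavel's reply. The comma-separated --only-proxy value and the Ghidra/DLL/output paths are assumptions; the sample log is constructed.

```python
import re

# Constructed sample in the issue's log format ('...' elisions as in the post; SymInitialize added to show grouping).
SAMPLE_LOG = r"""
INITIALIZED(Base='0x...', State='NON-ADMIN', Path='Z:\\...\x64\x64dbg.exe')
LoadLibrary(Filename='dbghelp.dll', Path='Z:\\...\x64\dbghelp.dll', SDDL='...')
GetProcAddress(Library='dbghelp.dll', Function='MiniDumpWriteDump')
GetProcAddress(Library='dbghelp.dll', Function='SymInitialize')
GetProcAddress(Library='UNKNOWN', Function='SetProcessUserModeExceptionPolicy')
""".strip()

RECORD_RE = re.compile(r"^(\w+)\((.*)\)$")   # EVENT(key='value', ...); greedy so nested SDDL parens are fine
FIELD_RE = re.compile(r"(\w+)='([^']*)'")     # quoted values never contain a single quote

def parse_events(text):
    """Return (event_name, {field: value}) for each well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.append((m.group(1), dict(FIELD_RE.findall(m.group(2)))))
    return events

def resolved_exports(events):
    """Map each LoadLibrary'd DLL to the exports later fetched with GetProcAddress; UNKNOWN lookups go to a side list."""
    exports, unresolved = {}, []
    for name, f in events:
        if name == "LoadLibrary":
            exports.setdefault(f["Filename"].lower(), [])
        elif name == "GetProcAddress":
            lib = f.get("Library", "").lower()
            if lib in exports:
                if f["Function"] not in exports[lib]:
                    exports[lib].append(f["Function"])
            else:
                unresolved.append(f["Function"])
    return exports, unresolved

def spartacus_args(exports, ghidra, dll_dir, out_root):
    """One --generate-proxy argument list per DLL, mirroring the reply; assumes --only-proxy takes a comma-separated list."""
    cmds = []
    for lib, funcs in exports.items():
        if funcs:  # a DLL with no observed GetProcAddress needs no proxied export
            stem = lib.rsplit(".", 1)[0]
            cmds.append(["--generate-proxy", "--ghidra", ghidra, "--dll", f"{dll_dir}\\{lib}",
                         "--output-dir", f"{out_root}\\spartacus-{stem}", "--verbose",
                         "--only-proxy", ",".join(funcs)])
    return cmds
```

Each returned list is the argument vector to pass to Spartacus for one DLL; the unresolved list is worth printing so the UNKNOWN lookups are not silently dropped.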