accenture / spartacus Goto Github PK

View Code? Open in Web Editor NEW

957.0 21.0 126.0 1.05 MB

Spartacus DLL/COM Hijacking Toolkit

License: MIT License

C# 50.40% Java 0.30% C++ 0.14% C 0.07% HTML 49.09%

accenture-security dll-hijacking procmon proxy-dlls windows com-hijacking dll-proxy-generation skeleton-dll

spartacus's Introduction

Caution

This repo is unmaintained, visit https://github.com/sadreck/Spartacus for the latest version.

Spartacus DLL/COM Hijacking Toolkit

Why "Spartacus"?

If you have seen the film Spartacus from 1960, you will remember the scene where the Romans are asking for Spartacus to give himself up. The moment the real Spartacus stood up, a lot of others stood up as well and claimed to be him using the "I AM SPARTACUS" phrase.

When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loaded, it's kind of asking "WHO IS VERSION.DLL?" and random directories start claiming "I AM VERSION.DLL" and "NO, I AM VERSION.DLL". And thus, Spartacus.

How is this tool different to all the other hijacking tools out there?

Spartacus automates most of the process. It parses raw SysInternals Process Monitor logs, and you can leave ProcMon running for hours and discover 2nd and 3rd level DLL/COM hijacking vulnerabilities (ie an app that loads another DLL that loads yet another DLL when you use a specific feature of the parent app).
Automatically generate Visual Studio solutions for vulnerable DLLs.
Able to process large PML files and store all events of interest output into a CSV file. Local benchmark processed a 3GB file with 8 million events in 45 seconds.
Supports scanning for both DLL and COM hijacking vulnerabilities.
Supports generating self-signed certificates and signing DLL files.
By utilising Ghidra functionality, extract export function signatures and execute your payload via individually proxied functions instead of running everything from DllMain. This technique was inspired and implemented from the walkthrough described at https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain, by Shantanu Khandelwal.
[Defence] Monitoring mode trying to identify running applications proxying calls, as in "DLL Hijacking in progress". This is just to get any low hanging fruit and should not be relied upon.

Installation
Supported Functionality
Command Line Arguments
Contributions
Credits

Installation

Find and download the latest version of Spartacus under Releases. Otherwise simply clone this repository and build from source.

Supported Functionality

Below is a description of each of the modes that Spartacus supports.

Note: Command line arguments have significantly changed from v1 to v2.

DLL Hijacking

The original functionality of Spartacus was solely finding DLL hijacking vulnerabilities. The way it works is:

Generate a ProcMon (PMC) config file on the fly, based on the arguments passed. The filters that will be set are:
- Operation is CreateFile.
- Path ends with .dll.
- Process name is not procmon.exe or procmon64.exe.
- Enable Drop Filtered Events to ensure minimum PML output size.
- Disable Auto Scroll.
Execute Process Monitor and halt until the user presses ENTER.
User runs/terminates processes, or leave it running for as long as they require.
Terminates Process Monitor upon the user pressing ENTER.
Parses the output Event Log (PML) file.
1. Creates a CSV file with all the NAME_NOT_FOUND and PATH_NOT_FOUND DLLs.
2. Compares the DLLs from above and tries to identify the DLLs that were actually loaded.
3. For every "found" DLL it generates a Visual Studio solution for proxying all of the identified DLL's export functions.

DLL Hijacking Usage

Collect all events and save them into C:\Data\logs.pml. All vulnerable DLLs will be saved as C:\Data\VulnerableDLLFiles.csv and all proxy DLLs solutions in C:\Data\Solutions.

--mode dll --procmon C:\SysInternals\Procmon.exe --pml C:\Data\logs.pml --csv C:\Data\VulnerableDLLFiles.csv --solution C:\Data\Solutions --verbose

Parse an existing PML event log output, save output to CSV, and generate proxy Visual Studio solutions.

--mode dll --existing --pml C:\MyData\SomeBackup.pml --csv C:\Data\VulnerableDLLFiles.csv --solution C:\Data\Solutions --verbose

Screenshots

COM Hijacking

A new functionality of Spartacus is to identify local COM hijacking vulnerabilities. The way it works is:

Generate a ProcMon (PMC) config file on the fly, based on the arguments passed. The filters that will be set are:
- Operation is RegOpenKey.
- Process name is not procmon.exe or procmon64.exe.
- Enable Drop Filtered Events to ensure minimum PML output size.
- Disable Auto Scroll.
Execute Process Monitor and halt until the user presses ENTER.
User runs/terminates processes, or leave it running for as long as they require.
Terminates Process Monitor upon the user pressing ENTER.
Parses the output Event Log (PML) file.
1. Identifies all missing registry keys that end in InprocServer32 and its result is NAME_NOT_FOUND.
2. If the identified key is under HKEY_CURRENT_USER, search for its GUID under HKEY_CLASSES_ROOT and include its details in the export CSV (if found).
3. Create a CSV output with all the gathered information.
Spartacus doesn't automatically create a Visual Studio solution for COM hijacking, however if you need to create a proxy DLL you can use the proxy mode.

For COM hijacking Spartacus also supports scanning the local system for misconfigured COM entries:

Enumerate all of HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and HKEY_LOCAL_MACHINE.
Look for registry keys that are called InProcServer, InProcServer32, LocalServer, or LocalServer32.
Identify any missing EXE/DLL locations, along with any ACL misconfiguration such as the ability to Modify or Delete the file by the current user.

COM Hijacking Usage

Collect all events and save them into C:\Data\logs.pml. All vulnerable COM information will be saved as C:\Data\VulnerableCOM.csv.

--mode com --procmon C:\SysInternals\Procmon.exe --pml C:\Data\logs.pml --csv C:\Data\VulnerableCOM.csv --verbose

Process an existing PML file to identify vulnerable COM entries.

--mode com --existing --pml C:\Data\logs.pml --csv C:\Data\VulnerableCOM.csv --verbose

Enumerate the local system registry to identify missing/misconfigured COM libraries and executables.

--mode com --acl --csv C:\Data\VulnerableCOM.csv --verbose

Screenshots

DLL Proxy Generation

Spartacus supports generating Visual Studio solutions by creating skeleton projects for you to use, based on the DLL you wish to exploit.

Redirecting all calls by exporting functions back to the legitimate DLL.
- This means that you will have to execute your payload from the DllMain function.
Using Ghidra, extract as many function signatures/definitions as possible from the target DLL, and create proxy functions for these.
- For any function that extracting its signature was not possible, it will be directly redirected to the legitimate function/dll.
- This means you can execute your payload from a function outside of DllMain.
- For instance, if you wish to exploit version.dll you could run your implant from GetFileVersionInfoExW if that function is called by the vulnerable application.

DLL Proxy Generation Usage

Generate a solution that redirects all exports (no function proxying).

--mode proxy --dll C:\Windows\System32\version.dll --solution "C:\data\tmp\refactor-version" --overwrite --verbose --external-resources

It is possible to input multiple DLLs at once.

--mode proxy --dll C:\Windows\System32\version.dll --dll C:\Windows\System32\userenv.dll --solution "C:\data\tmp\dll-collection" --overwrite --verbose --external-resources

Create proxies for as many functions as possible (based on Ghidra's output).

--mode proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --solution C:\Projects\spartacus-userenv --overwrite --verbose

Same as above, but use external asset files to generate the solution (if you need to modify them).

--mode proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --solution C:\Projects\spartacus-userenv --overwrite --verbose --external-resources

Utilise pre-generated function prototypes for functions which Ghidra was unable to extract function definitions for.

--mode proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\userenv.dll --solution C:\Projects\spartacus-userenv --overwrite --verbose --external-resources --prototypes C:\data\prototypes.csv

Generate proxies only for functions GetFileVersionInfoExW and GetFileVersionInfoExA.

--mode proxy --ghidra C:\ghidra\support\analyzeHeadless.bat --dll C:\Windows\System32\version.dll --solution C:\Projects\spartacus-version --verbose --overwrite --external-resources --only "GetFileVersionInfoExW, GetFileVersionInfoExA"

Generate a function prototype database from existing *.h files, assisting in generating proxy functions for ones that Ghidra was not able to extract its function definition.

--mode proxy --action prototypes --path "C:\Program Files (x86)\Windows Kits" --csv C:\data\prototypes.csv --verbose

List DLL's exports and check if each function has a pre-generated prototype.

--mode proxy --action exports --dll C:\Windows\System32\version.dll --dll C:\Windows\System32\amsi.dll --prototypes ./Assets/prototypes.csv

Signing DLL Files

Spartacus now supports generating self-signed certificates (while copying attributes from existing files), and signing DLL files.

Usage for Signing DLL Files

Create a signing certificate, using properties from C:\Windows\System32\version.dll (has to be signed DLL).

--mode sign --action generate --pfx "C:\Output\certificate.pfx" --password "Welcome1" --not-before "2022-12-31 00:00:55" --not-after "2026-01-01 00:00:01" --copy-from C:\Windows\System32\version.dll --verbose

Sign a DLL using an existing/generated certificate.

--mode sign --action sign --pfx "C:\Output\certificate.pfx" --password "Welcome1" --path "C:\Input\MyFakeVersion.dll" --algorithm SHA256 --verbose

DLL Hijacking Detection

Spartacus also has a --detect mode, which tries to identify active DLL proxying. The logic behind it is:

Enumerate all processes.
For each process, load the DLLs (modules) it has loaded into memory (assuming you have the right permissions to do so).
If you find a DLL with the same name:
- If both files as in an OS path (ie Windows, System32, Program Files), ignore.
- If only one of the files is in an OS path and the other is in a user-writable location, flag the file.

To use this feature, simply run Spartacus with --detect.

Self-Signing Executables/DLLs

Spartacus supports the --sign mode which allows you to both generate self-signed certificates, but also sign compiled DLLs with them.

Generate a self-signed certificate, copying the Issuer/Subject from an existing file:

--mode sign --action generate --pfx "C:\Output\myCertificate.pfx" --password "Welcome1" --not-before "2023-01-01 00:00:04" --not-after "2025-01-01 00:00:42" --copy-from C:\Windows\System32\version.dll --verbose

And use that certificate to sign your compiled file:

--mode sign --action sign --pfx "C:\Output\myCertificate.pfx" --password "Welcome1" --path "C:\Projects\Spartacus-AMSI\amsi.dll" --algorithm SHA256 --verbose

Command Line Arguments

To make your life easier, use the CommandLineGenerator.html file.

Mode	Argument	Description
	`--mode`	Define the mode to use, one of: `dll`, `proxy`, `com`, and `detect`.
`all`	`--verbose`	Enable verbose output.
`all`	`--debug`	Enable debug output.
`all`	`--external-resources`	By default Spartacus will use embedded resources for generating VS solution files etc. If you need to modify the templates, use this argument to make Spartacus load all files from the `./Assets` folder.
`dll`, `com`	`--procmon`	Location (file) of the SysInternals Process Monitor `procmon.exe` or `procmon64.exe`
`dll`, `com`	`--pml`	Location (file) to store the ProcMon event log file. If the file exists, t will be overwritten. When used with --existing it will indicate the event log file to read from and will not be overwritten.
`dll`, `com`	`--pmc`	Define a custom ProcMon (PMC) file to use. This file will not be modified and will be used as is.
`dll`, `com`	`--csv`	Location (file) to store the CSV output of the execution.
`dll`, `proxy`	`--solution`	Path to the directory where the solutions for the proxy DLLs will be stored.
`dll`, `com`	`--existing`	Switch to indicate that Spartacus should process an existing ProcMon event log file (PML). To indicate the event log file use --pml, useful when you have been running ProcMon for hours or used it in Boot Logging.
`dll`	`--all`	By default any DLLs in the Windows or Program Files directories will be skipped. Use this to include those directories in the output.
`proxy`	`--ghidra`	Path to Ghidra's 'analyzeHeadless.bat' file. Used when you want to proxy specific functions rather than just `DllMain`.
`proxy`	`--dll`	Path to the DLL you want to proxy, and can include multiple instances of this argument. In addition, can also contain wildcards like `C:\Windows\System32\.dll` - however all paths have to end in `.dll`.
`proxy`, `sign`	`--overwrite`	If the `--solution` (proxy) or `--pfx` (sign) file already exists, use this flag to overwrite it.
`proxy`	`--only`	Generate proxy functions only for functions defined in this variable. Values are comma separated like `'WTSFreeMemory,WTSFreeMemoryExA,WTSSetUserConfigA'`.
`proxy`	`--action`	Default action is to generate a VS solution. `--action prototypes`, takes as input a Windows SDK folder and parses *.h files in order to generate a database of function prototypes. `--action exports` displays a DLL's export functions and when complimented with `--prototypes` it will display if the function definition has been pre-generated.
`sign`	`--action`	When using `--action` with the `sign` module, it takes one of two options, `generate` for creating a PFX and `sign` for signing a file.
`proxy`	`--path`	Currently only works with `--action prototypes` and is the location of a Windows SDK directory.
`proxy`	`--prototypes`	Location of prototypes.csv (currently within the `./Assets` folder).
`com`	`--acl`	Enumerate local system for missing/misconfigured COM libraries and executables.
`sign`	`--subject`	Used with `--action generate` to specify the certificate subject.
`sign`	`--issuer`	Used with `--action generate` to specify the certificate's issuer.
`sign`	`--copy-from`	Used with `--action generate` to specify an existing signed file to copy the Issuer and Subject from.
`sign`	`--not-before`	Used with `--action generate` to define the date from when the new certificate will be valid from, format is YYYY-MM-DD HH:MM:SS.
`sign`	`--not-after`	Used with `--action generate` to define the date from when the new certificate will be valid until, format is YYYY-MM-DD HH:MM:SS.
`sign`	`--pfx`	When used with `--action generate` this is where the pfx file will be saved as. When used with `--action sign` this is where the pfx file will be loaded from.
`sign`	`--password`	When used with `--action generate` it defines the password for the `--pfx` file.
`sign`	`--path`	When used with `--action sign` it defines the location of the executable/DLL file to be signed.
`sign`	`--algorithm`	When used with `--action sign` it defines the hashing algorithm that will be used for signing. Options are: MD5, SHA1, SHA256, SHA384, SHA512.
`sign`	`--timestamp`	When used with `--action sign` it defines the Timestamp Server, like http://timestamp.sectigo.com or http://timestamp.digicert.com.

Contributions

Whether it's a typo, a bug, or a new feature, Spartacus is very open to contributions as long as we agree on the following:

You are OK with the MIT license of this project.
Before creating a pull request, create an issue so it could be discussed before doing any work as internal development is not tracked via the public GitHub repository. Otherwise you risk having a pull request rejected if for example we are already working on the same/similar feature, or for any other reason.

Credits

spartacus's People

Contributors

Stargazers

Watchers

Forkers

cyb3r-monk robinfassinamoschiniforks askyeye pdolinic codyjohnston og-sadpanda cybersecops secfb analyticsearch croat79 xcalibure2 zmkeh 0xrobert innovationexploited santisantis go-bi testeruse21 marcin-majewski-sonarsource killvxk startagain2016 nocomp aman1803 beerandgin matt-moses tomfansdwdf 0r3ak skyeyeglobal codechina888 yycunhua redquantum ikpehlivan oakkaya inosec2 wdormann asdyxcyxc cutff gmh5225 timb-machine-mirrors witchfindertr wdnmd-rushb wuyadie sec-fork guanglianniubi zerosum0xo devbox10 humble-desser r0secr01x adriangomez123 hubert3 phylumchordata charnim tobey123 y0d4a v4nyl pmatoso mellonaut msf-ntdll markterlep 3missedcalls sgnls r90tpass jhinxs dooreemii wubonetcn vaginessa gilipat tempaccountnull master-collider c0axial techris45 0xajstrike khugank noorahsmith pingc0y oops4git seahop rvrsh3ll apkc alx-company mushfiqur47 shonker arryboom zha0 dev2x0 nckiwourf isabella232 mgstate cyberfury101 johnnyistrying crisprss h0li3 samy4samy crimsonlabs-io 5l1v3r1 kyleevers kost scriptidiot red-infosec a1swartz joylin1984

spartacus's Issues

Question: Switching 'Process Monitor' for a third-party tool

Hello!

I'm currently looking into discovering DLL sideloading vulnerabilities with a similar technique to the one that Spartacus uses. The tool that I ended up making works a bit differently to Process Monitor (tracing child processes, logging LoadLibrary[A/W] instead of CreateFile calls, and noting which exports are actually called from DLLs without generating a custom-built DLL) and was interested in integrating something like this tool into a workflow to rapidly prototype the generation of DLLs with matching exports to the ones being loaded.

Given how Spartacus looks to be pretty closely tied to the Process Monitor log format, is there any modularity in the way that parsing is accomplished so that I could write some wrapper code to integrate output from a third-party tool into Spartacus' generation flow?
If it helps, here's the format of the logs that I'd be parsing:

INITIALIZED(Base='0x...', State='NON-ADMIN', Path='Z:\\...\x64\x64dbg.exe')
HOOKED(Library='KERNEL32.dll', Function='GetProcAddress', Address='...')
HOOKED(Library='KERNEL32.dll', Function='LoadLibraryA', Address='...')
HOOKED(Library='KERNEL32.dll', Function='CreateFileW', Address='...')
LoadLibrary(Filename='dbghelp.dll', Path='Z:\\...\x64\dbghelp.dll', SDDL='O:S-1-5-21-1004336348-1177238915-682003330-512D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-1004336348-1177238915-682003330-512)')
GetProcAddress(Library='dbghelp.dll', Function='MiniDumpWriteDump')
GetProcAddress(Library='UNKNOWN', Function='SetProcessUserModeExceptionPolicy')
GetProcAddress(Library='UNKNOWN', Function='GetProcessUserModeExceptionPolicy')

I'd greatly appreciate any pointers in where might be a good starting point for something like this or if it would be better to develop a separate tool for what I'm looking for.

What to do next, WITHOUT DLL Proxying?

I read through the article that details how to sideload/proxy a DLL function, which is great, however (as a noob), I'm wondering if there's an article or some steps to follow for NOT proxying a function, and just using MAINDLL?

The steps I followed so far look like this:

Created ProcMon log, parsed using Spartacus, and opened a created VS solution file.
Have a code example that looks like this:

#pragma once

#pragma comment(linker,"/export:ModernColorGetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorGetGDILutFromHDC,@1")
#pragma comment(linker,"/export:ModernColorSetGDILut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILut,@2")
#pragma comment(linker,"/export:ModernColorSetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILutFromHDC,@3")
#pragma comment(linker,"/export:ModernColorSetLut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetLut,@4")
#pragma comment(linker,"/export:ModernColorSetMatrix=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrix,@5")
#pragma comment(linker,"/export:ModernColorSetMatrixFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrixFromHDC,@6")

#include "windows.h"
#include "ios"
#include "fstream"


//// Remove this line if you aren't proxying any functions.
//HMODULE hModule = LoadLibrary(L"C:\\Windows\\System32\\coloradapterclient.dll");

//// Remove this function if you aren't proxying any functions.
//VOID DebugToFile(LPCSTR szInput)
//{
//    std::ofstream log("spartacus-proxy-coloradapterclient.log", std::ios_base::app | std::ios_base::out);
//    log << szInput;
//    log << "\n";
//}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
		MessageBox(NULL, L"coloradapterclient.dll attached to", L"coloradapterclient.dll", MB_OK); // Sample for testing
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Compiled the DLL file, and it shows up in the project's "x64 > Debug" folder.

So now what? This is a silly question I know, but it's hard to figure this advanced stuff out as newbie.

The DLL that gets compiled has the same name as the target DLL file, which I assume I don't want to overwrite with the target DLL file, but I assume we need to "link" the target DLL to this compiled DLL somehow, but again with no proxying.

Can I get some direction on how to get my test MessageBox to appear and perform my first DLL hijack!? :) Thanks!

Building Issues/Detail the Build Environment?

Just came across your repo and am eager to get started using it, however I'm a bit of a n00b when it comes to .NET projects, and it seems like every time I try to load and build ANY .NET project in VS, it's just rot with red underlines and version complaints, very frustrating.

That being said, I am currently running Visual Studio Community 2022, latest update was just done today, 17.7.4, on Windows 10.

When I first opened the project, I got these error messages:

After some reading, I discovered that the likely cause was due to my .NET version not being high enough, as denoted from this table:

╔══════════════════╦═════════╦═════════════════════════════╗
║ Target framework ║ version ║ C# language version default ║
╠══════════════════╬═════════╬═════════════════════════════╣
║ .NET             ║ 6.x     ║ C# 10                       ║
║ .NET             ║ 5.x     ║ C# 9.0                      ║
║ .NET Core        ║ 3.x     ║ C# 8.0                      ║
║ .NET Core        ║ 2.x     ║ C# 7.3                      ║
║ .NET Standard    ║ 2.1     ║ C# 8.0                      ║
║ .NET Standard    ║ 2.0     ║ C# 7.3                      ║
║ .NET Standard    ║ 1.x     ║ C# 7.3                      ║
║ .NET Framework   ║ all     ║ C# 7.3                      ║
╚══════════════════╩═════════╩═════════════════════════════╝

I think I had a .NET Framework installed, and not just .NET,

So in the VS Installer, I uninstalled basically everything .NET related to attempt a fresh start. I open the solution file again, and am greeted with this message:

So, I do the Recommended step and update the target .NET Framework 4.8, where I now see this error:

So again, I follow the steps and navigate to https://aka.ms/msbuild/developerpacks, and download the .NET Framework 4.8 Developer Pack, and run the installer.

After reloading the solution file in VS, I get the same group of errors as before:

Wonderful, stuck in a loop!

After reading a few forum posts, one answer suggested to review what was in the right click the project (not solution) in Solution Explorer window > Properties > Build > Advanced button at the bottom right > Language version, which mine shows as:

Following the link on "Why can't I select a different C# version" just takes you to this page just highlighting the map between .NET versions and C# language versions.

On that page, and another forum post, they suggested to change the <LangVersion>' parameter in the .csprojfile of the project to whatever version you want to "target", but that wasn't helpful as the` in Spartacus' file is already set to version 9.0:

They say changing that value from 9.0 to preview or even just getting rid of the line entirely forces it to target the latest language available for your .NET version, but that didn't work either.

So if I had to guess, it seems like I'm somehow "stuck" on C# version 7.3 and have exhausted the resources I've attempted to fix it. Forgive me if this is a simple solution, but as you can see, I've put as much effort in as I know how, and while this isn't a Spartacus issue, I can't help but think it would benefit someone also in my boat in the future to figure this out.

What can I try to get this working?

Enhancement Request: Replicate VERSIONINFO

I request that a feature be added to the project that allows for the automatic extraction of the VERSIONINFO from the original DLL (if found) and the replication of that information into a resource file in the proxy dll project template. This feature would enable the proxy project to retain the original DLL's versioning information.

At present the current proxy template compiles without VERSIONINFO:

After the enhancement is in place, the final proxy dll would compile with the same VERSIONINFO as the original DLL:

Additionally, an option to timestomp the final proxy dll to match the date of the original dll would be a great addition.

To reproduce the intended outcome manually, you can leverage ResourceHacker and timestomp.

Extract VERSIONINFO from original DLL:
rh.exe -open "C:\Windows\System32\version.dll" -save "version.rc" -action extract -mask VERSIONINFO -log CON

Compile .rc to .res
rh.exe -open "version.rc" -save "version.res" -action compile -log CON

Write final proxy dll with cloned VERSIONFINO:
rh.exe -open "version.dll" -save "version_final.dll" -resource "version.res" -action add -mask VERSIONINFO -log CON

Clone MACE with original DLL timestamps via timestomp:
ts.exe -c "c:\windows\system32\version.dll" "version_final.dll"

Ref: http://www.angusj.com/resourcehacker/
Ref: https://github.com/jackson5sec/timestomp

Can't find a way: "!! 0[] System.Array.Empty() ".

Hello, I have encountered a mistake in the process of using, and I have not found a solution for the moment, could you please help me to look at it?

C:\Users\Oadmin\Desktop\Spartacus-v2.2.0-x64>Spartacus.exe --mode dll --existing --pml C:\Users\Oadmin\Desktop\ProcessMonitor\Logfile.PML --csv C:\Users\PublicVulnerableDLLFiles.cs v --solution C:\Users\Public --verbose

Can't find a way: "!! 0[] System.Array.Empty() ".

My system version is

OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

accenture / spartacus Goto Github PK

spartacus's Introduction

Spartacus DLL/COM Hijacking Toolkit

Why "Spartacus"?

How is this tool different to all the other hijacking tools out there?

Table of Contents

Installation

Supported Functionality

DLL Hijacking

DLL Hijacking Usage

Screenshots

COM Hijacking

COM Hijacking Usage

Screenshots

DLL Proxy Generation

DLL Proxy Generation Usage

Signing DLL Files

Usage for Signing DLL Files

DLL Hijacking Detection

Self-Signing Executables/DLLs

Command Line Arguments

Contributions

Credits

spartacus's People

Contributors

Stargazers

Watchers

Forkers

spartacus's Issues

Recommend Projects

Recommend Topics

Recommend Org