pathtofile / sealighter Goto Github PK

View Code? Open in Web Editor NEW

271.0 271.0 43.0 294 KB

Sysmon-Like research tool for ETW

C++ 80.58% C 14.86% Roff 4.05% Python 0.50%

sealighter's Introduction

Pat H

Dad, researcher, and infosec psudo-specialist, posts and thoughts are my own. He/Him.

🌏 Australia
📧 path[at]tofile[dot]dev
🐣 @pathtofile
📘 https://blog.tofile.dev
🏢 https://www.linkedin.com/in/phoganAU/
🗣️ https://blog.tofile.dev/talks/

Latest Blog Posts

My dog Cluedo

sealighter's People

Contributors

Stargazers

Watchers

sealighter's Issues

Dangerous use of printf

Sealighter/sealighter/sealighter_util.cpp

Line 295 in a21de27

printf(message);

The util functions log_messageA and log_messageW pass an arbitrary message string to printf/wprintf as format template.

I noticed this while using the Microsoft-Windows-WinINet provider, which crashes Sealighter when encountering percent-encoded data in an URL.

Issues in recent Windows Version 10.0.19042.746

Sealighter "seems" not to work properly under Windows 10.0.19042.746, tested with Windows vanilla install today.
No Eventchannel for sealighter is beeing created.

Here is the debug data:

Output of sealighter -d

[DEBUG][Korben Dallas] Check requirements
[Korben Dallas] [*] Requirements OK
[DEBUG][Korben Dallas] Get the name of the DLL to hijack
[Korben Dallas] [*] DLL to hijack: EventAggregation.dll
[Korben Dallas] [*] Current user is SYSTEM? -> FALSE
[DEBUG][Korben Dallas] Found a potential Process candidate: PID=744 - Image='winlogon.exe' - User='NT-AUTORIT─T\SYSTEM'
[DEBUG][Korben Dallas] This token is not restricted.
[DEBUG][Korben Dallas] Found 2/2 required privileges in token.
[DEBUG][Korben Dallas] Found a valid Token candidate.
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Create object directory '\GLOBAL??\KnownDlls'...
[SYSTEM] [*] Created Object Directory: '\GLOBAL??\KnownDlls'
[DEBUG][SYSTEM] Create symbolic link '\GLOBAL??\KnownDlls\EventAggregation.dll'...
[SYSTEM] [*] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll'
[DEBUG][Korben Dallas] Create symbolic link '\??\GLOBALROOT -> \GLOBAL??'...
[Korben Dallas] [*] Created symbolic link: '\??\GLOBALROOT -> \GLOBAL??'
[DEBUG][Korben Dallas] Call DefineDosDevice to create '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[Korben Dallas] [*] DefineDosDevice OK
[DEBUG][Korben Dallas] Impersonate SYSTEM again
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Check whether the symbolic link was really created in '\KnownDlls\'
[SYSTEM] [+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Map our DLL to section '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Loaded payload DLL, image size: 664576 bytes
[DEBUG][SYSTEM] Found file for transaction: C:\Windows\system32\mfc140.dll
[DEBUG][SYSTEM] Opened file 'C:\Windows\system32\mfc140.dll' for transaction.
[DEBUG][SYSTEM] Wrote 664576 bytes of embedded payload DLL to transacted file.
[SYSTEM] [*] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Enable privilege SeAssignPrimaryTokenPrivilege
[DEBUG][SYSTEM] Create a primary token
[DEBUG][SYSTEM] Creating protected process with command line: C:\Windows\system32\services.exe aa34e445-7b2d-4680-85be-576f6af2578 -d
[SYSTEM] [*] Started protected process PID 6312, waiting...
[*] Trace Process started, press ctrl+c to stop...
[DEBUG] (DLL) DllMain (process attach)

after pressing CTRL+C the following output was given

[Korben Dallas] Setting Stop Event
[-] The DLL was successfully loaded into the PPL Process
[DEBUG][SYSTEM] Unmap section '\KernelObjects\EventAggregation.dll'...
[DEBUG][SYSTEM] Process exit code: 0
[+] Trace completed :)

Output of sysinternals DebugView64

00000001	0.00000000	[6312] [DEBUG] (DLL) DllMain (process attach)	
00000002	0.00076680	[6312] [DEBUG] (DLL) DEBUG mode enabled	
00000003	0.00103590	[6312] [DEBUG] (DLL) GUID='aa34e445-7b2d-4680-85be-576f6af2578'	
00000004	0.00140630	[6312] [DEBUG] (DLL) Object to delete: \KnownDlls\EventAggregation.dll	
00000005	0.00167800	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', WRITE_DAC) OK	
00000006	0.00185290	[6312] [DEBUG] (DLL) SetKernelObjectSecurity OK	
00000007	0.00206650	[6312] [DEBUG] (DLL) NtClose OK	
00000008	0.00226410	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', DELETE) OK	
00000009	0.00246180	[6312] [DEBUG] (DLL) NtMakeTemporaryObject OK	
00000010	0.00265990	[6312] [DEBUG] (DLL) [*] KnownDll entry 'EventAggregation.dll' removed.	
00000011	0.00285470	[6312] [DEBUG] (DLL) Hooking Main Entry to EXE	
00000012	0.00440480	[6312] [DEBUG] (DLL) [+] StartTracing: SUCCESS	
00000013	0.00466570	[6312] [DEBUG] (DLL) In hooked entrypoint, starting ETW Trace	
00000014	0.00507830	[6312] Session Name: Sealighter-Trace	
00000015	0.00542880	[6312] Outputs: event_log	
00000016	0.00572280	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000017	0.00592730	[6312] User Provider: {F4E1897C-BB5D-5668-F1D8-040F4D8DD344}	
00000018	0.00614790	[6312]     Trace Name: Microsoft-Windows-Threat-Intelligence	
00000019	0.00630860	[6312]     Keywords: All	
00000020	0.00667620	[6312]     No event filters	
00000021	0.00710980	[6312] Starting User Trace...	
00000022	0.00712180	[6312] -----------------------------------------	
00000023	0.00748660	[6312] [DEBUG] (DLL) Start Event Watcher Thread	
00000024	9.97445393	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000025	9.97730446	[6312] [DEBUG] (DLL) Was told to stop ETW Trace	
00000026	9.97807980	[6312] [DEBUG] (DLL) Stopping Sealighter	
00000027	9.97884369	[6312] [DEBUG] (DLL) DllMain (thread detach)	
00000028	9.97974968	[6312] [DEBUG] (DLL) Finished ETW Trace	
00000029	9.98050785	[6312] [DEBUG] (DLL) DllMain (process detach)

Additional notes

Microsoft seems to have patched some bypass flaws in the meanwhile.
But this already happend in 2018, so I should not be the reason for this issue, but I am adding this note anyway, just in case it "may" be relavant after all.

"Status: fixed"

https://bugs.chromium.org/p/project-zero/issues/detail?id=1336

timestamp is a few hours less than the actual time

Call FileTimeToLocalFileTime before calling FileTimeToSystemTime to correct the time zone of FILETIME

std::string convert_filetime_string
(
const FILETIME from
)
{
SYSTEMTIME stime;
FILETIME localFileTime;
FileTimeToLocalFileTime(std::addressof(from), std::addressof(localFileTime));
::FileTimeToSystemTime(std::addressof(localFileTime), std::addressof(stime));
std::string to = convert_systemtime_string(stime);
return to;
}

Sealighter crashes for MOF providers

Hi,
I tried starting a trace session for the Provider "Active Directory Domain Services: Core" (GUID: 1C83B2FC-C04F-11D1-8AFC-00C04FC21914) but Sealighter crashes after printing the session info.

    "user_traces": [
        {
            "trace_name": "test_file_trace",
			"provider_name": "{1C83B2FC-C04F-11D1-8AFC-00C04FC21914}"
        }
   ]

Looks like the same happens for other MOF Providers as well.

Since it's not mentioned directly in the documentation - are MOF-Providers generally not supported?
KrabsETW does support MOF and I was able to start the session and parse the events directly via Krabs.

Also, is there any flag to activate some verbose debugging output for Sealighter?
Thanks!

ETW Provider not generating any event

Hello, I'm trying to use Sealighter to get events (and filter them) from the following provider: {5BBB6C18-AA45-49B1-A15F-085F7ED0AA90} (for NTLM authentication).

So I created this config file:

{ "session_properties": { "session_name": "seatrace", "output_format": "stdout", "output_filename": "C:\\Users\\user\\Downloads\\sealighter\\output-ntlm.json" }, "user_traces": [ { "trace_name": "ntlm_trace", "provider_name": "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}", "dump_raw_event": true } ] }

Using other providers everything works well, but with this in particular nothing pops out (only the two events of the start/end of the session).

The activity that should trigger events is, for example:

net use \\192.168.1.4 /user:test

Using logman like this:

logman create trace t -p "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}" 0x0FFFFFFFFFFFFFFF 5 -ow out.etl

and doing exactly the same stuff, events are generated without any problem.

Since I have no problems with other providers, I really don't know why this happens.
Any guess?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.