pathtofile / sealighter Goto Github PK

View Code? Open in Web Editor NEW

286.0 10.0 41.0 294 KB

Sysmon-Like research tool for ETW

C++ 80.58% C 14.86% Roff 4.05% Python 0.50%

sealighter's People

Contributors

Stargazers

Watchers

Forkers

invokethreatguy fengjixuchui triplekill killvxk crackercat shoppingruan zha0 jilvan1234 5l1v3r1 nishantiwari-iitg jessefmoore codingman chopicalqui gerhobbelt wumn290 tobey123 gmh5225 amit-pathak009 0xsojalsec l0rd-v0ldem0rt jmpoep cvlabsio 0xajstrike tandasat classic130 sasqwatch hnisec alexk1vt dfirence conexioninversa raystyle doytsujin lworld0x00 donfucius kyoya2 guymontagne palaniyappanbala chckm473 havealex cpo-eh

sealighter's Issues

Default config file causes error

Using the provided default config file will raise an exception..

https://github.com/pathtofile/Sealighter/blob/main/docs/CONFIGURATION.md#kernel_traces

{
    "session_properties": {
        "session_name": "My-Process-Trace",
        "output_format": "stdout",
        "buffering_timout_seconds":  10
    },
    "user_traces": [
        {
            "trace_name": "proc_trace",
            "provider_name": "Microsoft-Windows-Kernel-Process",
            "keywords_any": 16
        },
        {
            "trace_name": "guid_trace",
            "provider_name": "{382b5e24-181e-417f-a8d6-2155f749e724}",
            "filters": {
                "any_of": {
                    "opcode_is": [1, 2]
                }
            },
            "buffers": [
                {
                    "event_id": 1,
                    "max_before_buffering": 1,
                    "fields": [
                        "ImageName"
                    ]
                }
            ]
        },
    ],
    "kernel_traces": [
        {
            "trace_name": "kernel_proc_trace",
            "provider_name": "process",
        }
    ]
}

[json.exception.parse_error.101] parse error at line 31, column 5: syntax error while parsing value - unexpected ']'; expected '[', '{', or a literal

Dangerous use of printf

Sealighter/sealighter/sealighter_util.cpp

Line 295 in a21de27

printf(message);

The util functions log_messageA and log_messageW pass an arbitrary message string to printf/wprintf as format template.

I noticed this while using the Microsoft-Windows-WinINet provider, which crashes Sealighter when encountering percent-encoded data in an URL.

timestamp is a few hours less than the actual time

Call FileTimeToLocalFileTime before calling FileTimeToSystemTime to correct the time zone of FILETIME

std::string convert_filetime_string
(
const FILETIME from
)
{
SYSTEMTIME stime;
FILETIME localFileTime;
FileTimeToLocalFileTime(std::addressof(from), std::addressof(localFileTime));
::FileTimeToSystemTime(std::addressof(localFileTime), std::addressof(stime));
std::string to = convert_systemtime_string(stime);
return to;
}

Sealighter crashes for MOF providers

Hi,
I tried starting a trace session for the Provider "Active Directory Domain Services: Core" (GUID: 1C83B2FC-C04F-11D1-8AFC-00C04FC21914) but Sealighter crashes after printing the session info.

    "user_traces": [
        {
            "trace_name": "test_file_trace",
			"provider_name": "{1C83B2FC-C04F-11D1-8AFC-00C04FC21914}"
        }
   ]

Looks like the same happens for other MOF Providers as well.

Since it's not mentioned directly in the documentation - are MOF-Providers generally not supported?
KrabsETW does support MOF and I was able to start the session and parse the events directly via Krabs.

Also, is there any flag to activate some verbose debugging output for Sealighter?
Thanks!

No events for Microsoft-Windows-Security-Auditing

I'm curious to see if you have any ideas why this provider Microsoft-Windows-Security-Auditing aka EventLog-Security aka Security log won't work with sealighter. I don't see any events when running this config

{
"session_properties": {
"session_name": "My-Process-Trace",
"output_format": "event_log",
"buffering_timout_seconds": 10
},
"user_traces": [
{
"trace_name": "mystuff",
"provider_name": "Microsoft-Windows-Security-Auditing"
}
],
"kernel_traces": [ ]
}

I've tried, Microsoft-Windows-Security-Auditing, EventLog-Security, Security and {54849625-5478-4994-a5ba-3e3b0328c30d} none produces events. Suppling EventLog-Security or Security in the provider name just produces a "name provider error in the configuration" message. I'm running sealighter as system and I see the events i'm after fire in the security log, but my sealighter produces zip.

This little example works:
https://github.com/microsoft/krabsetw/blob/master/examples/ManagedExamples/UserTrace005.cs

Anyhow, I know this project isn't active, but I have found your creation very interesting in some of my research. I'm digging in trying to understand how you built sealighter and I just have to say thank you for the work you've done.

Issues in recent Windows Version 10.0.19042.746

Sealighter "seems" not to work properly under Windows 10.0.19042.746, tested with Windows vanilla install today.
No Eventchannel for sealighter is beeing created.

Here is the debug data:

Output of sealighter -d

[DEBUG][Korben Dallas] Check requirements
[Korben Dallas] [*] Requirements OK
[DEBUG][Korben Dallas] Get the name of the DLL to hijack
[Korben Dallas] [*] DLL to hijack: EventAggregation.dll
[Korben Dallas] [*] Current user is SYSTEM? -> FALSE
[DEBUG][Korben Dallas] Found a potential Process candidate: PID=744 - Image='winlogon.exe' - User='NT-AUTORIT─T\SYSTEM'
[DEBUG][Korben Dallas] This token is not restricted.
[DEBUG][Korben Dallas] Found 2/2 required privileges in token.
[DEBUG][Korben Dallas] Found a valid Token candidate.
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Create object directory '\GLOBAL??\KnownDlls'...
[SYSTEM] [*] Created Object Directory: '\GLOBAL??\KnownDlls'
[DEBUG][SYSTEM] Create symbolic link '\GLOBAL??\KnownDlls\EventAggregation.dll'...
[SYSTEM] [*] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll'
[DEBUG][Korben Dallas] Create symbolic link '\??\GLOBALROOT -> \GLOBAL??'...
[Korben Dallas] [*] Created symbolic link: '\??\GLOBALROOT -> \GLOBAL??'
[DEBUG][Korben Dallas] Call DefineDosDevice to create '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[Korben Dallas] [*] DefineDosDevice OK
[DEBUG][Korben Dallas] Impersonate SYSTEM again
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Check whether the symbolic link was really created in '\KnownDlls\'
[SYSTEM] [+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Map our DLL to section '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Loaded payload DLL, image size: 664576 bytes
[DEBUG][SYSTEM] Found file for transaction: C:\Windows\system32\mfc140.dll
[DEBUG][SYSTEM] Opened file 'C:\Windows\system32\mfc140.dll' for transaction.
[DEBUG][SYSTEM] Wrote 664576 bytes of embedded payload DLL to transacted file.
[SYSTEM] [*] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Enable privilege SeAssignPrimaryTokenPrivilege
[DEBUG][SYSTEM] Create a primary token
[DEBUG][SYSTEM] Creating protected process with command line: C:\Windows\system32\services.exe aa34e445-7b2d-4680-85be-576f6af2578 -d
[SYSTEM] [*] Started protected process PID 6312, waiting...
[*] Trace Process started, press ctrl+c to stop...
[DEBUG] (DLL) DllMain (process attach)

after pressing CTRL+C the following output was given

[Korben Dallas] Setting Stop Event
[-] The DLL was successfully loaded into the PPL Process
[DEBUG][SYSTEM] Unmap section '\KernelObjects\EventAggregation.dll'...
[DEBUG][SYSTEM] Process exit code: 0
[+] Trace completed :)

Output of sysinternals DebugView64

00000001	0.00000000	[6312] [DEBUG] (DLL) DllMain (process attach)	
00000002	0.00076680	[6312] [DEBUG] (DLL) DEBUG mode enabled	
00000003	0.00103590	[6312] [DEBUG] (DLL) GUID='aa34e445-7b2d-4680-85be-576f6af2578'	
00000004	0.00140630	[6312] [DEBUG] (DLL) Object to delete: \KnownDlls\EventAggregation.dll	
00000005	0.00167800	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', WRITE_DAC) OK	
00000006	0.00185290	[6312] [DEBUG] (DLL) SetKernelObjectSecurity OK	
00000007	0.00206650	[6312] [DEBUG] (DLL) NtClose OK	
00000008	0.00226410	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', DELETE) OK	
00000009	0.00246180	[6312] [DEBUG] (DLL) NtMakeTemporaryObject OK	
00000010	0.00265990	[6312] [DEBUG] (DLL) [*] KnownDll entry 'EventAggregation.dll' removed.	
00000011	0.00285470	[6312] [DEBUG] (DLL) Hooking Main Entry to EXE	
00000012	0.00440480	[6312] [DEBUG] (DLL) [+] StartTracing: SUCCESS	
00000013	0.00466570	[6312] [DEBUG] (DLL) In hooked entrypoint, starting ETW Trace	
00000014	0.00507830	[6312] Session Name: Sealighter-Trace	
00000015	0.00542880	[6312] Outputs: event_log	
00000016	0.00572280	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000017	0.00592730	[6312] User Provider: {F4E1897C-BB5D-5668-F1D8-040F4D8DD344}	
00000018	0.00614790	[6312]     Trace Name: Microsoft-Windows-Threat-Intelligence	
00000019	0.00630860	[6312]     Keywords: All	
00000020	0.00667620	[6312]     No event filters	
00000021	0.00710980	[6312] Starting User Trace...	
00000022	0.00712180	[6312] -----------------------------------------	
00000023	0.00748660	[6312] [DEBUG] (DLL) Start Event Watcher Thread	
00000024	9.97445393	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000025	9.97730446	[6312] [DEBUG] (DLL) Was told to stop ETW Trace	
00000026	9.97807980	[6312] [DEBUG] (DLL) Stopping Sealighter	
00000027	9.97884369	[6312] [DEBUG] (DLL) DllMain (thread detach)	
00000028	9.97974968	[6312] [DEBUG] (DLL) Finished ETW Trace	
00000029	9.98050785	[6312] [DEBUG] (DLL) DllMain (process detach)

Additional notes

Microsoft seems to have patched some bypass flaws in the meanwhile.
But this already happend in 2018, so I should not be the reason for this issue, but I am adding this note anyway, just in case it "may" be relavant after all.

"Status: fixed"

https://bugs.chromium.org/p/project-zero/issues/detail?id=1336

License

Hi, thank you for this cool project. Just wondering about the license for it, could that be added?

ETW Provider not generating any event

Hello, I'm trying to use Sealighter to get events (and filter them) from the following provider: {5BBB6C18-AA45-49B1-A15F-085F7ED0AA90} (for NTLM authentication).

So I created this config file:

{ "session_properties": { "session_name": "seatrace", "output_format": "stdout", "output_filename": "C:\\Users\\user\\Downloads\\sealighter\\output-ntlm.json" }, "user_traces": [ { "trace_name": "ntlm_trace", "provider_name": "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}", "dump_raw_event": true } ] }

Using other providers everything works well, but with this in particular nothing pops out (only the two events of the start/end of the session).

The activity that should trigger events is, for example:

net use \\192.168.1.4 /user:test

Using logman like this:

logman create trace t -p "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}" 0x0FFFFFFFFFFFFFFF 5 -ow out.etl

and doing exactly the same stuff, events are generated without any problem.

Since I have no problems with other providers, I really don't know why this happens.
Any guess?