
sealighter's Issues

Dangerous use of printf

printf(message);

The util functions log_messageA and log_messageW pass an arbitrary message string to printf/wprintf as format template.

I noticed this while using the Microsoft-Windows-WinINet provider, which crashes Sealighter when encountering percent-encoded data in a URL.
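The bug shape from this issue next to its fix, as an added example (not sealighter's own code; function names are hypothetical and the sample URL is constructed): the message must travel as a %s argument, never as the template itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a URL carrying percent-encoded data, the kind of
 * string the Microsoft-Windows-WinINet provider emits. */
static const char SAMPLE_URL[] = "https://example.test/?q=a%20b%25c";

/* Vulnerable shape from the issue: the message *is* the format string.
 * printf scans it for conversions, so "%20" consumes a vararg that was
 * never passed and the process reads garbage or crashes. Shown for
 * comparison only; never call it with event data. */
void log_message_unsafe(const char *message) {
    printf(message);   /* -Wformat-security flags exactly this line */
}

/* Hardened shape: the template is a constant, the message is an argument. */
static void log_message_safe(const char *message) {
    printf("%s\n", message);
}

/* Buffer-writing variant of the safe form so the result can be checked. */
static int format_message_safe(char *out, size_t out_len, const char *message) {
    return snprintf(out, out_len, "%s", message);
}

/* Returns 1 when the safe path reproduces the message byte for byte. */
static int safe_roundtrip_ok(const char *message) {
    char buf[512];
    int n = format_message_safe(buf, sizeof buf, message);
    return n == (int)strlen(message) && strcmp(buf, message) == 0;
}

/* Count '%' characters printf would treat as the start of a conversion
 * (every '%' not part of a literal "%%"). A non-zero count on a string
 * that reaches printf's format position is the defect this issue reports. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

int main(void) {
    printf("directives in sample: %d\n", count_format_directives(SAMPLE_URL));
    log_message_safe(SAMPLE_URL);
    return 0;
}
```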

Issues in recent Windows Version 10.0.19042.746

Sealighter "seems" not to work properly under Windows 10.0.19042.746, tested with a vanilla Windows install today.
No event channel for sealighter is being created.

Here is the debug data:

Output of sealighter -d

[DEBUG][Korben Dallas] Check requirements
[Korben Dallas] [*] Requirements OK
[DEBUG][Korben Dallas] Get the name of the DLL to hijack
[Korben Dallas] [*] DLL to hijack: EventAggregation.dll
[Korben Dallas] [*] Current user is SYSTEM? -> FALSE
[DEBUG][Korben Dallas] Found a potential Process candidate: PID=744 - Image='winlogon.exe' - User='NT-AUTORITÄT\SYSTEM'
[DEBUG][Korben Dallas] This token is not restricted.
[DEBUG][Korben Dallas] Found 2/2 required privileges in token.
[DEBUG][Korben Dallas] Found a valid Token candidate.
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Create object directory '\GLOBAL??\KnownDlls'...
[SYSTEM] [*] Created Object Directory: '\GLOBAL??\KnownDlls'
[DEBUG][SYSTEM] Create symbolic link '\GLOBAL??\KnownDlls\EventAggregation.dll'...
[SYSTEM] [*] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll'
[DEBUG][Korben Dallas] Create symbolic link '\??\GLOBALROOT -> \GLOBAL??'...
[Korben Dallas] [*] Created symbolic link: '\??\GLOBALROOT -> \GLOBAL??'
[DEBUG][Korben Dallas] Call DefineDosDevice to create '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[Korben Dallas] [*] DefineDosDevice OK
[DEBUG][Korben Dallas] Impersonate SYSTEM again
[SYSTEM] [*] Impersonating SYSTEM...
[DEBUG][SYSTEM] Check whether the symbolic link was really created in '\KnownDlls\'
[SYSTEM] [+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Map our DLL to section '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Loaded payload DLL, image size: 664576 bytes
[DEBUG][SYSTEM] Found file for transaction: C:\Windows\system32\mfc140.dll
[DEBUG][SYSTEM] Opened file 'C:\Windows\system32\mfc140.dll' for transaction.
[DEBUG][SYSTEM] Wrote 664576 bytes of embedded payload DLL to transacted file.
[SYSTEM] [*] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Enable privilege SeAssignPrimaryTokenPrivilege
[DEBUG][SYSTEM] Create a primary token
[DEBUG][SYSTEM] Creating protected process with command line: C:\Windows\system32\services.exe aa34e445-7b2d-4680-85be-576f6af2578 -d
[SYSTEM] [*] Started protected process PID 6312, waiting...
[*] Trace Process started, press ctrl+c to stop...
[DEBUG] (DLL) DllMain (process attach)

after pressing CTRL+C the following output was given

[Korben Dallas] Setting Stop Event
[-] The DLL was successfully loaded into the PPL Process
[DEBUG][SYSTEM] Unmap section '\KernelObjects\EventAggregation.dll'...
[DEBUG][SYSTEM] Process exit code: 0
[+] Trace completed :)

Output of sysinternals DebugView64

00000001	0.00000000	[6312] [DEBUG] (DLL) DllMain (process attach)	
00000002	0.00076680	[6312] [DEBUG] (DLL) DEBUG mode enabled	
00000003	0.00103590	[6312] [DEBUG] (DLL) GUID='aa34e445-7b2d-4680-85be-576f6af2578'	
00000004	0.00140630	[6312] [DEBUG] (DLL) Object to delete: \KnownDlls\EventAggregation.dll	
00000005	0.00167800	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', WRITE_DAC) OK	
00000006	0.00185290	[6312] [DEBUG] (DLL) SetKernelObjectSecurity OK	
00000007	0.00206650	[6312] [DEBUG] (DLL) NtClose OK	
00000008	0.00226410	[6312] [DEBUG] (DLL) NtOpenSymbolicLinkObject('\KnownDlls\EventAggregation.dll', DELETE) OK	
00000009	0.00246180	[6312] [DEBUG] (DLL) NtMakeTemporaryObject OK	
00000010	0.00265990	[6312] [DEBUG] (DLL) [*] KnownDll entry 'EventAggregation.dll' removed.	
00000011	0.00285470	[6312] [DEBUG] (DLL) Hooking Main Entry to EXE	
00000012	0.00440480	[6312] [DEBUG] (DLL) [+] StartTracing: SUCCESS	
00000013	0.00466570	[6312] [DEBUG] (DLL) In hooked entrypoint, starting ETW Trace	
00000014	0.00507830	[6312] Session Name: Sealighter-Trace	
00000015	0.00542880	[6312] Outputs: event_log	
00000016	0.00572280	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000017	0.00592730	[6312] User Provider: {F4E1897C-BB5D-5668-F1D8-040F4D8DD344}	
00000018	0.00614790	[6312]     Trace Name: Microsoft-Windows-Threat-Intelligence	
00000019	0.00630860	[6312]     Keywords: All	
00000020	0.00667620	[6312]     No event filters	
00000021	0.00710980	[6312] Starting User Trace...	
00000022	0.00712180	[6312] -----------------------------------------	
00000023	0.00748660	[6312] [DEBUG] (DLL) Start Event Watcher Thread	
00000024	9.97445393	[6312] [DEBUG] (DLL) DllMain (thread attach)	
00000025	9.97730446	[6312] [DEBUG] (DLL) Was told to stop ETW Trace	
00000026	9.97807980	[6312] [DEBUG] (DLL) Stopping Sealighter	
00000027	9.97884369	[6312] [DEBUG] (DLL) DllMain (thread detach)	
00000028	9.97974968	[6312] [DEBUG] (DLL) Finished ETW Trace	
00000029	9.98050785	[6312] [DEBUG] (DLL) DllMain (process detach)	

Additional notes

Microsoft seems to have patched some bypass flaws in the meanwhile.
But this already happened in 2018, so I should not be the reason for this issue, but I am adding this note anyway, just in case it "may" be relevant after all.

"Status: fixed"

https://bugs.chromium.org/p/project-zero/issues/detail?id=1336

timestamp is a few hours less than the actual time

Call FileTimeToLocalFileTime before calling FileTimeToSystemTime to correct the time zone of FILETIME

#include <windows.h>
#include <memory>
#include <string>

// sealighter's own helper that renders a SYSTEMTIME as text (signature assumed here).
std::string convert_systemtime_string(const SYSTEMTIME& stime);

std::string convert_filetime_string
(
    const FILETIME from
)
{
    SYSTEMTIME stime{};
    FILETIME localFileTime{};
    // The FILETIME carried in ETW events is UTC; convert it to the local
    // time zone first so the rendered timestamp matches wall-clock time.
    ::FileTimeToLocalFileTime(std::addressof(from), std::addressof(localFileTime));
    ::FileTimeToSystemTime(std::addressof(localFileTime), std::addressof(stime));
    std::string to = convert_systemtime_string(stime);
    return to;
}

Sealighter crashes for MOF providers

Hi,
I tried starting a trace session for the Provider "Active Directory Domain Services: Core" (GUID: 1C83B2FC-C04F-11D1-8AFC-00C04FC21914) but Sealighter crashes after printing the session info.

    "user_traces": [
        {
            "trace_name": "test_file_trace",
            "provider_name": "{1C83B2FC-C04F-11D1-8AFC-00C04FC21914}"
        }
    ]

Looks like the same happens for other MOF Providers as well.

Since it's not mentioned directly in the documentation - are MOF-Providers generally not supported?
KrabsETW does support MOF and I was able to start the session and parse the events directly via Krabs.

Also, is there any flag to activate some verbose debugging output for Sealighter?
Thanks!

ETW Provider not generating any event

Hello, I'm trying to use Sealighter to get events (and filter them) from the following provider: {5BBB6C18-AA45-49B1-A15F-085F7ED0AA90} (for NTLM authentication).

So I created this config file:

{
    "session_properties": {
        "session_name": "seatrace",
        "output_format": "stdout",
        "output_filename": "C:\\Users\\user\\Downloads\\sealighter\\output-ntlm.json"
    },
    "user_traces": [
        {
            "trace_name": "ntlm_trace",
            "provider_name": "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}",
            "dump_raw_event": true
        }
    ]
}

Using other providers everything works well, but with this in particular nothing pops out (only the two events of the start/end of the session).

The activity that should trigger events is, for example:

net use \\192.168.1.4 /user:test

Using logman like this:

logman create trace t -p "{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90}" 0x0FFFFFFFFFFFFFFF 5 -ow out.etl

and doing exactly the same stuff, events are generated without any problem.

Since I have no problems with other providers, I really don't know why this happens.
Any guess?
