Search the Community

Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal. Features Parsing ProcMon PML files natively. The log (PML) parser has been implemented by porting partial functionality to C# from [Hidden Content]. You can find the format specification here. Crassus will create source code for proxy DLLs for all missing DLLs that were identified. For instance, if an application is vulnerable to DLL Hijacking via version.dll, Crassus will create version.cpp and version.def files for you with all the exports included in it. By default, the proxy DLLs will launch calc.exe. Build scripts are included to build the DLLs on Visual Studio or MinGW. For other events of interest, such as creating a process or loading a library, the ability for unprivileged users to modify the file or any parts of the path to the file is investigated. Able to process large PML files and store all events of interest in an output CSV file. [hide][Hidden Content]]