If you have seen the film Spartacus from 1960, you will remember the scene where the Romans are asking for Spartacus to give himself up. The moment the real Spartacus stood up, a lot of others stood up as well and claimed to be him using the "I AM SPARTACUS" phrase.
When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loaded, it's kind of asking "WHO IS VERSION.DLL?" and random directories start claiming "I AM VERSION.DLL" and "NO, I AM VERSION.DLL". And thus, Spartacus.
Did you really make yet another DLL Hijacking discovery tool?
Command Line Arguments
|Location (file) to store the ProcMon event log file. If the file exists, it will be overwritten. When used with |
|Define a custom ProcMon (PMC) file to use. This file will not be modified and will be used as is.|
|Location (file) to store the CSV output of the execution. This file will include only the DLLs that were marked as NAME_NOT_FOUND, PATH_NOT_FOUND, and were in user-writable locations (it excludes anything in the |
|Define process names (comma separated) that you want to track, helpful when you are interested only in a specific process.|
|Location (folder) in which all the proxy DLL files will be saved. Proxy DLL files will only be generated if this argument is used.|
|Location (file) of the SysInternals Process Monitor |
|Define a DLL template to use for generating the proxy DLL files. Only relevant when |
|Switch to indicate that Spartacus should process an existing ProcMon event log file (PML). To indicate the event log file use |
|By default any DLLs in the Windows or Program Files directories will be skipped. Use this to include those directories in the output.|
|Try to identify DLLs that are proxying calls (like 'DLL Hijacking in progress'). This isn't a feature to be relied upon; it's there to catch the low-hanging fruit.|
|Enable verbose output.|
|Enable debug output.|
|Switch to indicate that Spartacus will be creating proxy functions for all identified export functions.|
|Used only with --generate-proxy. Absolute path to Ghidra's 'analyzeHeadless.bat' file.|
|Used only with --generate-proxy. Absolute path to the DLL you want to proxy.|
|Used only with --generate-proxy. Absolute path to the directory where the solution of the proxy will be stored. This directory should not exist, and will be auto-created.|
|Used only with --generate-proxy. Comma-separated string of functions to clone, such as 'WTSFreeMemory,WTSFreeMemoryExA,WTSSetUserConfigA'.|
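
The CSV filter described in the table above (DLL lookups that ended in NAME_NOT_FOUND or PATH_NOT_FOUND, outside the Windows and Program Files directories), as an added example that is not Spartacus's own code: it triages a ProcMon CSV export so the missing-DLL lookups can be reviewed and the search paths or directory permissions fixed. The column layout, the sample rows and the function name `missing_dll_lookups` are assumptions constructed for illustration, and the directory exclusion stands in for the tool's user-writable check.

```python
import csv
import io

# Constructed sample rows; the header follows the assumed ProcMon CSV export layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","app.exe","4120","CreateFile","C:\Tools\App\version.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01","app.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read"
"10:00:02","app.exe","4120","CreateFile","C:\Program Files\App\missing.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:03","other.exe","5332","CreateFile","D:\Data\plugins\helper.dll","PATH NOT FOUND","Desired Access: Read"
"10:00:04","app.exe","4120","CreateFile","C:\Tools\App\config.ini","NAME NOT FOUND","Desired Access: Read"
"10:00:05","app.exe","4120","CreateFile","C:\Tools\App\version.dll","NAME NOT FOUND","Desired Access: Read"
'''

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}
# Directories skipped by default, mirroring the Windows / Program Files exclusion.
SKIPPED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def missing_dll_lookups(csv_text, processes=None, include_system=False):
    """Return unique (process, path) DLL lookups that failed with a 'not found' result."""
    wanted = {p.lower() for p in processes} if processes else None
    seen, findings = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Accept both "NAME NOT FOUND" and "NAME_NOT_FOUND" spellings.
        result = row["Result"].strip().upper().replace("_", " ")
        path = row["Path"].strip()
        proc = row["Process Name"].strip()
        if result not in MISSING or not path.lower().endswith(".dll"):
            continue
        if wanted is not None and proc.lower() not in wanted:
            continue  # process-name filter (comma-separated list in the tool)
        if not include_system and path.lower().startswith(SKIPPED_ROOTS):
            continue  # system locations are excluded unless explicitly included
        key = (proc.lower(), path.lower())
        if key in seen:
            continue  # the same lookup is usually repeated many times in a log
        seen.add(key)
        findings.append({"process": proc, "path": path, "result": result})
    return findings


if __name__ == "__main__":
    for finding in missing_dll_lookups(SAMPLE_CSV):
        print(finding["process"], finding["result"], finding["path"], sep=" | ")
```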