The fuzzer will send all kinds of inputs to RPC methods/functions. Using process monitor (procmon), it is possible to gain insights in the system calls being made. The fuzzer generates a unique string for each input (if the method supports a string parameter). By adding a static string infront like incendiumrocks_, we get a result of incendiumrocks_MYRANDOMSTRING. Now you can apply a filter in procmon for incendiumrocks_ and see all calls coming from the fuzzer. A example video is displayed below.
NAME
Import-ProcMonCsv
SYNTAX
Import-ProcMonCsv [[-procmonCsvPath] <string>] [[-Canary] <string> [[-Neo4jHost] <string>] [[-Neo4jUsername] <string>]
OPTIONS
-procmonCsvPath Path to CSV file containing Process Monitor events (can also be piped)
-Canary Canary used to fuzz (default incendiumrocks)
-Neo4jHost IPv4 + Port of the Neo4j host (e.g 192.168.178.89:7474)
-Neo4jUsername Username for the Neo4j database
To specify a custom static string, provide the tool with the -canary parameter:
".\rpcServerData.json" | Invoke-RpcFuzzer -OutPath .\output\ -canary "mytestcanary"By default, it will use "incendiumrocks_" as canary.
Import Process Monitor events (CSV)
Run
Import-DataToNeo4jbefore runningImport-ProcMonCsvto make the connection to the Neo4j database
The fuzzer has the option to import a Process Monitor export (csv) and map it to Neo4j.
# Through pipe
"C:\Path\To\My\Export.csv" | Import-ProcMonCsv -canary "mytestcanary" -Neo4jHost 192.168.178.89:7474 -Neo4jUsername neo4j
[+] Successfully imported Process Monitor events to Neo4j
# Or use -procmonCsvPath
import-procMonCsv -procmonCsvPath "..\Logfile.CSV" -canary "mytestcanary" -Neo4jHost 192.168.178.89:7474 -Neo4jUsername neo4j
[+] Successfully imported Process Monitor events to Neo4j