better handling for stdout in various post-ex jobs
its-a-feature committed Nov 12, 2024
1 parent 6f2aa4b commit 820fa89
Showing 13 changed files with 235 additions and 183 deletions.
9 changes: 9 additions & 0 deletions Payload_Type/apollo/CHANGELOG.MD
Expand Up @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [v2.2.20] - 2024-11-12

### Changed

- Updated powerpick and PowerShellHost to handle output the same way as execute_assembly and execute_pe
- Updated sacrificial process code to only star tasks for reading stdout/stderr for non-fork and run jobs
- Updated `ps` to include `update_deleted` and send all output at once so Mythic can update the process browser properly
- Updated `kill` to also support `process_browser:kill`

## [v2.2.19] - 2024-11-08

### Changed
2 changes: 1 addition & 1 deletion Payload_Type/apollo/Dockerfile
Expand Up @@ -12,7 +12,7 @@ RUN curl -L -o donut_shellcode-2.0.0.tar.gz https://github.com/MEhrn00/donut/rel

WORKDIR /Mythic/
RUN python3 -m venv /venv
RUN /venv/bin/python -m pip install mythic-container==0.5.9
RUN /venv/bin/python -m pip install mythic-container==0.5.14
RUN /venv/bin/python -m pip install git+https://github.com/MEhrn00/[email protected]
RUN /venv/bin/python -m pip install mslex

Expand Up @@ -51,6 +51,8 @@ public MessageType GetTypeCode()
public string CompanyName;
[DataMember(Name = "window_title")]
public string WindowTitle;
[DataMember(Name = "update_deleted")]
public bool UpdateDeleted;
}
//
[DataContract]
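Review bot: The new `UpdateDeleted` member carries no comment saying which task sets it or what the receiving side is expected to do with it, and the file header naming this data contract is not visible on this page. The CHANGELOG entry in the same commit ties `update_deleted` to the `ps` task and to Mythic refreshing the process browser, so a one-line doc comment above the attribute would keep that knowledge next to the field: `/// Set by the ps task; presumably tells Mythic to refresh the process browser from this full listing (see CHANGELOG v2.2.20).` The enclosing class starts before the shown lines.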
35 changes: 24 additions & 11 deletions Payload_Type/apollo/apollo/agent_code/PowerShellHost/Program.cs
Expand Up @@ -54,12 +54,16 @@ static void Main(string[] args)
_senderEvent,
_cts.Token.WaitHandle
});
if (_senderQueue.TryDequeue(out byte[] result))
while (_senderQueue.TryDequeue(out byte[] message))
{
pipe.BeginWrite(result, 0, result.Length, OnAsyncMessageSent, pipe);
pipe.BeginWrite(message, 0, message.Length, OnAsyncMessageSent, pipe);
}
}
pipe.Flush();
while (_senderQueue.TryDequeue(out byte[] message))
{
pipe.BeginWrite(message, 0, message.Length, OnAsyncMessageSent, pipe);
}
pipe.WaitForPipeDrain();
pipe.Close();
};
_server = new AsyncNamedPipeServer(_namedPipeName, null, 1, IPC.SEND_SIZE, IPC.RECV_SIZE);
Expand All @@ -79,7 +83,7 @@ static void Main(string[] args)
EventableStringWriter stderrSw = new EventableStringWriter();

stdoutSw.BufferWritten += OnBufferWrite;

stderrSw.BufferWritten += OnBufferWrite;

Console.SetOut(stdoutSw);
Console.SetError(stderrSw);
Expand Down Expand Up @@ -113,6 +117,11 @@ static void Main(string[] args)
Console.SetOut(oldStderr);
}
_cts.Cancel();
// Wait for the pipe client comms to finish
while (_clientConnectedTask is ST.Task task && !_clientConnectedTask.IsCompleted)
{
task.Wait(1000);
}
}


Expand All @@ -122,20 +131,24 @@ private static void OnBufferWrite(object sender, ApolloInterop.Classes.Events.St
{
if (e.Data != null)
{
_senderQueue.Enqueue(Encoding.UTF8.GetBytes(e.Data));
_senderEvent.Set();
try
{
_senderQueue.Enqueue(Encoding.UTF8.GetBytes(e.Data));
_senderEvent.Set();
}
catch
{

}

}
}

private static void OnAsyncMessageSent(IAsyncResult result)
{
PipeStream pipe = (PipeStream)result.AsyncState;
pipe.EndWrite(result);
// Potentially delete this since theoretically the sender Task does everything
if (_senderQueue.TryDequeue(out byte[] data))
{
pipe.BeginWrite(data, 0, data.Length, OnAsyncMessageSent, pipe);
}
pipe.Flush();
}

private static void OnAsyncMessageReceived(object sender, NamedPipeMessageArgs args)
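Review bot: The `catch { }` added to `OnBufferWrite` swallows every exception without a comment, so a genuine failure on the output path would disappear silently. If the intent is to tolerate output that arrives after `_cts.Cancel()` has torn down `_senderEvent`, catch only that case and say so: `catch (ObjectDisposedException) { /* output after shutdown is dropped */ }`. Separately, the sender loop now issues one `BeginWrite` per queued message without waiting for the previous one to complete (both the loop inside the wait and the drain before `WaitForPipeDrain`); whether several outstanding writes on the same `PipeStream` preserve message order is not something the hunk establishes, so it is worth confirming or using a synchronous `pipe.Write` in that loop. `Main` and `OnBufferWrite` both extend beyond the shown lines.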
Expand Up @@ -569,6 +569,8 @@ private void PostStartupInitialize()
{
Handle = _processInfo.hProcess;
PID = (uint)_processInfo.dwProcessId;
if (_startSuspended) { return; }
// only start processing stdout/stderr/stdin for non sacrificial jobs
_standardOutput = new StreamReader(new FileStream(hReadOut, FileAccess.Read), Console.OutputEncoding);
_standardError = new StreamReader(new FileStream(hReadErr, FileAccess.Read), Console.OutputEncoding);
_standardInput = new StreamWriter(new FileStream(hWriteIn, FileAccess.Write), Console.InputEncoding);
Expand All @@ -580,14 +582,19 @@ private async void WaitForExitAsync()
{
await Task.Factory.StartNew(() =>
{
var stdOutTask = GetStdOutAsync();
var stdErrTask = GetStdErrAsync();
if (!_startSuspended)
{
var stdOutTask = GetStdOutAsync();
var stdErrTask = GetStdErrAsync();
stdOutTask.Start();
stdErrTask.Start();
}

var waitExitForever = new Task(() =>
{
_pWaitForSingleObject(Handle, 0xFFFFFFFF);
});
stdOutTask.Start();
stdErrTask.Start();

waitExitForever.Start();

try
Expand Down Expand Up @@ -625,7 +632,7 @@ await Task.Factory.StartNew(() =>
private IEnumerable<string> ReadStream(TextReader stream)
{
string output = "";
int szBuffer = 20;
int szBuffer = 4096;
int bytesRead = 0;
char[] tmp;
bool needsBreak = false;
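Review bot: The early `return` added to `PostStartupInitialize` when `_startSuspended` is set skips wrapping `hReadOut`, `hReadErr` and `hWriteIn` in streams, and nothing in the hunk closes those handles instead. They are declared outside the hunk, so this is inferred, but if the caller has already created the stdio pipes then the parent keeps its ends open for the life of the object on the suspended path, which is a handle leak per job. Consider releasing the three handles before returning, e.g. `if (_startSuspended) { /* release hReadOut, hReadErr, hWriteIn here */ return; }` using whatever close or dispose routine the class already applies to them on the normal path. The `WaitForExitAsync` change is consistent with this guard; both methods continue past the shown lines.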
