Closed senzee1984 closed 1 year ago
The issue also applies to aliases.
The execute-assembly command supports -M option, which patches ETW. However, it does not actually patch ETW for the forked process.
These flags (-M and -E) are only used in conjunction with the --in-process flag, as per the help execute-assembly command:
Usage:
======
execute-assembly [flags] filepath [arguments...]
Args:
=====
filepath string path the assembly file
arguments string list arguments to pass to the assembly entrypoint (default: [])
Flags:
======
-M, --amsi-bypass Bypass AMSI on Windows (only supported when used with --in-process)
-E, --etw-bypass Bypass ETW on Windows (only supported when used with --in-process)
-i, --in-process Run in the current sliver process
...
When not using the --in-process flag, the Sliver server will convert the assembly to shellcode using go-donut, and instruct the Donut loader to try to patch AMSI/ETW, but continue on failure.
When using the --in-process flag, we're manually patching the implant's process instead.
@rkervella should we add a warning when the flags are used incorrectly?
Yes, it will help avoid some confusion.
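The warning discussed in the exchange above, sketched as an added example that is not Sliver's own code: the flag parser is a hypothetical stand-in for Sliver's command handler, and -p is assumed to be the only value-taking flag on the command line being checked.

```go
package main

import (
	"fmt"
	"strings"
)

// BypassFlags records the execute-assembly flags this issue is about.
type BypassFlags struct{ InProcess, AMSIBypass, ETWBypass bool }

// ParseBypassFlags scans the arguments after "execute-assembly". Only -p is modelled
// as value-taking (it appears in the repro); parsing stops at the assembly path.
func ParseBypassFlags(args []string) BypassFlags {
	var f BypassFlags
	for i := 0; i < len(args); i++ {
		switch a := args[i]; a {
		case "-i", "--in-process":
			f.InProcess = true
		case "-M", "--amsi-bypass":
			f.AMSIBypass = true
		case "-E", "--etw-bypass":
			f.ETWBypass = true
		case "-p", "--process":
			i++ // skip the hosting-process value
		default:
			if !strings.HasPrefix(a, "-") {
				return f // assembly path reached; the rest belongs to the assembly
			}
		}
	}
	return f
}

// BypassWarning returns the warning the maintainers proposed: without --in-process the
// implant ignores -M/-E and the best-effort patch is left to the Donut loader. "" = no warning.
func BypassWarning(f BypassFlags) string {
	if f.InProcess {
		return ""
	}
	var ignored []string
	if f.AMSIBypass {
		ignored = append(ignored, "--amsi-bypass")
	}
	if f.ETWBypass {
		ignored = append(ignored, "--etw-bypass")
	}
	if len(ignored) == 0 {
		return ""
	}
	return fmt.Sprintf("warning: %s only takes effect with --in-process (the forked process relies on the Donut loader's best-effort patch)", strings.Join(ignored, " and "))
}
```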
Describe the bug
The execute-assembly command supports the -M option, which patches ETW. However, it does not actually patch ETW for the forked process.
To Reproduce
Steps to reproduce the behavior:
execute-assembly -M -E -p gpupdate.exe sharpup.exe audit
In the .NET assemblies tab, you can still see sharpup.
Expected behavior
In the .NET assemblies tab, the output should be: Unable to start the event tracing session: This operation returned because the timeout period expired.
Additional context
If using in-process execute-assembly, the issue does not exist.