[WIP] Screenshot overhaul (milestone 1)

MythicAgents / Apollo

A .NET Framework 4.0 Windows Agent

BSD 3-Clause "New" or "Revised" License

439 stars 89 forks source link

[WIP] Screenshot overhaul (milestone 1) #16

Closed reznok closed 3 years ago

reznok commented 3 years ago

This PR is to address Milestone 1, Screenshot Overhaul: https://github.com/MythicAgents/Apollo/milestone/1

Screenshot now functions similarly to psinject/assembly_inject. It will:

Inject screenshot functionality into remote process
Open a named pipe
Take screenshots from all screens and send them into the pipe
Apollo screenshot command module will connect to pipe and receive screenshot bytes
Apollo uploads screenshots to Mythic

TODO:

Update documentation in documentation container
Update Mythic to display screenshot previews
Display download progress

djhohnstein commented 3 years ago

The kind of PR people dream about. I'll review today.

djhohnstein commented 3 years ago

Overall, very well done. My main feedback points are:

When creating a new binary formatter, you should create a new IPC message to which the message binder can filter on.
This new IPC message should look somewhat like the following:
```
struct ScreenshotMessage {
public byte[] Capture;
public string ErrorMessage;
}
```
Then in the agent, you know you'll always receive one or more ScreenshotMessages, and if the module unexpectedly errors out, it can communicate that error to the agent.

reznok commented 3 years ago

Error handling and IPC messages/BiunaryFormatter bindings have been added.

Design Changes: As we talked about in Slack, the client has no way of knowing how many screenshot messages it will be receiving. It is currently designed to keep processing screenshot messages until a ScreenshotTerminationMessage is received.