Not capturing STDOUT/STDERR

[aconite33]

When running certain PE files, the STDOUT/STDERR is not be captured approximately.

RunPE Version: Latest
OS: Windows 10
Build: OS Version: 10.0.19045 N/A Build 19045

Example running Mimikatz (latest):

[...snippet...]

As you can see, the execution of the PE works, however no output is pushed to the redirection pipe handlers.

I am using our C2 to wrap this functionality and when I try to get the output, there is nothing that is returned (https://github.com/nettitude/RunPE/blob/main/RunPE/Program.cs#L107)

I have also tried the CheekyBlinders (https://github.com/br-sn/CheekyBlinder) PE file, which results in the same issue of no output being collected.

[riskydissonance]

Hi @aconite33 , thanks for the issue, however I'm not able to reproduce locally. Are you able to let us know:

• What C2 you are using?
• What version of mimikatz.exe are you using (git hash)
• If you run it directly from the CLI does it work?

E.g.

runpe.exe C:\users\user\Downloads\mimikatz.exe coffee exit gives me

[aconite33]

C2: Private C2 we develop Latest version of Mimikatz CLI has the same output/response when we wrap it into the C2.

@benpturner was able to get it working on his side, so I don't know if this is an 'us' issue, e.g., are we compiling it incorrectly?

[riskydissonance]

I'm also unable to reproduce your issue locally (see my screenshot above) but I'll look into it a bit more, thanks for the quick response!

[riskydissonance]

Just rebuilt latest mimikatz and runpe and still unable to reproduce, may need more details to get any further. I have push a couple of minor changes as well as updating the target framework so maybe double check none of that changed anything? I'm building on Win11 using VS2022.

[aconite33]

@m0rv4i

Just pulled the latest, built on Visual Studio 2022. Target Framework 4.5.1. Built on Windows Professional 10, latest.

Same Result

[aconite33]

Also tried targeting .Net Framework 4.8

[aconite33]

@m0rv4i same with Windows 11 (Enterprise, latest updates) Mimikatz (latest release), Visual Studio 2022.

[aconite33]

Checking in again.

I tried pulling a fresh install Windows 10 Enterprise, latest updates.

Latest Mimikatz. I am still getting STDOUT/ERR issues. Screenshots below.

I am running QEMU Windows 10 Enterprise.

I also tried on a Windows 10 baremetal system and I still am getting the same results.

Is it possible to get a build from your guys end @m0rv4i so I can try to debug if it's on our side for compiling?

[aconite33]

@m0rv4i Well, after a bunch of debugging I built Mimikatz on my own systems and now I get the expected result and execution. The release version of MImikatz (running the exe from GitHub) gets you the same result I have been having. I am unsure what the difference is, but that solves the Mimikatz question.

The still outstanding issue is CheekyBlinders. I am still getting the same result as the release exe of Mimikatz. I'm wondering if there is some underlying config on those .exe's that is causing RunPE not to pick up the output.

I noticed that the standard pipe redirection might be the culprit to why these release versions of Mimikatz and locally compiled CheekyBlinders seem to not pick up on the output redirection.

[aconite33]

#include <iostream>

int main(int argc, char* argv[]) {
    for (int i = 0; i < argc; i++) {
        printf("%d: %s\n", i, argv[i]);
    }

    return 0;
}

Used a simple C program to try and get output to stdout/stderr and this resulted in executing it outside of the capture point in RunPE. I think there is something specific about the redirection of pipes that RunPE isn't able to capture.

[riskydissonance]

This is super useful, thanks @aconite33 - I'm on site atm so not much bandwidth but will investigate when I get time (probably next week)

[aconite33]

This is super useful, thanks @aconite33 - I'm on site atm so not much bandwidth but will investigate when I get time (probably next week)

Sounds good. We are still investigating on our side, if we come up with anything I'll continue this horribly long thread that I started! :smile:

[aconite33]

Anndddd boom goes the dynamite.

Any program you want to run within RunPE needs this changed when compiling with Visual Studio:

Project -> Properties -> C/C++ -> Code Generation -> RunTime Library -> Multi-Threaded Debug

Thanks to @kerrymilan for debugging it.

Here is CheekyBlinders running:

Reason for the fix might be due to static compilation?

https://learn.microsoft.com/en-us/cpp/build/reference/md-mt-ld-use-run-time-library?view=msvc-170

[benpturner]

Nice find, we've definitely seen some of this in the past, e.g. static vs dynamic linking when running in memory. Must have had this configuration our side, i'll check and confirm as well 🙌

[riskydissonance]

Legends

[riskydissonance]

Thanks again all!

[bopin2020]

Test failed, even if change compilation to Multi-Threaded Debug.