Open HUMORCE opened 3 years ago
invoke-webrequest example.org
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32.dll GetAddrInfoExW() called
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32.dll FreeAddrInfoExW() called
[PID18724] [D] 2020/12/23 23:59:41 Mswsock.dll (FP)ConnectEx(2688, [::ffff:93.184.216.34]:80, 28) called
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32_GenericTunnelTo(localhost:5354)
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32_GenericConnectTo(localhost:5354)
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32.dll freeaddrinfo() called
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32_DirectConnect([::1]:5354)
[PID18724] [W] 2020/12/23 23:59:43 connect() error: No connection could be made because the target machine actively refused it.(10061)
[PID18724] [D] 2020/12/23 23:59:43 Ws2_32_GenericTunnelTo(localhost:5354) connect failed!
[PID18724] [W] 2020/12/23 23:59:43 Mswsock.dll (FP)ConnectEx(2688 [::ffff:93.184.216.34]:80 28) PROXY ret: 0, wsa last error: No connection could be made because the target machine actively refused it.(10061)
Invoke-WebRequest: No connection could be made because the target machine actively refused it.
[USERNAME@DUST proxychains_0.6.8_win32_x64_debug]$[PID18724] [D] 2020/12/23 23:59:43 (In CreateProcessW) g_pRemoteData->dwDebugDepth = 1
[PID18724] [D] 2020/12/23 23:59:43 CreateProcessW: (null), "C:\Users\USERNAME\scoop\apps\lua\current\lua.exe" C:\Users\USERNAME\scoop\apps\z.lua\current\z.lua --add C:\Users\USERNAME\Desktop\proxychains_0.6.8_win32_x64_debug, lpProcessAttributes: 0x8fbf08d6f0, lpThreadAttributes: 0x8fbf08d6f0, bInheritHandles: 1, dwCreationFlags: 0, lpCurrentDirectory: C:\Users\USERNAME\Desktop\proxychains_0.6.8_win32_x64_debug; Ret: 1 Child winpid 16016, tid 10964
[PID18724] [D] 2020/12/23 23:59:43 Child is an X64 process.
[PID18724] [D] 2020/12/23 23:59:43 C:\Users\USERNAME\Desktop\proxychains_0.6.8_win32_x64_debug\proxychains_hook_x64d.dll
[PID18724] [D] 2020/12/23 23:59:43 pTargetPeb: 000000000031E000, TargetCtx.Rax - Rdx: 0000000000000000 0000000000000000 0000000000401500 000000000031E000.
[PID18724] [D] 2020/12/23 23:59:43 pTargetOriginalEntry: 0000000000401500
[PID16016] [D] 2020/12/23 23:59:43 (In InitHook) g_pRemoteData->dwDebugDepth = 2
[D] 2020/12/23 23:59:43 Child process winpid 16016 created.
[D] 2020/12/23 23:59:43 Registered child pid 16016
[D] 2020/12/23 23:59:43 PerProcessTable:
[D] 2020/12/23 23:59:43
[WINPID18724 PerProcessData]
[D] 2020/12/23 23:59:43
[WINPID16016 PerProcessData]
[PID16016] [D] 2020/12/23 23:59:43 I'm WINPID 16016 Hooked!
[PID18724] [D] 2020/12/23 23:59:43 I've Injected WINPID 16016
[D] 2020/12/23 23:59:43 Child process winpid 16016 exited (0000000000).
[D] 2020/12/23 23:59:43 PerProcessTable:
[D] 2020/12/23 23:59:43
[WINPID18724 PerProcessData]
Output of the debug release.
2 issues:
- For a temporary solution, can you try disabling the IPv6 stack on Windows and see whether it works? (Note that this way, the name resolving process is not proxified.)
- pwsh 7.1.0 uses an unknown function to resolve names, not intercepted by proxychains.exe
~an unknown function~ GetAddrInfoExW (not intercepted at present)
> For a temporary solution, can you try disabling the IPv6 stack on Windows and see whether it works? (Note that this way, the name resolving process is not proxified.)

Tried, doesn't work.

> - pwsh 7.1.0 uses an unknown function to resolve names, not intercepted by proxychains.exe
> ~an unknown function~ GetAddrInfoExW (not intercepted at present)

Woah, the cat was caught.
proxychains -l D pwsh -Command 'iwr example.org'
[PID14808] [W] 2021/01/01 11:41:51 GetThreadContext() Failed: The parameter is incorrect.(87)
[PID14808] [E] 2021/01/01 11:41:51 Injecting WINPID 6108 Error: The parameter is incorrect.(87)
StatusCode : 200
StatusDescription : OK
Content : <!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" conten…
RawContent : HTTP/1.1 200 OK
Age: 500383
Cache-Control: max-age=604800
Date: Fri, 01 Jan 2021 11:41:51 GMT
ETag: "3147526947+ident"
Server: ECS
Server: (sjc/16DD)
Vary: Accept-Encoding
X-Cache: HIT
Conten…
Headers : {[Age, System.String[]], [Cache-Control, System.String[]], [Date, System.String[]], [ETag,
System.String[]]…}
Images : {}
InputFields : {}
Links : {@{outerHTML=<a href="https://www.iana.org/domains/example">More information...</a>; tagName=A;
href=https://www.iana.org/domains/example}}
RawContentLength : 1256
RelationLink : {}
[I] 2021/01/01 11:41:52 All Windows descendant process exited.
[I] 2021/01/01 11:41:52 Master exiting
If the issue can't be reproduced, it may be caused by scoop shims.
https://github.com/lukesampson/scoop/issues/3634 https://github.com/lukesampson/scoop/pull/3998
Switching to the new scoop shim will not solve this issue. The pwsh is not managed by proxychains.
[PID14808] [W] 2021/01/01 11:41:51 GetThreadContext() Failed: The parameter is incorrect.(87)
[PID14808] [E] 2021/01/01 11:41:51 Injecting WINPID 6108 Error: The parameter is incorrect.(87)
PowerShell
Windows PowerShell 5.1.19041.610 (Windows 10 built-in):
PowerShell Core 7.1.0 (same results for x64/x86 versions):
What caused PowerShell 7.1 to get the wrong IP format? The proxy server does not support IPv6. IPv6 has been disabled in the network adapter.
Invoke-WebRequest example.org -Proxy $PROXY_URI
works well.
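The debug log in the first post shows the actual target that pwsh 7.1 hands to ConnectEx: `[::ffff:93.184.216.34]:80`, an IPv4-mapped IPv6 address, which a proxy without IPv6 support cannot relay unless the hook unmaps it back to `93.184.216.34:80`. The small analyzer below, added here as an illustration and not part of proxychains-windows or of anyone's post in this thread, parses `-l D` debug lines, classifies each ConnectEx target as plain IPv4, plain IPv6 or IPv4-mapped, reports the address form the proxy should be asked for, and collects the WSA error codes from `[W]`/`[E]` lines. The sample log is constructed: its IPv4-mapped ConnectEx line is the one quoted above, while the plain-IPv6 and plain-IPv4 ConnectEx line formats are assumptions made for illustration, and `2001:db8::1` is a documentation address. Only the Python standard library is used.

```python
"""Classify the connect targets that proxychains.exe logs with `-l D`."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the debug lines quoted in this issue.
# The first ConnectEx line is the real one from the report; the plain-IPv6 and
# plain-IPv4 ConnectEx lines are assumed formats added for illustration only.
SAMPLE_LOG = """\
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32.dll GetAddrInfoExW() called
[PID18724] [D] 2020/12/23 23:59:41 Mswsock.dll (FP)ConnectEx(2688, [::ffff:93.184.216.34]:80, 28) called
[PID18724] [D] 2020/12/23 23:59:41 Ws2_32_GenericTunnelTo(localhost:5354)
[PID18724] [W] 2020/12/23 23:59:43 connect() error: No connection could be made because the target machine actively refused it.(10061)
[PID18724] [D] 2020/12/23 23:59:43 Mswsock.dll (FP)ConnectEx(2688, [2001:db8::1]:443, 28) called
[PID18724] [D] 2020/12/23 23:59:43 Mswsock.dll (FP)ConnectEx(2688, 93.184.216.34:80, 16) called
"""

# Matches both spellings seen in the log, "ConnectEx(2688, [addr]:80, 28)" and
# "ConnectEx(2688 [addr]:80 28)"; the address is bracketed only when it is IPv6.
CONNECT_RE = re.compile(
    r"\[PID(?P<pid>\d+)\].*?ConnectEx\(\d+,?\s+"
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
    r":(?P<port>\d+),?\s+\d+\) called"
)
# A trailing "(NNNNN)" on a [W]/[E] line is the WSA error code, e.g. 10061.
WSA_ERR_RE = re.compile(r"^\[PID\d+\] \[[WE]\] .*\((\d{4,5})\)$")


@dataclass
class ConnectTarget:
    pid: int
    logged: str      # address text exactly as it appeared in the log
    port: int
    family: str      # "ipv4", "ipv6" or "ipv4-mapped"
    proxy_form: str  # address the proxy should actually be asked to reach


def classify_address(text: str) -> Tuple[str, str]:
    """Return (family, address-for-the-proxy) for one logged address."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address):
        mapped = addr.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d, otherwise None
        if mapped is not None:
            return "ipv4-mapped", str(mapped)
        return "ipv6", str(addr)
    return "ipv4", str(addr)


def parse_connect_targets(log_text: str) -> List[ConnectTarget]:
    """Extract every ConnectEx target from the debug log, in order."""
    targets: List[ConnectTarget] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        logged = m.group("v6") or m.group("v4")
        family, proxy_form = classify_address(logged)
        targets.append(ConnectTarget(int(m.group("pid")), logged,
                                     int(m.group("port")), family, proxy_form))
    return targets


def audit_log(log_text: str, proxy_supports_ipv6: bool = False) -> Dict[str, list]:
    """Flag targets the proxy cannot serve as logged and collect WSA error codes."""
    findings: List[str] = []
    for t in parse_connect_targets(log_text):
        if t.family == "ipv4-mapped":
            findings.append(f"pid {t.pid}: [{t.logged}]:{t.port} is IPv4-mapped; "
                            f"hand {t.proxy_form}:{t.port} to the proxy")
        elif t.family == "ipv6" and not proxy_supports_ipv6:
            findings.append(f"pid {t.pid}: [{t.logged}]:{t.port} is native IPv6; "
                            f"the proxy cannot relay it")
    errors = [int(m.group(1))
              for m in map(WSA_ERR_RE.match, log_text.splitlines()) if m]
    return {"findings": findings, "wsa_errors": errors}


if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a saved `proxychains -l D ...` transcript instead of `SAMPLE_LOG` to see at a glance whether the failing connection was IPv4-mapped (fixable by unmapping before the proxy handshake) or native IPv6 (needs a proxy with IPv6 support), and which WSA codes the proxy connection itself returned.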