kernel-sanders closed 4 years ago
Perhaps an issue with the upstream memorymodule?
As memorymodule never claims to handle args for EXEs, I don't think it's an issue with memorymodule. The incorrect use in go-mimikatz is the issue. I have tried to get it working by modifying `os.Args` during run-time, but was unsuccessful.
memory module is now deprecated
I recently solved this problem in my own project the same way. Cheers!
Setting the userdata to argv[] does not actually pass arguments to the exe loaded by memory module. It happens to work in this case because when the exe calls `GetCommandLine` it gets the args supplied by the user to the go exe. A simple way to test this is to instead load args from a string array in go, they will not be passed to the exe.
A more complete solution would be to use the same technique as Invoke-ReflectivePEInjection and overwrite the `GetCommandLine` function with shellcode to return a pointer to a string array in memory (and while we are at it replace `ExitProcess` with `ExitThread` so go execution can continue)