vyrus001 / go-mimikatz

A wrapper around a pre-compiled version of the Mimikatz executable for the purpose of anti-virus evasion.
608 stars 104 forks

Passing args does not work #2

Closed kernel-sanders closed 4 years ago

kernel-sanders commented 5 years ago

Setting the userdata to argv[] does not actually pass arguments to the exe loaded by memory module. It happens to work in this case because when the exe calls GetCommandLine it gets the args supplied by the user to the go exe.

A simple way to test this is to instead load args from a string array in Go; they will not be passed to the exe.

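    exe_path, err := os.Executable()
    if err != nil {
        panic(err) // err must be used or the Go compiler rejects the snippet
    }
    // Hard-coded argument list, used in place of the process's own os.Args
    args := [2]string{exe_path, "log"}
    var cArgs []*C.char
    for _, goString := range args {
        fmt.Println(goString)
        // C.CString allocates with malloc; the caller owns the memory
        cArgs = append(cArgs, C.CString(goString))
    }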

A more complete solution would be to use the same technique as Invoke-ReflectivePEInjection and overwrite the GetCommandLine function with shellcode to return a pointer to a string array in memory (and while we are at it, replace ExitProcess with ExitThread so Go execution can continue).

wheelerlaw commented 5 years ago

Perhaps an issue with the upstream memorymodule?

kernel-sanders commented 5 years ago

As memorymodule never claims to handle args for EXEs, I don't think it's an issue with memorymodule. The incorrect use in go-mimikatz is the issue. I have tried to get it working by modifying os.Args during run-time, but was unsuccessful.

vyrus001 commented 4 years ago

Memory module is now deprecated.

kernel-sanders commented 4 years ago

I recently solved this problem in my own project the same way. Cheers!