Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

'download-file' seems to lock files after completion #38

Open
jmhickman opened this issue Mar 13, 2019 · 3 comments

Comments

@jmhickman
Copy link
Contributor

commented Mar 13, 2019

Using 4.7, if I run download-file on a file, and then try to delete it from the remote host, I get a locking error from PowerShell

Command issued against implant 23 on host ALPHA 0METALAB (03/13/2019 05:56:36)
rm GUID.txt

Command returned against implant 23 on host 0METALAB\user @ ALPHA (03/13/2019 05:56:37)

rm : Cannot remove item C:\Users\user\GUID.txt: The process cannot access the file 'C:\Users\user\GUID.txt'
because it is being used by another process.
At line:1 char:1
+ rm GUID.txt
+ ~~~~~~~~~~~
    + CategoryInfo          : WriteError: (C:\Users\user\GUID.txt:FileInfo) [Remove-Item], IOException
    + FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell.Commands.RemoveItemCommand

Sometimes I can shake this off by running other PoshC2 commands, but not always.

@jmhickman jmhickman changed the title `download-file` seems to lock files after completion 'download-file' seems to lock files after completion Mar 13, 2019

@m0rv4i

This comment has been minimized.

Copy link
Contributor

commented Apr 30, 2019

Hi @jmhickman, thanks for this one also, do you know if this is still the case on master?

The only thing that springs to mind is if the file is large it is downloaded in chunks, but GUID.txt sounds like a small file...?

@jmhickman

This comment has been minimized.

Copy link
Contributor Author

commented Apr 30, 2019

And yeah, it was a small text file. File size doesn't seem to have any correlation to the issue. The only thing that seemed to remove the lock was to download another file, or sometimes to issue certain types of commands to the Implant, like changing directories.

I'll have a look at master and let you know soon.

@jmhickman

This comment has been minimized.

Copy link
Contributor Author

commented May 1, 2019

I can confirm that this is still the case on master, on Windows 10 Pro hosts running 1803. I tested on a Server 2008 system, and the problem didn't occur.

Windows 10 Pro host:

PS C:\Users\userguytwo> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.590
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.590
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Windows Server 2008 host:

Name                           Value
----                           -----
PSVersion                      3.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   6.2.9200.22199
PSCompatibleVersions           {1.0, 2.0, 3.0}
PSRemotingProtocolVersion      2.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.