
Tasklist BOF wasn't updated with latest WMI_Connect revision #100

Closed
Octoberfest7 opened this issue May 16, 2023 · 1 comment

Comments

@Octoberfest7

A recent update to WMI.c (which fixed token impersonation, thanks for that!) changed the parameters that the WMI_Connect function requires; the Tasklist BOF uses WMI to perform its actions and was not updated to reflect these changes, which causes it to fail when compiling.

The relevant code from src/SA/tasklist/entry.c:

HRESULT task_list(
	LPWSTR pwszServer
)
{
	HRESULT	hr = S_OK;
	WMI		m_WMI;
	size_t	ullQuerySize = 0;
	LPWSTR	lpwszQuery = NULL;
	BSTR**	ppbstrResults = NULL;
	DWORD	dwRowCount = 0;
	DWORD	dwColumnCount = 0;
	DWORD	dwCurrentRowIndex = 0;
	DWORD	dwCurrentColumnIndex = 0;

	// Initialize COM
	hr = Wmi_Initialize(&m_WMI);
	if (FAILED(hr))
	{
		BeaconPrintf(CALLBACK_ERROR, "Wmi_Initialize failed: 0x%08lx", hr);
		goto fail;
	}

	// Connect to WMI on host
	hr = Wmi_Connect(&m_WMI, pwszServer, NULL);
	if (FAILED(hr))
	{
		BeaconPrintf(CALLBACK_ERROR, "Wmi_Connect failed: 0x%08lx", hr);
		goto fail;
	}

should be:

HRESULT task_list(
	LPWSTR pwszResource
)
{
	HRESULT	hr = S_OK;
	WMI		m_WMI;
	size_t	ullQuerySize = 0;
	LPWSTR	lpwszQuery = NULL;
	BSTR**	ppbstrResults = NULL;
	DWORD	dwRowCount = 0;
	DWORD	dwColumnCount = 0;
	DWORD	dwCurrentRowIndex = 0;
	DWORD	dwCurrentColumnIndex = 0;

	// Initialize COM
	hr = Wmi_Initialize(&m_WMI);
	if (FAILED(hr))
	{
		BeaconPrintf(CALLBACK_ERROR, "Wmi_Initialize failed: 0x%08lx", hr);
		goto fail;
	}

	// Connect to WMI on host
	hr = Wmi_Connect(&m_WMI, pwszResource);
	if (FAILED(hr))
	{
		BeaconPrintf(CALLBACK_ERROR, "Wmi_Connect failed: 0x%08lx", hr);
		goto fail;
	}

I also changed SA.cna to use the resource model that wmi_query now does:

alias tasklist{
	local('$args $resource')

	$resource = "";

	if ((size(@_) < 1) || (size(@_) > 2))
	{
		berror($1, beacon_command_detail("tasklist"));
		berror($1, "Invalid number of arguments");
		return;
	}
	$resource = iff(-istrue $2, "\\\\$2\\root\\cimv2", "\\\\.\\root\\cimv2");
	$args = bof_pack($1, "Z", $resource);
	beacon_inline_execute($1, readbof($1, "tasklist", "Connecting to $resource and retrieving list of currently running processes", "T1057"), "go", $args);
}
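The alias above builds the WMI "resource" string in Sleep and hands it to the BOF as a single argument. The following is an added example, not code from this issue or from the project, showing the same resource model in C so it can be checked on the native side: `build_wmi_resource` is a hypothetical helper that turns an optional host name into `\\host\root\cimv2` (or `\\.\root\cimv2` for the local machine) with bounds checking and a refusal of host names that contain path separators, and `parse_wmi_resource` is a hypothetical inverse that splits a resource back into host and namespace, which is handy when reviewing what a connection string actually targets.

```c
#include <stddef.h>
#include <wchar.h>

/* Builds the resource string that the revised single-argument Wmi_Connect
   expects. Mirrors the Sleep logic in the tasklist alias: an optional host
   becomes \\host\root\cimv2, otherwise the local machine \\.\root\cimv2.
   Hypothetical helper, not part of the project.
   Returns the number of characters written, or -1 on error/truncation. */
int build_wmi_resource(const wchar_t *host, wchar_t *out, size_t cch)
{
    const wchar_t *target = (host != NULL && host[0] != L'\0') ? host : L".";

    /* Reject hosts containing path separators so the host argument cannot
       redirect the connection to a different namespace. */
    for (const wchar_t *p = target; *p != L'\0'; ++p) {
        if (*p == L'\\' || *p == L'/') {
            return -1;
        }
    }

    int n = swprintf(out, cch, L"\\\\%ls\\root\\cimv2", target);
    if (n < 0 || (size_t)n >= cch) {
        return -1; /* swprintf reports overflow as a negative result */
    }
    return n;
}

/* Splits a resource of the form \\host\namespace into its two parts.
   Hypothetical helper, not part of the project.
   Returns 0 on success, -1 if the string is not in that shape or does not
   fit the caller's buffers. */
int parse_wmi_resource(const wchar_t *res,
                       wchar_t *host, size_t host_cch,
                       wchar_t *ns, size_t ns_cch)
{
    if (res == NULL || res[0] != L'\\' || res[1] != L'\\') {
        return -1;
    }
    const wchar_t *h = res + 2;
    const wchar_t *sep = wcschr(h, L'\\');
    /* Need a non-empty host, a separator, and a non-empty namespace. */
    if (sep == NULL || sep == h || sep[1] == L'\0') {
        return -1;
    }
    size_t hlen = (size_t)(sep - h);
    if (hlen >= host_cch || wcslen(sep + 1) >= ns_cch) {
        return -1;
    }
    wmemcpy(host, h, hlen);
    host[hlen] = L'\0';
    wcscpy(ns, sep + 1);
    return 0;
}
```

Calling `build_wmi_resource(NULL, buf, 64)` yields `\\.\root\cimv2`, and `build_wmi_resource(L"dc01", buf, 64)` yields `\\dc01\root\cimv2` (the host name is a constructed sample); a host such as `dc01\root\default` is refused rather than silently changing the namespace.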
@freefirex (Collaborator)

Thanks for the catch!
