ExecutePe no return output.

Open piolug93 opened this issue 10 months ago • 6 comments

When I run a task with the command ExecutePE, the result is only:

Image

When the program's console output is:

Image

The TestExec.exe code is simple:

#include <stdio.h>
#include <stdint.h>


int main() {
    printf("Before modification:\n");
    return 0;
}

piolug93 avatar Jan 18 '25 14:01 piolug93

How are you compiling that code? Apollo's execute_pe documentation says:

Execute a statically compiled PE file (e.g., compiled with /MT) with the specified arguments.

its-a-feature avatar Jan 18 '25 14:01 its-a-feature

Thanks for that tip. My error, I didn't check the documentation of that command.

piolug93 avatar Jan 18 '25 16:01 piolug93

Running the exe from that code with the same compile parameters doesn't give any output. My compile params: /permissive- /ifcOutput "x64\Release\" /GS /GL /W3 /Gy /Zc:wchar_t /Zi /Gm- /O2 /sdl /Fd"x64\Release\vc143.pdb" /Zc:inline /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MT /FC /Fa"x64\Release\" /EHsc /nologo /Fo"x64\Release\" /Fp"x64\Release\TestExec.pch" /diagnostics:column

#include <windows.h>
#include <stdio.h>
#include <stdint.h>
#include <iostream>


int main() {
    std::cout << "Not valid mode" << std::endl;
    return 0;
}

But for this code, all is OK.

#include <windows.h>
#include <stdio.h>
#include <stdint.h>


int main() {
    printf("Before modification:\n");
    fprintf(stderr, "Stderr message");
    return 0;
}

piolug93 avatar Jan 18 '25 21:01 piolug93

Hmm I'll have to look into what's going on more, but I can at least confirm what you're seeing. The first code block does not return output to Mythic; however, the second code block does return output.

its-a-feature avatar Jan 18 '25 22:01 its-a-feature

Ok, I got it to work. I think the issue is that some of those other libraries used in the top C++ code (like the std::cout) are handled a little differently when it comes to compilation. In addition to needing that /MT flag, I had to do a few things:

  1. Under Configuration Properties --> General, change the "Use of MFC" field to "Use MFC in a Static Library".
  2. Install the MFC components (https://learn.microsoft.com/en-us/visualstudio/msbuild/errors/msb8041?view=vs-2022)
  3. Rebuild

Also, make sure you're using the latest Apollo code for the agent and the server.

A fully featured .NET 4.0 compatible training agent. Version: 2.2.24

Image

its-a-feature avatar Jan 18 '25 22:01 its-a-feature

In Visual Studio 2022 I don't have Configuration Properties --> General, change the "Use of MFC" field to "Use MFC in a Static Library". I tried changing the vcxproj file and adding UseOfMFC.

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
    <UseOfMfc>Static</UseOfMfc>
  </PropertyGroup>

That did not give a positive result.

piolug93 avatar Jan 20 '25 09:01 piolug93

C++ support for execute PE may be a little hit or miss. The "Use MFC in a Static Library" option should help in some circumstances.

For debugging, there's an ExecutePE.Standalone project that builds a program which loads an arbitrary executable and executes it using Apollo's PE loader.

Building it requires the .NET Framework 4.5.1 developer pack, which can be downloaded here: Download .NET Framework 4.5.1.

In the Payload_Type/apollo/apollo/agent_code directory, run this to restore the VS solution.

msbuild -r .\ExecutePE.Standalone\ExecutePE.Standalone.csproj

Then run this to build the program.

msbuild .\ExecutePE.Standalone\ExecutePE.Standalone.csproj

The output .\ExecutePE.Standalone\bin\Debug\net451\ExecutePE.Standalone.exe program can be used to load and run the specified executable with any extra arguments getting passed through to the loaded PE.

.\ExecutePE.Standalone\bin\Debug\net451\ExecutePE.Standalone.exe <executable path> [executable args...]

MEhrn00 avatar Feb 26 '25 18:02 MEhrn00
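
An added example (not part of the thread, and not Apollo's code): the execute_pe documentation quoted above asks for a statically compiled PE, and one way to confirm a build meets that is to list the image's imported DLLs and flag the C/C++ runtime ones that a dynamically linked build pulls in. The function names, the prefix list and the `build_sample` image are constructed for this illustration.

```python
import struct

# Assumed, non-exhaustive prefixes of runtime DLLs imported by /MD or shared-MFC builds.
RUNTIME_PREFIXES = ("vcruntime", "msvcp", "msvcr", "ucrtbase", "api-ms-win-crt-", "mfc")

def _rva_to_offset(sections, rva):
    for vsize, vaddr, rsize, raw in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return raw + rva - vaddr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def imported_dlls(pe):
    """Return the DLL names in the import directory of a PE32/PE32+ image (bytes)."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4       # e_lfanew + signature
    if pe[:2] != b"MZ" or pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]    # data directory 1 = imports
    if imp_rva == 0:
        return []
    # Section header fields at +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    off, names = _rva_to_offset(secs, imp_rva), []
    while (name_rva := struct.unpack_from("<I", pe, off + 12)[0]) != 0:
        start = _rva_to_offset(secs, name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        off += 20                                          # next IMAGE_IMPORT_DESCRIPTOR
    return names

def dynamic_runtime_imports(pe):
    """DLLs showing the image still depends on a dynamically linked C/C++ runtime."""
    return [d for d in imported_dlls(pe) if d.lower().startswith(RUNTIME_PREFIXES)]

def build_sample(dlls):
    """Constructed minimal PE32+ image: headers plus one section holding only imports."""
    size = 20 * (len(dlls) + 1)
    descs, names, rva = b"", b"", 0x1000 + size
    for d in dlls:
        descs += struct.pack("<5I", 0, 0, 0, rva + len(names), 0)
        names += d.encode() + b"\0"
    body = descs + bytes(20) + names
    opt = struct.pack("<H106x5I", 0x20B, 16, 0, 0, 0x1000, size) + bytes(112)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22) + opt
    hdr += b".idata\0\0" + struct.pack("<4I", len(body), 0x1000, len(body), 0x200) + bytes(16)
    return hdr.ljust(0x200, b"\0") + body
```

For a real build, pass the file's bytes, e.g. `dynamic_runtime_imports(open(path, "rb").read())`. An empty result only confirms static runtime linking; the thread shows a /MT build can still return no output.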