BugFix: PsExec method does not cleanup some files from target

Lifars · Apr 21, 2020 · d7fe1d1 · d7fe1d1
1 parent 42e4922
commit d7fe1d1
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 27 deletions.
diff --git a/src/arg_parser.rs b/src/arg_parser.rs
@@ -92,7 +92,7 @@ pub struct Opts {
     #[clap(
     long = "wmi",
     help = "Acquire evidence from Windows machine using WMI. \
-    Requires WMImplant.ps1 in the current directory or in the path and PowerShell 3.0+ on the host machine.\
+    Requires WMImplant.ps1 in the current directory or in the path and PowerShell 3.0+ on the host machine. \
     Note: It is necessary to disable Windows Defender real-time protection (other AVs not tested)."
     )]
     pub wmi: bool,

diff --git a/src/command_runner.rs b/src/command_runner.rs
@@ -1,4 +1,4 @@
-use crate::remote::{Computer, Connector, Command, PsExec, Local, PsRemote, Ssh, Rdp, Wmi};
+use crate::remote::{Computer, Connector, Command, PsExec, PsRemote, Ssh, Rdp, Wmi};
 use std::path::{Path, PathBuf};
 use std::fs::File;
 use crate::command_utils::parse_command;
@@ -35,15 +35,15 @@ impl<'a> CommandRunner<'a> {
         }
     }
 
-    pub fn local(
-        local_store_directory: &'a Path,
-    ) -> CommandRunner<'a> {
-        CommandRunner {
-            local_store_directory,
-            connector: Box::new(Local::new()),
-            run_implicit: true,
-        }
-    }
+    // pub fn local(
+    //     local_store_directory: &'a Path,
+    // ) -> CommandRunner<'a> {
+    //     CommandRunner {
+    //         local_store_directory,
+    //         connector: Box::new(Local::new()),
+    //         run_implicit: true,
+    //     }
+    // }
 
     pub fn psremote(
         remote_computer: Computer,

diff --git a/src/evidence_acquirer.rs b/src/evidence_acquirer.rs
@@ -1,5 +1,5 @@
 use std::path::{Path, PathBuf};
-use crate::remote::{Computer, Connector, Command, PsExec, PsRemote, Local, Ssh, Rdp, Wmi};
+use crate::remote::{Computer, Connector, Command, PsExec, PsRemote, Ssh, Rdp, Wmi};
 
 pub struct EvidenceAcquirer<'a> {
     store_directory: &'a Path,
@@ -67,14 +67,14 @@ impl<'a> EvidenceAcquirer<'a> {
         )
     }
 
-    pub fn local(
-        store_directory: &'a Path,
-    ) -> EvidenceAcquirer<'a> {
-        EvidenceAcquirer::new_standard_acquirer(
-            store_directory,
-            Box::new(Local::new()),
-        )
-    }
+    // pub fn local(
+    //     store_directory: &'a Path,
+    // ) -> EvidenceAcquirer<'a> {
+    //     EvidenceAcquirer::new_standard_acquirer(
+    //         store_directory,
+    //         Box::new(Local::new()),
+    //     )
+    // }
 
     pub fn wmi(
         remote_computer: Computer,

diff --git a/src/memory_acquirer.rs b/src/memory_acquirer.rs
@@ -94,7 +94,7 @@ impl<'a> MemoryAcquirer<'a> {
             self.connector.remote_temp_storage(),
             "mem-image",
             self.connector.connect_method_name(),
-            ".aff4"
+            "aff4"
         );
         let connection = Command {
             command: vec![

diff --git a/src/remote/copier.rs b/src/remote/copier.rs
@@ -89,7 +89,6 @@ pub trait RemoteFileCopier {
     }
 }
 
-/// Use factory mathods to properly initialize the struct.
 pub struct WindowsRemoteFileHandler {
     computer: Computer,
     copier_impl: Box<dyn FileCopier>,
@@ -133,6 +132,26 @@ impl WindowsRemoteFileHandler {
         ));
         WindowsRemoteFileHandler { computer, copier_impl }
     }
+
+    fn open_connection(
+        &self
+    ) {
+        let mut args = vec![
+            "USE".to_string(),
+            format!("\\\\{}", self.computer.address),
+        ];
+        let username = self.computer.domain_username();
+        args.push(format!("/u:{}", username));
+        if let Some(password) = &self.computer.password {
+            args.push(password.clone());
+        }
+        run_process_blocking(
+            "NET",
+            &args,
+        ).expect(&format!(
+            "Cannot establish connection using \"net use\" to {}", &self.computer.address
+        ));
+    }
 }
 
 impl RemoteFileCopier for WindowsRemoteFileHandler {
@@ -148,6 +167,7 @@ impl RemoteFileCopier for WindowsRemoteFileHandler {
         &self,
         path: &Path,
     ) -> PathBuf {
+        self.open_connection();
         PathBuf::from(format!(
             "\\\\{}\\{}",
             self.remote_computer().address,

diff --git a/src/remote/psexec.rs b/src/remote/psexec.rs
@@ -1,11 +1,12 @@
-use crate::remote::{Connector, Computer, Command, RemoteFileCopier, Cmd, WindowsRemoteFileHandler};
+use crate::remote::{Connector, Computer, Command, RemoteFileCopier, Cmd, WindowsRemoteFileHandler, FileCopier};
 use std::time::Duration;
 use std::io::Error;
 use std::path::{PathBuf, Path};
+use std::io;
 
 pub struct PsExec {
     computer: Computer,
-    copier: WindowsRemoteFileHandler,
+    copier_impl: WindowsRemoteFileHandler,
     psexec_name: String,
     remote_temp_storage: PathBuf
 }
@@ -14,7 +15,7 @@ impl PsExec {
     pub fn paexec(computer: Computer, remote_temp_storage: PathBuf) -> PsExec {
         PsExec {
             computer: computer.clone(),
-            copier: WindowsRemoteFileHandler::new(computer, Box::new(Cmd {})),
+            copier_impl: WindowsRemoteFileHandler::new(computer, Box::new(Cmd {})),
             psexec_name: "paexec.exe".to_string(),
             remote_temp_storage
         }
@@ -23,7 +24,7 @@ impl PsExec {
     pub fn psexec(computer: Computer, remote_temp_storage: PathBuf) -> PsExec {
         PsExec {
             computer: computer.clone(),
-            copier: WindowsRemoteFileHandler::new(computer, Box::new(Cmd {})),
+            copier_impl: WindowsRemoteFileHandler::new(computer, Box::new(Cmd {})),
             psexec_name: "PsExec64.exe".to_string(),
             remote_temp_storage
         }
@@ -40,7 +41,7 @@ impl Connector for PsExec {
     }
 
     fn copier(&self) -> &dyn RemoteFileCopier {
-        &self.copier
+        self as &dyn RemoteFileCopier
     }
 
     fn remote_temp_storage(&self) -> &Path {
@@ -93,3 +94,44 @@ impl Connector for PsExec {
         }
     }
 }
+
+impl RemoteFileCopier for PsExec {
+    fn remote_computer(&self) -> &Computer {
+        self.computer()
+    }
+
+    fn copier_impl(&self) -> &dyn FileCopier {
+        self.copier_impl.copier_impl()
+    }
+
+    fn path_to_remote_form(&self, path: &Path) -> PathBuf {
+        self.copier_impl.path_to_remote_form(path)
+    }
+
+    fn copy_to_remote(&self, source: &Path, target: &Path) -> io::Result<()> {
+        self.copier_impl.copy_from_remote(source, target)
+    }
+
+    fn delete_remote_file(&self, target: &Path) -> io::Result<()> {
+       self.connect_and_run_command(
+           Command{
+               command: vec![
+                   "cmd".to_string(),
+                   "/c".to_string(),
+                   "del".to_string(),
+                   "/F".to_string(),
+                   "/Q".to_string(),
+                   target.to_string_lossy().to_string(),
+               ],
+               report_store_directory: None,
+               report_filename_prefix: "",
+               elevated: false
+           },
+           None
+       )
+    }
+
+    fn copy_from_remote(&self, source: &Path, target: &Path) -> io::Result<()> {
+        self.copier_impl.copy_from_remote(source, target)
+    }
+}