
Executed PE Files do not return output #1

Closed
michaelweber opened this issue Jul 26, 2024 · 5 comments

Comments

@michaelweber
Collaborator

When we reflectively load another PE file, any hooks we've put in place to capture stdout/stderr go right out the window. The compiled executable will work fine, but if you want to make any decisions based off of the output of invoking the embedded PE file beyond return code this will need another solution.

@cookpoo78

Same issue

@parzel

parzel commented Feb 21, 2025

I ran into the same issue. The behavior stems from the no-consolation BOF and how it tries to redirect output. I was able to hotfix it and opened a ticket here with the details.

@michaelweber
Collaborator Author

Holy crap - way to go @parzel! Gonna do some testing real quick, and if that looks right I'll build no-consolation with your hotfix and include it here until there's an official fix release.

I was losing my mind trying to run this thing down.

@parzel

parzel commented Feb 22, 2025

Great. Let me know if it works; I've had no issues so far. Here are the argBytes I am using (changed freeing libraries to z as per the CNA, and do not allocate a console):

```go
argBytes, err := lighthouse.PackArgs([]string{
	"Z" + peName,                              // Unicode PE Name
	"z" + peName,                              // ANSI PE Name
	"Z" + pePath,                              // Unicode PE Path
	"b" + hex.EncodeToString(executableBytes), // The actual PE to load
	"z",                                       // for local PE loading, we don't need it
	"i0",                                      // not doing local loading
	"i60",                                     // 60 second timeout
	"i0",                                      // no headers
	"Z" + strings.Join(updatedArgs, " "),      // Unicode Args
	"z" + strings.Join(updatedArgs, " "),      // ANSI Args
	"z",                                       // Invoke default entry point method
	"i0",                                      // not using unicode
	"i0",                                      // we don't want to disable output
	"i0",                                      // allocating a console so we can capture output
	"i0",                                      // don't need to worry about closing handles
	"z",                                       // don't need to worry about freeing libraries
	"i1",                                      // don't need to worry about saving
	"i0",                                      // not listing PEs
	"z",                                       // not unloading any PEs
	"z",                                       // no need for us to have anything as our nick() for now
	"z" + "0",                                 // timestamp doesn't matter
	"i0",                                      // linking to PEB
	"i0",                                      // unloading is fine
	"i0",                                      // do load all dependencies
	"z",                                       // load_all_deps_but DLL_A,DLL_B,DLL_C...
	"z",                                       // not using load_deps
	"z",                                       // not using search_paths
	"i1",                                      // running with -inthread
})
```

@michaelweber
Collaborator Author

michaelweber commented Feb 22, 2025

Confirmed this works - I've pushed the fix. Got delayed because I ran into something stupid where I needed to use Go to compress the BOF instead of just running gzip on the .o file - but we're good now.

Thanks again @parzel!

Going to close this issue for now but if anyone has issues with this please comment on it / open a new issue!
