run as user

agent/agent_windows.go

@@ -30,6 +30,7 @@ import (
 
 	rmm "github.com/amidaware/rmmagent/shared"
 	ps "github.com/elastic/go-sysinfo"
+	"github.com/fourcorelabs/wintoken"
 	"github.com/go-ole/go-ole"
 	"github.com/go-ole/go-ole/oleutil"
 	"github.com/go-resty/resty/v2"
@@ -81,7 +82,7 @@ func NewAgentConfig() *rmm.AgentConfig {
 	}
 }
 
-func (a *Agent) RunScript(code string, shell string, args []string, timeout int) (stdout, stderr string, exitcode int, e error) {
+func (a *Agent) RunScript(code string, shell string, args []string, timeout int, runasuser bool) (stdout, stderr string, exitcode int, e error) {
 
 	content := []byte(code)
 
@@ -143,8 +144,16 @@ func (a *Agent) RunScript(code string, shell string, args []string, timeout int)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeout)*time.Second)
 	defer cancel()
 
-	var timedOut bool = false
+	var timedOut = false
 	cmd := exec.Command(exe, cmdArgs...)
+	if runasuser {
+		token, err := wintoken.GetInteractiveToken(wintoken.TokenLinked)
+		if err != nil {
+			return "", err.Error(), 66, err
+		}
+		defer token.Close()
+		cmd.SysProcAttr = &syscall.SysProcAttr{Token: syscall.Token(token.Token()), HideWindow: true}
+	}
 	cmd.Stdout = &outb
 	cmd.Stderr = &errb
 
@@ -230,7 +239,7 @@ func CMD(exe string, args []string, timeout int, detached bool) (output [2]strin
 	return [2]string{CleanString(outb.String()), CleanString(errb.String())}, nil
 }
 
-func CMDShell(shell string, cmdArgs []string, command string, timeout int, detached bool) (output [2]string, e error) {
+func CMDShell(shell string, cmdArgs []string, command string, timeout int, detached bool, runasuser bool) (output [2]string, e error) {
 	var (
 		outb     bytes.Buffer
 		errb     bytes.Buffer
@@ -241,6 +250,8 @@ func CMDShell(shell string, cmdArgs []string, command string, timeout int, detac
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeout)*time.Second)
 	defer cancel()
 
+	sysProcAttr := &windows.SysProcAttr{}
+
 	if len(cmdArgs) > 0 && command == "" {
 		switch shell {
 		case "cmd":
@@ -254,9 +265,7 @@ func CMDShell(shell string, cmdArgs []string, command string, timeout int, detac
 		switch shell {
 		case "cmd":
 			cmd = exec.Command("cmd.exe")
-			cmd.SysProcAttr = &windows.SysProcAttr{
-				CmdLine: fmt.Sprintf("cmd.exe /C %s", command),
-			}
+			sysProcAttr.CmdLine = fmt.Sprintf("cmd.exe /C %s", command)
 		case "powershell":
 			cmd = exec.Command("Powershell", "-NonInteractive", "-NoProfile", command)
 		}
@@ -264,10 +273,20 @@ func CMDShell(shell string, cmdArgs []string, command string, timeout int, detac
 
 	// https://docs.microsoft.com/en-us/windows/win32/procthread/process-creation-flags
 	if detached {
-		cmd.SysProcAttr = &windows.SysProcAttr{
-			CreationFlags: windows.DETACHED_PROCESS | windows.CREATE_NEW_PROCESS_GROUP,
-		}
+		sysProcAttr.CreationFlags = windows.DETACHED_PROCESS | windows.CREATE_NEW_PROCESS_GROUP
 	}
+
+	if runasuser {
+		token, err := wintoken.GetInteractiveToken(wintoken.TokenLinked)
+		if err != nil {
+			return [2]string{"", CleanString(err.Error())}, err
+		}
+		defer token.Close()
+		sysProcAttr.Token = syscall.Token(token.Token())
+		sysProcAttr.HideWindow = true
+	}
+
+	cmd.SysProcAttr = sysProcAttr
 	cmd.Stdout = &outb
 	cmd.Stderr = &errb
 	cmd.Start()
@@ -449,7 +468,7 @@ func (a *Agent) PlatVer() (string, error) {
 func EnablePing() {
 	args := make([]string, 0)
 	cmd := `netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow`
-	_, err := CMDShell("cmd", args, cmd, 10, false)
+	_, err := CMDShell("cmd", args, cmd, 10, false, false)
 	if err != nil {
 		fmt.Println(err)
 	}
@@ -470,7 +489,7 @@ func EnableRDP() {
 
 	args := make([]string, 0)
 	cmd := `netsh advfirewall firewall set rule group="remote desktop" new enable=Yes`
-	_, cerr := CMDShell("cmd", args, cmd, 10, false)
+	_, cerr := CMDShell("cmd", args, cmd, 10, false, false)
 	if cerr != nil {
 		fmt.Println(cerr)
 	}
@@ -497,15 +516,15 @@ func DisableSleepHibernate() {
 		wg.Add(1)
 		go func(c string) {
 			defer wg.Done()
-			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /set%svalueindex scheme_current sub_buttons lidaction 0", c), 5, false)
-			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -standby-timeout-%s 0", c), 5, false)
-			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -hibernate-timeout-%s 0", c), 5, false)
-			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -disk-timeout-%s 0", c), 5, false)
-			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -monitor-timeout-%s 0", c), 5, false)
+			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /set%svalueindex scheme_current sub_buttons lidaction 0", c), 5, false, false)
+			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -standby-timeout-%s 0", c), 5, false, false)
+			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -hibernate-timeout-%s 0", c), 5, false, false)
+			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -disk-timeout-%s 0", c), 5, false, false)
+			_, _ = CMDShell("cmd", args, fmt.Sprintf("powercfg /x -monitor-timeout-%s 0", c), 5, false, false)
 		}(i)
 	}
 	wg.Wait()
-	_, _ = CMDShell("cmd", args, "powercfg -S SCHEME_CURRENT", 5, false)
+	_, _ = CMDShell("cmd", args, "powercfg -S SCHEME_CURRENT", 5, false, false)
 }
 
 // NewCOMObject creates a new COM object for the specifed ProgramID.
@@ -645,7 +664,7 @@ Add-MpPreference -ExclusionPath 'C:\Windows\Temp\tacticalagent-v*.exe'
 Add-MpPreference -ExclusionPath 'C:\Windows\Temp\trmm\*'
 Add-MpPreference -ExclusionPath 'C:\Program Files\Mesh Agent\*'
 `
-	_, _, _, err := a.RunScript(code, "powershell", []string{}, 20)
+	_, _, _, err := a.RunScript(code, "powershell", []string{}, 20, false)
 	if err != nil {
 		a.Logger.Debugln(err)
 	}