RunPE: Arguments do not get passed

When running a base64 encoded file via command line, arguments are not appropriately passed to the execution of the command of some binaries.

I have used net.exe just fine, however Mimikatz and CheekyBlinders both do not get arguments passed appropriately.

RunPE Version: Latest
OS: Windows 10
Build: OS Version: 10.0.19045 N/A Build 19045

Example running Mimikatz (latest):

image

[…snippet…]

image

As you can see, the execution of the PE works, however the arguments passed are not passed on to the PE.

I am using our C2 to wrap this functionality and passing the arguments, however they do not get executed.

I have also tried the CheekyBlinders (https://github.com/br-sn/CheekyBlinder) PE file, which results in the same issue of arguments not being passed to the PE binary.

You can see executing directly from the file works in both cases

Mimikatz:

image

[…snippet…]

image

Notice the highlighted area, where Mimikatz is being passed the Argument 0 instead of just coffee and exit

CheekyBlinders:

image

[…snippet…]

image

Note CheekyBlinders doesn’t even execute correctly, however this may because again of the argv[0] being passed instead of argv[1]

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 25 (12 by maintainers)

Most upvoted comments

@m0rv4i I can confirm that the behavior is same in our C2 (Not publicly available) as it is in CLI form.

+1
aconite33 on Jan 9, 2023

@benpturner can you provide a build exe that you are using? I just want to make sure it’s not a compiling issue on my side.

+1
aconite33 on Jan 5, 2023
Read more comments on GitHub
← netsuite: NoMethodError: undefined method `results' for false:FalseClass when using NetSuite::Records::InventoryItem.search.results_in_batches
netty: An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception. →