Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PowerShell Agent Unexpected Crashes: Issue with "Read" Method #147

Open
whydee86 opened this issue Mar 30, 2024 · 4 comments
Open

PowerShell Agent Unexpected Crashes: Issue with "Read" Method #147

whydee86 opened this issue Mar 30, 2024 · 4 comments

Comments

@whydee86
Copy link

Description

The PowerShell agent generally operates smoothly, but I have encountered an issue where it unexpectedly crashes during execution. The crash is associated with an exception thrown when attempting to call the "Read" method with three arguments.

Steps to Reproduce

  1. Run the PowerShell agent under normal operation conditions.(Include amsi bypass, for sure it's not a defender problem)
  2. During its execution, the agent occasionally crashes with the above exception.

(Note: The issue appears to occur at random intervals, possibly influenced by network stability or remote server responses.)

Expected Behavior

The agent should handle network interruptions or reconnect attempts gracefully without crashing, possibly by implementing retry mechanisms or more robust error handling around the "Read" operation.

Actual Behavior

The agent crashes, leading to an abrupt termination of its execution. This disrupts workflows and requires manual intervention to restart the agent.

Looking forward to your support in resolving this issue. Thank you!

image
@charbelmhanna
Copy link

Based on the error I see it seems that the remote host as closed the connection mean that it stopped listening to the port. Also it could be a connection issues. Make the connection your connecting to "Victim" there no connection timeout ....

@t3l3machus
Copy link
Owner

@whydee86, thanks a lot for the detailed issue description. Looks like one of the 3 arguments when calling read is null:
$stream.Read($bytes, 0, $bytes.Length)
Possibly the initialization of the $bytes byte array from the previous command did not complete in time, so when it gets to read it errors out? I'm kind of speculating for now. If that's true, then you can probably append this line (or similar) before the "read" command: while ($? -ne $true){sleep 0.5};.

I will have a closer look and get back to you.

Cheers

@whydee86
Copy link
Author

whydee86 commented Apr 2, 2024

@whydee86, thanks a lot for the detailed issue description. Looks like one of the 3 arguments when calling read is null: $stream.Read($bytes, 0, $bytes.Length) Possibly the initialization of the $bytes byte array from the previous command did not complete in time, so when it gets to read it errors out? I'm kind of speculating for now. If that's true, then you can probably append this line (or similar) before the "read" command: while ($? -ne $true){sleep 0.5};.

I will have a closer look and get back to you.

Cheers

Great, if I can help with something or provide more information, please let me know. We should also add to the agent reconnect mechanism in case of network failure. For example, try stopping the server for 5 seconds and then start it again.

@t3l3machus
Copy link
Owner

@whydee86 by the way, you can probably use nishang as an agent to connect to Villain via tcp which is more sophisticated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@whydee86 @charbelmhanna @t3l3machus