
goMalleable


🔎🪲 Malleable C2 profile parser and assembler library written in Go

Latest supported CobaltStrike version: 4.9.1

Table of Contents

  1. WARNING
  2. Installation
  3. Usage
    1. Parse
    2. Assembly
  4. Examples
  5. TODO

WARNING

goMalleable treats you as a consenting adult and assumes you know how to write Malleable C2 Profiles. It detects syntax errors, but it performs no semantic (runtime) checks, so it will happily generate profiles that do not actually work in production if instructed to do so. Always run the generated profiles through c2lint before using them in production!

Installation

Package can be installed with:

go get github.com/D00Movenok/goMalleable@v1

Usage

Parse

The Parse function parses a Malleable profile into an easy-to-read structure. Full example: Link.

package main

import (
    "log"
    "os"

    malleable "github.com/D00Movenok/goMalleable"
)

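// main is the README example: open a profile file, parse it, and use the
// result. Unlike the original snippet it checks both errors — a failed Open
// would otherwise hand a nil *os.File to Parse, and a Parse error is the only
// signal that the profile text is syntactically invalid.
func main() {
    // ...
    f, err := os.Open("example.profile")
    if err != nil {
        log.Fatalf("opening profile: %v", err)
    }
    defer f.Close()

    parsed, err := malleable.Parse(f)
    if err != nil {
        log.Fatalf("parsing profile: %v", err)
    }
    _ = parsed
    // ...
}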

Full definition of structure can be found here.

Assembly

Printing this structure as a string yields the Malleable profile text. Full example: Link.

fmt.Println(parsed)

Output:

...

set host_stage "false";
set jitter "33";
set tcp_frame_header "";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";

https-certificate {
    set CN "whatever.com";
    set L "California";
    set O "whatever LLC.";
    set OU "local.org";
    set ST "CA";
    set validity "365";
    set C "US";
}

...

Examples

Link Description
Link Example of profile parsing
Link Example of profile creation

TODO

  • Use map[Name]Type instead of []Type with Name field


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Boolean

// Boolean is a bool captured from a quoted profile value (e.g. "true" or
// "false"). A dedicated type is needed because the participle parser treats
// the built-in bool as true whenever any value is present; the string-to-bool
// conversion is done in the Capture method instead.
type Boolean bool

NOTE: created because github.com/alecthomas/participle/v2 parses the built-in bool type as true whenever any value is present.

func (*Boolean) Capture

func (b *Boolean) Capture(values []string) error

type CodeSigner

// CodeSigner holds the "set" directives of a profile's code-signer block.
// The parser tags form one alternation repeated zero or more times, so the
// directives may appear in any order; a directive that is absent leaves its
// field at the zero value. Keystore and Password are the signing key location
// and its passphrase in plaintext, and String() presumably renders every set
// field — including Password — back to profile text, so treat a parsed
// CodeSigner and anything it is printed into as sensitive.
type CodeSigner struct {
	Keystore        string  `parser:"( \"set\" \"keystore\" @String \";\""`
	Password        string  `parser:"| \"set\" \"password\" @String \";\""`
	Alias           string  `parser:"| \"set\" \"alias\" @String \";\""`
	DigestAlgorithm string  `parser:"| \"set\" \"digest_algorithm\" @String \";\""`
	// Captured as a quoted string; Boolean.Capture performs the conversion.
	Timestamp       Boolean `parser:"| \"set\" \"timestamp\" @String \";\""`
	TimestampURL    string  `parser:"| \"set\" \"timestamp_url\" @String \";\" )*"`
}

func (CodeSigner) String

func (b CodeSigner) String() string

type CommaSeparatedList

// CommaSeparatedList is a list of strings that appears in the profile as a
// single comma-separated quoted value (e.g. "curl*,lynx*,wget*"). Capture
// splits the value on parse and String joins it again on output.
type CommaSeparatedList []string

NOTE: default comma-separated string list parser and stringer, e.g. curl*,lynx*,wget*.

func (*CommaSeparatedList) Capture

func (l *CommaSeparatedList) Capture(values []string) error

func (CommaSeparatedList) String

func (l CommaSeparatedList) String() string

type DNSBeacon

// DNSBeacon holds one dns-beacon block. Name is the optional variant name
// that may precede the opening brace; the remaining fields are "set"
// directives that may appear in any order (one alternation repeated with
// `)*`). Every value is captured as a quoted string; for the int fields
// (DNSMaxTXT, DNSSleep, DNSTTL, MaxDNS) the parser converts it, and a
// non-numeric value presumably surfaces as a Parse error — confirm against
// participle's capture rules.
type DNSBeacon struct {
	Name string `parser:"@String? \"{\""`

	DNSIdle          string `parser:"( \"set\" \"dns_idle\" @String \";\""`
	DNSMaxTXT        int    `parser:"| \"set\" \"dns_max_txt\" @String \";\""`
	DNSSleep         int    `parser:"| \"set\" \"dns_sleep\" @String \";\""`
	DNSTTL           int    `parser:"| \"set\" \"dns_ttl\" @String \";\""`
	MaxDNS           int    `parser:"| \"set\" \"maxdns\" @String \";\""`
	DNSStagerPrepend string `parser:"| \"set\" \"dns_stager_prepend\" @String \";\""`
	DNSStagerSubhost string `parser:"| \"set\" \"dns_stager_subhost\" @String \";\""`
	Beacon           string `parser:"| \"set\" \"beacon\" @String \";\""`
	// Note the mixed-case directive names: get_A, get_AAAA, get_TXT.
	GetA             string `parser:"| \"set\" \"get_A\" @String \";\""`
	GetAAAA          string `parser:"| \"set\" \"get_AAAA\" @String \";\""`
	GetTXT           string `parser:"| \"set\" \"get_TXT\" @String \";\""`
	PutMetadata      string `parser:"| \"set\" \"put_metadata\" @String \";\""`
	PutOutput        string `parser:"| \"set\" \"put_output\" @String \";\""`
	NSResponse       string `parser:"| \"set\" \"ns_response\" @String \";\")* \"}\""`
}

func (DNSBeacon) String

func (b DNSBeacon) String() string

type Data

// Data is the quoted argument of a stage-block "data" statement; String
// renders it back as that statement.
type Data string

NOTE: parser and stringer for "data" function.

func (Data) String

func (s Data) String() string

type Function

// Function is one statement of a function sequence (an http-get output
// block, a post-ex or stage transform, and so on): an identifier followed by
// zero or more quoted arguments and a terminating semicolon, for example
// (constructed) `name "arg1" "arg2";`. String renders it in that form.
type Function struct {
	Func string   `parser:"@Ident"`
	Args []string `parser:"@String* \";\""`
}

NOTE: parser and stringer for function sequences, e.g. http-get output, transforms in post-ex, etc.

func (Function) String

func (f Function) String() string

type HTTPBeacon added in v1.1.0

// HTTPBeacon holds one http-beacon block (added in v1.1.0). Name is the
// optional variant name before the opening brace; the only directive
// recognised inside the block is `set library "...";`, which may repeat.
type HTTPBeacon struct {
	Name string `parser:"@String? \"{\""`

	Library string `parser:"( \"set\" \"library\" @String \";\")* \"}\""`
}

func (HTTPBeacon) String added in v1.1.0

func (b HTTPBeacon) String() string

type HTTPConfig

// HTTPConfig holds the http-config block. The directives may appear in any
// order and any number of times. HeadersOrder is captured from the
// `set headers` directive (a comma-separated list), while Headers collects
// the `header "Name" "Value";` statements; the two are distinct despite the
// similar names. The user-agent lists are comma-separated values.
type HTTPConfig struct {
	HeadersOrder       CommaSeparatedList `parser:"( \"set\" \"headers\" @String \";\""`
	Headers            []Header           `parser:"| \"header\" @@ \";\""`
	TrustXForwardedFor Boolean            `parser:"| \"set\" \"trust_x_forwarded_for\" @String \";\""`
	BlockUserAgents    CommaSeparatedList `parser:"| \"set\" \"block_useragents\" @String \";\""`
	AllowUserAgents    CommaSeparatedList `parser:"| \"set\" \"allow_useragents\" @String \";\")*"`
}

func (HTTPConfig) String

func (b HTTPConfig) String() string

type HTTPGet

// HTTPGet holds one http-get block. Name is the optional variant name before
// the opening brace. Verb and URI are "set" directives (URI may list several
// space-separated paths); Client and Server are the nested `client { ... }`
// and `server { ... }` blocks. All of them may appear in any order, and a
// block that repeats overwrites the previously captured one — confirm
// against participle before relying on that.
type HTTPGet struct {
	Name string `parser:"@String? \"{\""`

	Verb   string             `parser:"( \"set\" \"verb\" @String \";\""`
	URI    SpaceSeparatedList `parser:"| \"set\" \"uri\" @String \";\""`
	Client HTTPGetClient      `parser:"| \"client\" \"{\" @@ \"}\""`
	Server HTTPServer         `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}

func (HTTPGet) String

func (b HTTPGet) String() string

type HTTPGetClient

// HTTPGetClient is the client sub-block of an http-get block: the
// `header`/`parameter` statements, plus the `metadata { ... }` function
// sequence. Statements may be interleaved in any order; each kind is
// collected into its own slice.
type HTTPGetClient struct {
	Headers    []Header    `parser:"( \"header\" @@ \";\""`
	Parameters []Parameter `parser:"| \"parameter\" @@ \";\""`
	Metadata   []Function  `parser:"| \"metadata\" \"{\" @@* \"}\" )*"`
}

func (HTTPGetClient) String

func (b HTTPGetClient) String() string

type HTTPPost

// HTTPPost holds one http-post block. It has the same shape as HTTPGet —
// optional variant Name, the `set verb`/`set uri` directives and nested
// client/server blocks in any order — but its client block is an
// HTTPPostClient, which carries output/id sequences instead of metadata.
type HTTPPost struct {
	Name string `parser:"@String? \"{\""`

	Verb   string             `parser:"( \"set\" \"verb\" @String \";\""`
	URI    SpaceSeparatedList `parser:"| \"set\" \"uri\" @String \";\""`
	Client HTTPPostClient     `parser:"| \"client\" \"{\" @@ \"}\""`
	Server HTTPServer         `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}

func (HTTPPost) String

func (b HTTPPost) String() string

type HTTPPostClient

// HTTPPostClient is the client sub-block of an http-post block: `header`
// and `parameter` statements plus the `output { ... }` and `id { ... }`
// function sequences, in any order, each collected into its own slice.
type HTTPPostClient struct {
	Headers    []Header    `parser:"( \"header\" @@ \";\""`
	Parameters []Parameter `parser:"| \"parameter\" @@ \";\""`
	Output     []Function  `parser:"| \"output\" \"{\" @@* \"}\""`
	ID         []Function  `parser:"| \"id\" \"{\" @@* \"}\" )*"`
}

func (HTTPPostClient) String

func (b HTTPPostClient) String() string

type HTTPSCertificate

// HTTPSCertificate holds one https-certificate block: an optional variant
// Name, the keystore location and its password, and the certificate subject
// fields (C, CN, L, O, OU, ST) plus Validity (an int captured from a quoted
// string; presumably a number of days, e.g. "365" in the README — confirm
// against the Cobalt Strike documentation). Password is kept in plaintext
// and is presumably emitted by String() with the other fields, so treat
// parsed profiles that carry it as sensitive.
type HTTPSCertificate struct {
	Name string `parser:"@String? \"{\""`

	Keystore string `parser:"( \"set\" \"keystore\" @String \";\""`
	Password string `parser:"| \"set\" \"password\" @String \";\""`

	C        string `parser:"| \"set\" \"C\" @String \";\""`
	CN       string `parser:"| \"set\" \"CN\" @String \";\""`
	L        string `parser:"| \"set\" \"L\" @String \";\""`
	O        string `parser:"| \"set\" \"O\" @String \";\""`
	OU       string `parser:"| \"set\" \"OU\" @String \";\""`
	ST       string `parser:"| \"set\" \"ST\" @String \";\""`
	Validity int    `parser:"| \"set\" \"validity\" @String \";\")* \"}\""`
}

func (HTTPSCertificate) String

func (b HTTPSCertificate) String() string

type HTTPServer

// HTTPServer is the server sub-block shared by http-get, http-post and
// http-stager: `header` statements and the `output { ... }` function
// sequence, in any order.
type HTTPServer struct {
	Headers []Header   `parser:"( \"header\" @@ \";\""`
	Output  []Function `parser:"| \"output\" \"{\" @@* \"}\" )*"`
}

func (HTTPServer) String

func (b HTTPServer) String() string

type HTTPStager

// HTTPStager holds one http-stager block: an optional variant Name, the
// space-separated `set uri_x86`/`set uri_x64` lists, and the nested
// client/server blocks, in any order.
type HTTPStager struct {
	Name string `parser:"@String? \"{\""`

	URIx86 SpaceSeparatedList `parser:"( \"set\" \"uri_x86\" @String \";\""`
	URIx64 SpaceSeparatedList `parser:"| \"set\" \"uri_x64\" @String \";\""`
	Client HTTPStagerClient   `parser:"| \"client\" \"{\" @@ \"}\""`
	Server HTTPServer         `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}

func (HTTPStager) String

func (b HTTPStager) String() string

type HTTPStagerClient

// HTTPStagerClient is the client sub-block of an http-stager block. Unlike
// the http-get/http-post client blocks it carries no function sequence —
// only `header` and `parameter` statements, in any order.
type HTTPStagerClient struct {
	Headers    []Header    `parser:"( \"header\" @@ \";\""`
	Parameters []Parameter `parser:"| \"parameter\" @@ \";\" )*"`
}

func (HTTPStagerClient) String

func (b HTTPStagerClient) String() string
// Header is the `header "Name" "Value";` statement: two consecutive quoted
// strings. The "header" keyword and the terminating semicolon belong to the
// enclosing struct's tag, not to this one; String adds the prefix back when
// rendering.
type Header struct {
	Name  string `parser:"@String"`
	Value string `parser:"@String"`
}

NOTE: key-value type with "header" prefix, used for headers parsing and (mostly) stringer, e.g. header "Accept-Encoding" "gzip, deflate";.

func (Header) String

func (h Header) String() string

type Parameter

// Parameter is the `parameter "name" "value";` statement: two consecutive
// quoted strings, structurally identical to Header and differing only in the
// keyword String prepends when rendering.
type Parameter struct {
	Name  string `parser:"@String"`
	Value string `parser:"@String"`
}

NOTE: key-value type with "parameter" prefix, used for parameters parsing and (mostly) stringer, e.g. parameter "param_name" "param_value";.

func (Parameter) String

func (p Parameter) String() string

type PostEx

// PostEx holds the post-ex block: "set" directives (the Boolean ones are
// captured from quoted strings via Boolean.Capture) and the
// transform-x86/transform-x64 function sequences, all in any order. Note
// that PipeName here is spelled differently from Profile.Pipename although
// both map to a `pipename` directive.
type PostEx struct {
	SpawnToX86  string  `parser:"( \"set\" \"spawnto_x86\" @String \";\""`
	SpawnToX64  string  `parser:"| \"set\" \"spawnto_x64\" @String \";\""`
	Obfuscate   Boolean `parser:"| \"set\" \"obfuscate\" @String \";\""`
	SmartInject Boolean `parser:"| \"set\" \"smartinject\" @String \";\""`
	AmsiDisable Boolean `parser:"| \"set\" \"amsi_disable\" @String \";\""`
	Cleanup     Boolean `parser:"| \"set\" \"cleanup\" @String \";\""`
	ThreadHint  string  `parser:"| \"set\" \"thread_hint\" @String \";\""`
	PipeName    string  `parser:"| \"set\" \"pipename\" @String \";\""`
	Keylogger   string  `parser:"| \"set\" \"keylogger\" @String \";\""`

	TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
	TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\" )*"`
}

func (PostEx) String

func (b PostEx) String() string

type ProcessInject

// ProcessInject holds the process-inject block: "set" directives (MinAlloc
// is an int captured from a quoted string; the Boolean fields go through
// Boolean.Capture), the transform-x86/transform-x64 function sequences and
// the `execute { ... }` sequence, all in any order.
type ProcessInject struct {
	Allocator      string  `parser:"( \"set\" \"allocator\" @String \";\""`
	BOFAllocator   string  `parser:"| \"set\" \"bof_allocator\" @String \";\""`
	BOFReuseMemory Boolean `parser:"| \"set\" \"bof_reuse_memory\" @String \";\""`
	MinAlloc       int     `parser:"| \"set\" \"min_alloc\" @String \";\""`
	UseRWX         Boolean `parser:"| \"set\" \"userwx\" @String \";\""`
	StartRWX       Boolean `parser:"| \"set\" \"startrwx\" @String \";\""`

	TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
	TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\""`

	Execute []Function `parser:"| \"execute\" \"{\" @@* \"}\" )*"`
}

func (ProcessInject) String

func (b ProcessInject) String() string

type Profile

// Profile is the parsed form of a whole Malleable C2 profile: the top-level
// "set" directives followed by the named blocks. The tags form a single
// alternation repeated zero or more times, so directives and blocks may be
// interleaved in any order. Blocks a profile may declare more than once
// (with variant names) are slices; the rest are single values. Parse fills a
// Profile from an io.Reader and String renders it back to profile text.
// Only syntax is checked on the way in — the README states that no semantic
// checks are implemented — so callers that emit profiles should still run
// the output through c2lint. For a defender working from a captured
// profile, UserAgent, HTTPConfig and the http-get/http-post/http-stager
// URIs and headers are the fields a network detection would be derived from.
type Profile struct {
	SampleName           string             `parser:"( \"set\" \"sample_name\" @String \";\""`
	// Numeric directives are captured as quoted strings and converted to int.
	SleepTime            int                `parser:"| \"set\" \"sleeptime\" @String \";\""`
	Jitter               int                `parser:"| \"set\" \"jitter\" @String \";\""`
	UserAgent            string             `parser:"| \"set\" \"useragent\" @String \";\""`
	DataJitter           int                `parser:"| \"set\" \"data_jitter\" @String \";\""`
	HostStage            Boolean            `parser:"| \"set\" \"host_stage\" @String \";\""`
	Pipename             string             `parser:"| \"set\" \"pipename\" @String \";\""`
	PipenameStager       string             `parser:"| \"set\" \"pipename_stager\" @String \";\""`
	SMBFrameHeader       string             `parser:"| \"set\" \"smb_frame_header\" @String \";\""`
	TCPPort              int                `parser:"| \"set\" \"tcp_port\" @String \";\""`
	TCPFrameHeader       string             `parser:"| \"set\" \"tcp_frame_header\" @String \";\""`
	SSHBanner            string             `parser:"| \"set\" \"ssh_banner\" @String \";\""`
	SSHPipename          string             `parser:"| \"set\" \"ssh_pipename\" @String \";\""`
	StealTokenAccessMask int                `parser:"| \"set\" \"steal_token_access_mask\" @String \";\""`
	TasksMaxSize         int                `parser:"| \"set\" \"tasks_max_size\" @String \";\""`
	TasksProxyMaxSize    int                `parser:"| \"set\" \"tasks_proxy_max_size\" @String \";\""`
	TasksDNSProxyMaxSize int                `parser:"| \"set\" \"tasks_dns_proxy_max_size\" @String \";\""`
	HeadersRemove        CommaSeparatedList `parser:"| \"set\" \"headers_remove\" @String \";\""`

	// Blocks that carry their own braces (and an optional variant name) use
	// a bare @@; the single-instance blocks have the braces in the tag here.
	DNSBeacon        []DNSBeacon        `parser:"| \"dns-beacon\" @@"`
	HTTPBeacon       []HTTPBeacon       `parser:"| \"http-beacon\" @@"`
	HTTPSCertificate []HTTPSCertificate `parser:"| \"https-certificate\" @@"`
	CodeSigner       CodeSigner         `parser:"| \"code-signer\" \"{\" @@ \"}\""`
	HTTPConfig       HTTPConfig         `parser:"| \"http-config\" \"{\" @@ \"}\""`
	HTTPGet          []HTTPGet          `parser:"| \"http-get\" @@"`
	HTTPPost         []HTTPPost         `parser:"| \"http-post\" @@"`
	HTTPStager       []HTTPStager       `parser:"| \"http-stager\" @@"`
	Stage            Stage              `parser:"| \"stage\" \"{\" @@ \"}\""`
	ProcessInject    ProcessInject      `parser:"| \"process-inject\" \"{\" @@ \"}\""`
	PostEx           PostEx             `parser:"| \"post-ex\" \"{\" @@ \"}\" )*"`
}

func Parse

func Parse(data io.Reader) (*Profile, error)

Parse reads a Cobalt Strike Malleable C2 profile from data and returns the parsed Profile, or an error if the profile is syntactically invalid.

func (Profile) String

func (d Profile) String() string

type SpaceSeparatedList added in v1.1.0

// SpaceSeparatedList (added in v1.1.0) is a list of strings that appears in
// the profile as a single space-separated quoted value, e.g.
// "/jquery-3.3.1.min.js /jquery-1.3.3.7.min.js /someotherurl". Capture
// splits the value on parse and String joins it again on output.
type SpaceSeparatedList []string

NOTE: default space-separated string list parser and stringer, e.g. /jquery-3.3.1.min.js /jquery-1.3.3.7.min.js /someotherurl.

func (*SpaceSeparatedList) Capture added in v1.1.0

func (l *SpaceSeparatedList) Capture(values []string) error

func (SpaceSeparatedList) String added in v1.1.0

func (l SpaceSeparatedList) String() string

type Stage

// Stage holds the stage block: "set" directives (ints and Booleans are
// captured from quoted strings), the transform-x86/transform-x64 function
// sequences, and the `data`/`string`/`stringw` statements, each collected
// into its own slice, all in any order. SwtringsW is a misspelling of
// StringsW; the field is exported, so renaming it would break callers and it
// is left as-is.
type Stage struct {
	Checksum      int     `parser:"( \"set\" \"checksum\" @String \";\""`
	CompileTime   string  `parser:"| \"set\" \"compile_time\" @String \";\""`
	EntryPoint    int     `parser:"| \"set\" \"entry_point\" @String \";\""`
	ImageSizeX86  int     `parser:"| \"set\" \"image_size_x86\" @String \";\""`
	ImageSizeX64  int     `parser:"| \"set\" \"image_size_x64\" @String \";\""`
	Name          string  `parser:"| \"set\" \"name\" @String \";\""`
	RichHeader    string  `parser:"| \"set\" \"rich_header\" @String \";\""`
	UseRWX        Boolean `parser:"| \"set\" \"userwx\" @String \";\""`
	Cleanup       Boolean `parser:"| \"set\" \"cleanup\" @String \";\""`
	SleepMask     Boolean `parser:"| \"set\" \"sleep_mask\" @String \";\""`
	StompPE       Boolean `parser:"| \"set\" \"stomppe\" @String \";\""`
	Obfuscate     Boolean `parser:"| \"set\" \"obfuscate\" @String \";\""`
	Allocator     string  `parser:"| \"set\" \"allocator\" @String \";\""`
	MagicMZX86    string  `parser:"| \"set\" \"magic_mz_x86\" @String \";\""`
	MagicMZX64    string  `parser:"| \"set\" \"magic_mz_x64\" @String \";\""`
	MagicPE       string  `parser:"| \"set\" \"magic_pe\" @String \";\""`
	SmartInject   Boolean `parser:"| \"set\" \"smartinject\" @String \";\""`
	ModuleX86     string  `parser:"| \"set\" \"module_x86\" @String \";\""`
	ModuleX64     string  `parser:"| \"set\" \"module_x64\" @String \";\""`
	SyscallMethod string  `parser:"| \"set\" \"syscall_method\" @String \";\""`

	TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
	TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\""`

	Data      []Data    `parser:"| \"data\" @String \";\""`
	Strings   []String  `parser:"| \"string\" @String \";\""`
	// NOTE(review): misspelled (should be StringsW); kept for API compatibility.
	SwtringsW []StringW `parser:"| \"stringw\" @String \";\" )*"`
}

func (Stage) String

func (b Stage) String() string

type String

// String is the quoted argument of a stage-block "string" statement; its
// String method renders it back as that statement.
type String string

NOTE: parser and stringer for "string" function.

func (String) String

func (s String) String() string

type StringW

// StringW is the quoted argument of a stage-block "stringw" statement; its
// String method renders it back as that statement.
type StringW string

NOTE: parser and stringer for "stringw" function.

func (StringW) String

func (s StringW) String() string
