Documentation
¶
Overview ¶
Package task is a simple collection of Task based functions that cane be tasked to Sessions by the Server.
THis package is separate rom the c2 package to allow for seperation and containerization of Tasks.
Basic internal Tasks are still help in the c2 package.
Index ¶
- Constants
- Variables
- func AssemblyUnmarshal(x context.Context, r data.Reader) (*cmd.Assembly, bool, error)
- func CheckDLL(d string) *com.Packet
- func Cwd(d string) *com.Packet
- func DLLUnmarshal(_ context.Context, _ data.Reader) (*cmd.DLL, bool, bool, error)
- func Download(src string) *com.Packet
- func Elevate(f *filter.Filter) *com.Packet
- func Ls(d string) *com.Packet
- func Migrate(f *filter.Filter, s string, c Callable) *com.Packet
- func MigrateProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet
- func MigrateProfileEx(f *filter.Filter, w bool, s string, b []byte, c Callable) *com.Packet
- func MigratePull(f *filter.Filter, s, url string) *com.Packet
- func MigratePullProfile(f *filter.Filter, s string, b []byte, url string) *com.Packet
- func MigratePullProfileEx(f *filter.Filter, w bool, s string, b []byte, url string) *com.Packet
- func Mounts() *com.Packet
- func ProcessDump(f *filter.Filter) *com.Packet
- func ProcessList() *com.Packet
- func ProcessName(s string) *com.Packet
- func ProcessUnmarshal(x context.Context, r data.Reader) (*cmd.Process, bool, error)
- func Pull(url, path string) *com.Packet
- func PullExecute(url string, w bool, f *filter.Filter) *com.Packet
- func Pwd() *com.Packet
- func Refresh() *com.Packet
- func RegDelete(key, value string, force bool) *com.Packet
- func RegDeleteKey(key string, force bool) *com.Packet
- func RegGet(key, value string) *com.Packet
- func RegLs(s string) *com.Packet
- func RegMakeKey(key string) *com.Packet
- func RegSet(key, value string, t uint32, b []byte) *com.Packet
- func RegSetBytes(key, value string, b []byte) *com.Packet
- func RegSetDword(key, value string, v uint32) *com.Packet
- func RegSetExpandString(key, value, v string) *com.Packet
- func RegSetQword(key, value string, v uint64) *com.Packet
- func RegSetString(key, value, v string) *com.Packet
- func RegSetStringList(key, value string, v []string) *com.Packet
- func RegisterEngine(i uint8, s Engine) error
- func ReloadDLL(d string) *com.Packet
- func RevToSelf() *com.Packet
- func ScreenShot() *com.Packet
- func Spawn(f *filter.Filter, s string, c Callable) *com.Packet
- func SpawnProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet
- func SpawnPull(f *filter.Filter, s, url string) *com.Packet
- func SpawnPullProfile(f *filter.Filter, s string, b []byte, url string) *com.Packet
- func Upload(dst string, b []byte) *com.Packet
- func UploadFile(dst, src string) (*com.Packet, error)
- func UploadReader(dst string, r io.Reader) (*com.Packet, error)
- func WebResource(x context.Context, w data.Writer, z bool, u string) (cmd.Runnable, string, error)
- func ZombieUnmarshal(_ context.Context, _ data.Reader) (*cmd.Zombie, bool, bool, error)
- type Assembly
- type Callable
- type DLL
- type Engine
- type Process
- type Tasker
- type Tasklet
- type Zombie
- func ZombieAsm(b []byte, args ...string) *Zombie
- func ZombieAsmFile(s string, args ...string) (*Zombie, error)
- func ZombieAsmReader(r io.Reader, args ...string) (*Zombie, error)
- func ZombieDLL(dll string, args ...string) *Zombie
- func ZombieDLLFile(s string, args ...string) (*Zombie, error)
- func ZombieDLLReader(r io.Reader, args ...string) (*Zombie, error)
Constants ¶
const ( MvRefresh uint8 = 0x07 MvTime uint8 = 0x08 MvPwd uint8 = 0x09 MvCwd uint8 = 0x0A MvProxy uint8 = 0x0B // TODO(dij): setup MvSpawn uint8 = 0x0C MvMigrate uint8 = 0x0D MvElevate uint8 = 0x0E MvList uint8 = 0x0F MvMounts uint8 = 0x10 MvRevSelf uint8 = 0x11 MvProfile uint8 = 0x12 MvScript uint8 = 0xF0 // TODO(dij): setup // Built in Task Message ID Values // Supported by 'DefaultClientMux' TvDownload uint8 = 0xC0 TvUpload uint8 = 0xC1 TvExecute uint8 = 0xC2 TvAssembly uint8 = 0xC3 TvZombie uint8 = 0xC4 TvDLL uint8 = 0xC5 TvCheckDLL uint8 = 0xC6 TvReloadDLL uint8 = 0xC7 TvPull uint8 = 0xC8 TvPullExecute uint8 = 0xC9 TvRename uint8 = 0xCA TvScreenShot uint8 = 0xCB TvProcDump uint8 = 0xCC TvProcList uint8 = 0xCD TvRegistry uint8 = 0xCE )
The Mv* Packet ID values are built-in task values that are handled directory before the Mux, as these are critical for operations.
Tv* ID values are standard ID values for Tasks that are handled here.
Variables ¶
var Mappings = [0xFF]Tasker{ TvDownload: taskDownload, TvUpload: taskUpload, TvExecute: taskProcess, TvAssembly: taskAssembly, TvPull: taskPull, TvPullExecute: taskPullExec, TvZombie: taskZombie, TvDLL: taskInject, TvCheckDLL: taskCheck, TvReloadDLL: taskReload, TvRename: taskRename, TvScreenShot: taskScreenShot, TvProcDump: taskProcDump, TvProcList: taskProcList, TvRegistry: taskRegistry, }
Mappings is an fixed size array that contains the Tasker mappings for each ID value.
Values that are less than 22 are ignored. Adding a mapping to here will allow it to be executed via the client Scheduler.
Functions ¶
func AssemblyUnmarshal ¶ added in v0.2.0
AssemblyUnmarshal will read this Assembly's struct data from the supplied reader and returns a Assembly runnable struct along with the wait boolean.
This function returns an error if building or reading fails.
func CheckDLL ¶ added in v0.2.0
CheckDLL is a similar function to ReloadDLL. This function will return 'true' if the contents in memory match the contents of the file on disk. Otherwise it returns false.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvCheckDLL
Input:
string // DLL Name
Output:
bool // DLL Check result, true if normal.
C2 Client Command:
dll_check <name>
func Cwd ¶ added in v0.1.0
Cwd returns a change directory Packet. This can be used to instruct the client to change from it's current working directory to the directory specified.
Empty or invalid directory entires will return an error.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: MvCwd
Input:
string // Directory
Output:
<none>
C2 Client Command:
cd <path>
func DLLUnmarshal ¶ added in v0.2.0
DLLUnmarshal will read this DLL's struct data from the supplied reader and returns a DLL runnable struct along with the wait and delete status booleans.
This function returns an error if building or reading fails or if the device is not running Windows.
func Download ¶
Download returns a download Packet. This will instruct the client to read the (client local) filepath provided and return the raw binary data.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvDownload
Input:
string // Target
Output:
string // Expanded Target Path
bool // Target is Directory
int64 // Size
[]byte // Data
C2 Client Command:
download <src> [dest]
func Elevate ¶ added in v0.2.0
Elevate returns an evelate Packet. This will instruct the client to use the provided Filter to attempt to get a Token handle to an elevated process. If the Filter is nil, then the client will attempt at any elevated process.
C2 Details:
ID: MvElevate
Input:
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
Output:
<none>
C2 Client Command:
elevate [target]
func Ls ¶ added in v0.1.0
Ls returns a file list Packet. This can be used to instruct the client to return a string and bool list of the files in the directory specified.
If 'd' is empty, the current working directory "." is used.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: MvList
Input:
string // Directory
Output:
uint32 // Count
[]File struct { // List of Files
string // Name
int32 // Mode
uint64 // Size
int64 // Modtime
}
C2 Client Command:
ls [path] dir [path]
func MigrateProfile ¶ added in v0.2.0
MigrateProfile -
func MigrateProfileEx ¶ added in v0.2.0
MigrateProfileEx -
func MigratePull ¶ added in v0.2.0
MigratePull -
func MigratePullProfile ¶ added in v0.2.0
MigratePullProfile -
func MigratePullProfileEx ¶ added in v0.2.0
MigratePullProfileEx -
func Mounts ¶ added in v0.2.0
Mounts returns a list mounted drives Packet. This can be used to instruct the client to return a string list of all the mount points on the host device.
C2 Details:
ID: MvMounts
Input:
<none>
Output:
[]string // Mount Paths List
C2 Client Command:
mounts
func ProcessDump ¶ added in v0.2.2
ProcessDump will instruct the client to attempt to read and download then memory of the filter target. The returned data is a binary blob of the memory if successful.
C2 Details:
ID: TvProcDump
Input:
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
Output:
[]byte // Data
C2 Client Command:
dump <target>
func ProcessList ¶ added in v0.2.2
ProcessList returns a list processes Packet. This can be used to instruct the client to return a list of the current running host's processes.
C2 Details:
ID: TvProcList
Input:
<none>
Output:
uint32 // Count
[]cmd.ProcessInfo { // List of Running Processes
uint32 // Process ID
uint32 // Parent Process ID
string // Process Image Name
}
C2 Client Command:
ps
func ProcessName ¶ added in v0.2.2
ProcessName returns a process name change Packet. This can be used to instruct the client to change from it's current in-memory name to the specified string.
C2 Details:
ID: TvRename
Input:
string // New Process Name
Output:
<none>
C2 Client Command:
proc-name <name>
func ProcessUnmarshal ¶ added in v0.2.0
ProcessUnmarshal will read this Processes's struct data from the supplied reader and returns a Process runnable struct along with the wait boolean.
This function returns an error if building or reading fails.
func Pull ¶ added in v0.1.0
Pull returns a pull Packet. This will instruct the client to download the resource from the provided URL and write the data to the supplied local filesystem path.
The path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvPull
Input:
string // URL
string // Target Path
Output:
string // Expanded Destination Path
uint64 // Byte Count Written
C2 Client Command:
pull <url> <dest>
func PullExecute ¶ added in v0.2.0
PullExecute returns a pull and execute Packet. This will instruct the client to download the resource from the provided URL and execute the downloaded data.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
This function allows for specifying a Filter struct to specify the target parent process and the boolean flag can be set to true/false to specify if the task should wait for the process to exit.
Returns the same output as the 'Run*' tasks.
C2 Details:
ID: TvPullExecute
Input:
string // URL
bool // Wait
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
Output:
uint32 // PID
int32 // Exit Code
C2 Client Command:
pull-exec <url> [wait]
func Pwd ¶ added in v0.1.0
Pwd returns a print current directory Packet. This can be used to instruct the client to return a string value that contains the current working directory.
C2 Details:
ID: MvPwd
Input:
<none>
Output:
string // Working Dir
C2 Client Command:
pwd
func Refresh ¶ added in v0.2.0
Refresh returns a refresh Packet. This will instruct the client to re-update it's internal Device storage and return the new result. This can be used to detect new network interfaces added/removed and changes to hostname/user status.
This is NOT needed after a Migration, as this happens automatically.
C2 Details:
ID: MvRefresh
Input:
<none>
Output:
Machine // Updated device details
C2 Client Command:
refresh
func RegDelete ¶ added in v0.2.3
RegDelete returns a delete key/value Packet. This can be used to instruct the client to delete a key or value at the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
bool // Delete Recursively or Delete non-empty Keys
Output:
uint8 // Operation
C2 Client Command:
reg delete [-f] <path> [value] reg del [-f] <path> [value]
func RegDeleteKey ¶ added in v0.2.3
RegDeleteKey returns a delete key Packet. This can be used to instruct the client to delete a key at the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
bool // Delete Recursively or Delete non-empty Keys
Output:
uint8 // Operation
C2 Client Command:
reg delete [-f] <path> reg del [-f] <path>
func RegGet ¶ added in v0.2.3
RegGet returns a get key/value Packet. This can be used to instruct the client to return a entry details for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
Output:
uint8 // Operation
Entry struct { // Entry
string // Name
uint32 // Type
[]byte // Data
}
C2 Client Command:
reg query <path> <value> reg get <path> <value> reg <path> <value>
func RegLs ¶ added in v0.2.3
RegLs returns a list registry keys/values Packet. This can be used to instruct the client to return a list of Registry entries for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
Output:
uint8 // Operation
uint32 // Count
[]Entry struct { // List of Entries
string // Name
uint32 // Type
[]byte // Data
}
C2 Client Command:
reg query <path> reg dir <path> reg ls <path>
func RegMakeKey ¶ added in v0.2.3
RegMakeKey returns a make registry key Packet. This can be used to instruct the client to make a key at specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
Output:
uint8 // Operation
C2 Client Command:
reg mkdir <path> reg mk <path>
func RegSet ¶ added in v0.2.3
RegSet returns a set content key/value Packet. This can be used to instruct the client to set the raw value content to the supplied raw bytes for the specified registry path along with the type.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
uint32 // Type
[]byte // Content
Output:
uint8 // Operation
func RegSetBytes ¶ added in v0.2.3
RegSetBytes returns a set as a BINARY (bytes) key/value Packet. This can be used to instruct the client to set the value content to the supplied bytes for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
[]byte // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> binary <content (as base64)> reg set <path> <value> bin <content (as base64)> reg set <path> <value> b <content (as base64)>
func RegSetDword ¶ added in v0.2.3
RegSetDword returns a set as a DWORD (uint32) key/value Packet. This can be used to instruct the client to set the value content to the supplied DWORD for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
uint32 // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> dword <content> reg set <path> <value> d <content>
func RegSetExpandString ¶ added in v0.2.3
RegSetExpandString returns a set as expand string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
string // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> expand <content> reg set <path> <value> e <content>
func RegSetQword ¶ added in v0.2.3
RegSetQword returns a set as QWORD (uint64) key/value Packet. This can be used to instruct the client to set the value content to the supplied QWORD for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
uint64 // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> qword <content> reg set <path> <value> q <content>
func RegSetString ¶ added in v0.2.3
RegSetString returns a set as string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
string // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> string <content> reg set <path> <value> s <content>
func RegSetStringList ¶ added in v0.2.3
RegSetStringList returns a set as multi string key/value Packet. This can be used to instruct the client to set the value content to the supplied strings for the specified registry path.
C2 Details:
ID: TvRegistry
Input:
uint8 // Operation
string // Key Path
string // Value Name
[]string // Content
Output:
uint8 // Operation
C2 Client Command:
reg set <path> <value> multi <content1,contentN | content1 contentN> reg set <path> <value> m <content1,contentN | content1 contentN>
func RegisterEngine ¶
RegisterEngine is a function that can be used to register a Scripting engine into the XMT client tasking runtime.
Script engines can increase the footprint of the compiled binary, so engines must be registed manually.
See the 'cmd/script' package for scripting engines.
C2 Details:
ID: <Supplied>
Input:
string (script)
Output:
string (output)
func ReloadDLL ¶ added in v0.2.0
ReloadDLL is a function shamelessly stolen from the sliver project. This function will read a DLL file from on-disk and rewrite over it's current in-memory contents to erase any hooks placed on function calls.
Re-mastered and refactored to be less memory hungry and easier to read :P
Orig src here:
https://github.com/BishopFox/sliver/blob/f94f0fc938ca3871390c5adfa71bf4edc288022d/implant/sliver/evasion/evasion_windows.go#L116
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvReloadDLL
Input:
string // DLL Name
Output:
<none>
C2 Client Command:
dll_reload <name>
func RevToSelf ¶ added in v0.2.0
RevToSelf returns a Rev2Self Packet. This can be used to instruct Windows based devices to drop any previous elevated Tokens they may posess and return to their "normal" Token.
This task result does not return any data, only errors if it fails.
C2 Details:
ID: MvRevSelf
Input:
<none>
Output:
<none>
C2 Client Command:
rev2self
func ScreenShot ¶ added in v0.2.2
ScreenShot returns a screenshot Packet. This will instruct the client to attempt to get a screenshot of all the current active desktops on the host. If successful, the returned data is a binary blob of the resulting image, encoded in the PNG image format.
C2 Details:
ID: TVScreenShot
Input:
<none>
Output:
[]byte // Data
C2 Client Command:
screenshot
func SpawnProfile ¶ added in v0.2.0
SpawnProfile -
func SpawnPullProfile ¶ added in v0.2.0
SpawnPullProfile -
func Upload ¶
Upload returns a upload Packet. This will instruct the client to write the provided byte array to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.
The destination path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvUpload
Input:
string // Destination
[]byte // File Data
Output:
string // Expanded Destination Path
uint64 // Byte Count Written
C2 Client Command:
upload <src> <dst>
func UploadFile ¶ added in v0.1.0
UploadFile returns a upload Packet. This will instruct the client to write the provided (server local) file content to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.
The destination path may contain environment variables that will be resolved during runtime.
The source path may contain environment variables that will be resolved on server execution.
C2 Details:
ID: TvUpload
Input:
string // Destination
[]byte // File Data
Output:
string // Expanded Destination Path
uint64 // Byte Count Written
C2 Client Command:
upload <src> <dst>
func UploadReader ¶ added in v0.1.0
UploadReader returns a upload Packet. This will instruct the client to write the provided reader content to the filepath provided. The client will return the number of bytes written and the resulting file path.
The destination path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvUpload
Input:
string // Destination
[]byte // File Data
Output:
string // Expanded Destination Path
uint64 // Byte Count Written
C2 Client Command:
upload <src> <dst>
func WebResource ¶ added in v0.2.0
WebResource will attempt to download the URL target at 'u' and parse the data into a Runnable interface.
The passed Writer will be passed as Stdout/Stderr to certain processes if the 'z' flag is true.
The returned string is the full expanded path if a temporary file is created. It's the callers responsibility to delete this file when not needed.
This function uses the 'man.ParseDownloadHeader' function to assist with determining the executable type.
func ZombieUnmarshal ¶ added in v0.2.0
ZombieUnmarshal will read this Zombies's struct data from the supplied reader and returns a Zombie runnable struct along with the wait and delete status booleans.
This function returns an error if building or reading fails or if the device is not running Windows.
Types ¶
type Assembly ¶ added in v0.1.0
Assembly is a Tasklet that is similar to the 'cmd.Assembly' struct.
This struct is used to Task a Client with running shellcode on devices. It has many of the functionallies matching the 'cmd.Assembly' struct.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The 'SetParent' function will attempt to set the target that runs the shellcode. If none are specified, the shellcode will be injected into the client process.
C2 Details:
ID: TvAssembly
Input:
Assembly struct {
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Assembly Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
asm <file> assembly <file>
func AssemblyFile ¶ added in v0.2.0
AssemblyFile will create a Tasklet that will instruct the client to run shellcode from a file source on the local (server - the one calling this function) machine.
This will attempt to read the file and will return an error if it fails.
C2 Details:
ID: TvAssembly
Input:
Assembly struct {
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Assembly Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
asm <file> assembly <file>
func AssemblyReader ¶ added in v0.2.0
AssemblyReader will create a Tasklet that will instruct the client to run shellcode from the contents of the supplied Reader.
This will attempt to read from the Reader and will return an error if it fails.
C2 Details:
ID: TvAssembly
Input:
Assembly struct {
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Assembly Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
asm <file> assembly <file>
func (Assembly) MarshalStream ¶ added in v0.1.0
MarshalStream writes the data for this Code thread to the supplied Writer.
func (Assembly) Packet ¶ added in v0.2.0
Packet will take the configured Assembly options and will return a Packet and any errors that may occur during building.
This allows the Assembly struct to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvAssembly
Input:
Assembly struct {
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Assembly Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
asm <file> assembly <file>
type Callable ¶ added in v0.2.0
type Callable interface {
MarshalStream(data.Writer) error
// contains filtered or unexported methods
}
Callable is an internal interface used to specify a wide range of Runnabale types that can be Marshaled into a Packet.
Currently the DLL, Zombie, Assembly and Process instances are supported.
type DLL ¶ added in v0.2.0
DLL is a Tasklet that is similar to the 'cmd.DLL' struct. This is used to Task a Client with loading a DLL.
The Path parameter is the path (on the client) where the DLL is located. This may be omitted and Data can be filled instead with the raw binary data to send and load a remote DLL instead. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: TvDLL
Input:
DLL struct {
string // Path
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Raw DLL Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
dll <path> dll_local <path>
func DLLFile ¶ added in v0.2.0
DLLFile will create a Tasklet that will instruct the client to local a DLL from the specified local (server - the one calling this function) file source. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvInjectDLL
Input:
DLL struct {
string // Path
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Raw DLL Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
dll_local <path>
func DLLReader ¶ added in v0.2.0
DLLReader will create a Tasklet that will instruct the client to local a DLL from the specified reader source. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvInjectDLL
Input:
DLL struct {
string // Path
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Raw DLL Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
dll_local <path>
func (DLL) MarshalStream ¶ added in v0.2.0
MarshalStream writes the data for this DLL task to the supplied Writer.
func (DLL) Packet ¶ added in v0.2.0
Packet will take the configured DLL options and will return a Packet and any errors that may occur during building.
This allows the DLL struct to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvDLL
Input:
DLL struct {
string // Path
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Raw DLL Data
}
Output:
uint64 // Handle
uint32 // PID
int32 // Exit Code
C2 Client Command:
dll <path> dll_local <path>
type Engine ¶
Engine is an interface that allows for extending XMT with non-compiled code for easy deployability and flexibility.
Each Script interface contains a single function that will take a Context, an environment block and the script code string.
The result of this function will be the output of the script and any errors that may occur.
By default, the 'ID', 'OS', 'PID' 'PPID', 'OSVER' and 'HOSTNAME' variables are built-in to assist with code runtime.
type Process ¶
type Process struct {
Filter *filter.Filter
Dir string
Env, Args []string
Stdin []byte
Timeout time.Duration
Flags uint32
Wait, Hide bool
}
Process is a Tasklet that is similar to the 'cmd.Process' struct. This is used to Task a Client with running a specified command.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: TvExecute
Input:
Process struct {
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
<command...> run <command...> hup <command...> shell <command...>
func Run ¶
Run will create a Tasklet that will instruct the client to run a command. This command will parsed using the 'cmd.Split' function.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
The response to this task will return the PID, ExitCode and Stdout/Stderr data.
C2 Details:
ID: TvExecute
Input:
Process struct {
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
<command...> run <command...>
func Shell ¶ added in v0.2.0
Shell will create a Task that will instruct the client to run a shell command. The command will be passed as an argument to the default shell found on the device.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be ran under the client process.
The response to this task will return the PID, ExitCode and Stdout/Stderr data.
C2 Details:
ID: TvExecute
Input:
Process struct {
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
shell <command...>
func (Process) MarshalStream ¶
MarshalStream writes the data for this Process to the supplied Writer.
func (Process) Packet ¶ added in v0.2.0
Packet will take the configured Process options and will return a Packet and any errors that may occur during building.
This allows Process to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvAssembly
Input:
Process struct {
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
<command...> run <command...> hup <command...> shell <command...>
type Tasker ¶
Tasker is an function alias that will be tasked with executing a Job and will return an error or write the results to the supplied Writer. Associated data can be read from the supplied Reader.
This function is NOT responsible with writing any error codes, the parent caller will handle that.
type Tasklet ¶ added in v0.2.0
Tasklet is an interface that allows for Sessions to be directly tasked without creating the underlying Packet.
The 'Packet' function should return a Packet that has the Task data or any errors that may have occurred during Packet generation.
This function should be able to be called multiple times.
type Zombie ¶ added in v0.2.0
type Zombie struct {
Filter *filter.Filter
Path, Dir string
Data []byte
Env, Args []string
Stdin []byte
Timeout time.Duration
Flags uint32
// IsDLL is set to true if the 'Data' slice should be considered a DLL
// file instead of raw Assembly.
IsDLL bool
Wait, Hide bool
}
Zombie is a Tasklet that is similar to the 'cmd.Zombie' struct. This is used to Task a Client with running a specified zombie command.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieAsm ¶ added in v0.2.0
ZombieAsm will create a Zombie Tasklet that can be used to run the supplied Assembly in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieAsmFile ¶ added in v0.2.0
ZombieAsmFile will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified local (server) file source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieAsmReader ¶ added in v0.2.0
ZombieAsmReader will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified reader source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieDLL ¶ added in v0.2.0
ZombieDLL will create a Zombie Tasklet that can be used to run the supplied DLL in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieDLLFile ¶ added in v0.2.0
ZombieDLLFile will create a Zombie Tasklet that can be used to run the supplied DLL from the specified local (server) file source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func ZombieDLLReader ¶ added in v0.2.0
ZombieDLLReader will create a Zombie Tasklet that can be used to run the supplied DLL from the specified reader source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be ran under the client process.
C2 Details:
ID: WvZombie
Input:
Zombie struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
func (Zombie) MarshalStream ¶ added in v0.2.0
MarshalStream writes the data for this Zombie to the supplied Writer.
func (Zombie) Packet ¶ added in v0.2.0
Packet will take the configured Zombie options and will return a Packet and any errors that may occur during building.
This allows Zombie to fulfil the 'Tasklet' interface.
C2 Details:
ID: WvZombie
Input:
Process struct {
string // Path
[]byte // Data
bool // IsDLL
[]string // Args
string // Dir
[]string // Environment
uint32 // Flags
bool // Wait
int64 // Timeout
bool // Filter Status
Filter struct { // Filter
bool // Filter Status
uint32 // PID
bool // Fallback
uint8 // Session
uint8 // Elevated
[]string // Exclude
[]string // Include
}
[]byte // Stdin Data
}
Output:
uint32 // PID
int32 // Exit Code
[]byte // Output (Stdout and Stderr)
C2 Client Command:
zombie_asm <file> <args...> zombie_dll <file> <args...> zombie_dll_local <file> <args...>
Source Files
Directories