Documentation ¶
Index ¶
- Constants
- Variables
- func Daemon(_ string, f DaemonFunc) error
- func DaemonTicker(_ string, t time.Duration, f DaemonFunc) error
- func DumpProcess(f *filter.Filter, w io.Writer) error
- func Expand(s string) string
- func FreeOSMemory()
- func GoExit()
- func Impersonate(_ *filter.Filter) error
- func ImpersonateUser(_, _, _ string) error
- func IsDebugged() bool
- func Mounts() ([]string, error)
- func Proxy(r *http.Request) (*url.URL, error)
- func RevertToSelf() error
- func SetCritical(_ bool) (bool, error)
- func SetProcessName(s string) error
- type Address
- func (a Address) IP() net.IP
- func (a Address) Is4() bool
- func (a Address) Is6() bool
- func (a Address) IsBroadcast() bool
- func (a Address) IsGlobalUnicast() bool
- func (a Address) IsInterfaceLocalMulticast() bool
- func (a Address) IsLinkLocalMulticast() bool
- func (a Address) IsLinkLocalUnicast() bool
- func (a Address) IsLoopback() bool
- func (a Address) IsMulticast() bool
- func (a Address) IsPrivate() bool
- func (a Address) IsUnspecified() bool
- func (a Address) IsZero() bool
- func (a Address) Len() int
- func (a Address) MarshalJSON() ([]byte, error)
- func (a Address) MarshalStream(w data.Writer) error
- func (a Address) MarshalText() ([]byte, error)
- func (a *Address) Set(i net.IP)
- func (a Address) String() string
- func (a *Address) UnmarshalJSON(b []byte) error
- func (a *Address) UnmarshalStream(r data.Reader) error
- func (a *Address) UnmarshalText(b []byte) error
- type DaemonFunc
- type ID
- func (i ID) Empty() bool
- func (i ID) Full() string
- func (i ID) Hash() uint32
- func (i ID) Load(s string) error
- func (i ID) MarshalStream(w data.Writer) error
- func (i *ID) Read(r io.Reader) error
- func (i ID) Save(s string) error
- func (i *ID) Seed(b []byte)
- func (i ID) Signature() string
- func (i ID) String() string
- func (i *ID) UnmarshalStream(r data.Reader) error
- func (i ID) Write(w io.Writer) error
- type Machine
- type Network
- type OSType
- Bugs
Constants ¶
const (
    // IDSize is the amount of bytes used to store the Host ID and
    // SessionID values. The ID is the (HostID + SessionID).
    IDSize = 32
    // MachineIDSize is the amount of bytes that is used as the Host
    // specific ID value that does not change when on the same host.
    MachineIDSize = 28
)
const (
    // Shell is the default machine specific command shell.
    Shell = "/bin/sh"
    // ShellArgs is the default machine specific command shell arguments to run
    // commands.
    ShellArgs = "-c"
    // PowerShell is the path to the PowerShell binary, which is based on the
    // underlying OS type.
    PowerShell = "pwsh"
)
const Arch = arch.Current
Arch represents the current device Architecture type.
const IPv6 = true
IPv6 is a compile-time flag that enables (true) or disables (false) support for IPv6-based network addresses.
const OS = Linux
OS is the local machine's Operating System type.
Variables ¶
var ErrNoWindows = xerr.Sub("only supported on Windows devices", 0x20)
ErrNoWindows is an error that is returned when a non-Windows device attempts a Windows specific function.
var ErrQuit = xerr.Sub("quit", 0x1F)
ErrQuit is an error that can be returned from a DaemonFunc to indicate a clean (non-error) break of the Daemon loop.
Functions ¶
func Daemon ¶ added in v0.2.2
func Daemon(_ string, f DaemonFunc) error
Daemon starts a "Service" (on Windows devices) and runs the function until interrupted. This call blocks while the function runs and can be interrupted via the Windows service control manager or by signals (on Linux).
Any errors during runtime or returned from the function will be returned.
NOTE: The 'name' argument is the service name on Windows, but is ignored on *nix systems.
func DaemonTicker ¶ added in v0.2.2
func DaemonTicker(_ string, t time.Duration, f DaemonFunc) error
DaemonTicker starts a "Service" (on Windows devices) and runs the function every 't' duration until interrupted. This call blocks while running and can be interrupted via the Windows service control manager or by signals (on Linux).
Returning the error 'ErrQuit' breaks the loop without an error.
Any errors during runtime or returned from the function will be returned. Any other non-nil (non-ErrQuit) error return breaks the loop with that error.
NOTE: The 'name' argument is the service name on Windows, but is ignored on *nix systems.
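The ErrQuit contract above is easy to get wrong when the body wraps errors. The following is an added example, not the package's own code: a plain Go ticker loop that follows the documented DaemonTicker rules (nil keeps going, ErrQuit stops cleanly, anything else is returned). It assumes DaemonFunc takes a context.Context, which the page does not show, so that the loop can be stopped without OS signals; ErrQuit, quitAfter and errBeacon are stand-ins defined here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrQuit mirrors device.ErrQuit: the sentinel a DaemonFunc returns to leave
// the loop cleanly. This file is an illustrative stand-in, not the package.
var ErrQuit = errors.New("quit")

// DaemonFunc takes a context here (an assumption of this example; the page
// does not show the type's parameters) so the loop can be interrupted
// without relying on OS signals or the service control manager.
type DaemonFunc func(ctx context.Context) error

// runTicker follows the documented DaemonTicker contract on a plain Go loop:
// call f every t; a nil return keeps going; ErrQuit (also when wrapped)
// ends the loop with a nil error; any other error ends it with that error.
// Cancellation of ctx is treated as a clean stop and also returns nil.
func runTicker(ctx context.Context, t time.Duration, f DaemonFunc) error {
	tick := time.NewTicker(t)
	defer tick.Stop()
	for {
		select {
		case <-ctx.Done():
			return nil
		case <-tick.C:
			err := f(ctx)
			switch {
			case err == nil:
				continue
			case errors.Is(err, ErrQuit):
				return nil
			default:
				return err
			}
		}
	}
}

// quitAfter returns a DaemonFunc that performs n runs, then asks to quit.
// It wraps ErrQuit with %w to show that errors.Is still recognises it.
func quitAfter(n int, runs *int) DaemonFunc {
	return func(context.Context) error {
		*runs++
		if *runs >= n {
			return fmt.Errorf("beacon done after %d runs: %w", *runs, ErrQuit)
		}
		return nil
	}
}

// errBeacon stands in for a hard failure inside the body (constructed).
var errBeacon = errors.New("beacon: transport unreachable")

func main() {
	var runs int
	err := runTicker(context.Background(), 10*time.Millisecond, quitAfter(3, &runs))
	fmt.Println("quit:", runs, err) // quit: 3 <nil>

	err = runTicker(context.Background(), 10*time.Millisecond, func(context.Context) error { return errBeacon })
	fmt.Println("failure:", err) // failure: beacon: transport unreachable

	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	runs = 0
	err = runTicker(ctx, 10*time.Millisecond, func(context.Context) error { runs++; return nil })
	fmt.Println("interrupted:", runs > 0, err) // interrupted: true <nil>
}
```

Because the comparison uses errors.Is rather than ==, a body that annotates its quit reason with fmt.Errorf("...: %w", ErrQuit) still exits cleanly; comparing with == would turn that into a loop break with a non-zero exit, which is the "non-nil errors are exit code 1" rule from DaemonFunc.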
func DumpProcess ¶ added in v0.2.2
func DumpProcess(f *filter.Filter, w io.Writer) error
DumpProcess will attempt to copy the memory of the targeted Filter to the supplied Writer. This will select the first process that matches the Filter.
If the Filter is nil or empty or if an error occurs during reading/writing an error will be returned.
func Expand ¶
func Expand(s string) string
Expand substitutes environment variables from the current session into the supplied string.
This function supports both Windows (%var%) and *nix ($var or ${var}) variable substitutions.
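As an added illustration of the two substitution syntaxes described above (this is not the package's implementation), the expander below handles %NAME%, $NAME and ${NAME} in one pass against a lookup function. The sample environment, the case-folding lookup and the name rules (letters, digits, underscore, plus the parentheses Windows uses in %ProgramFiles(x86)%) are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// expandWith substitutes Windows-style %NAME% and *nix-style $NAME / ${NAME}
// references in s using lookup. Unknown names expand to "" (the os.Expand
// convention); text that does not form a valid reference ("100%", "$5",
// an unterminated "${") is kept verbatim. Added illustration, not the
// package's own code.
func expandWith(s string, lookup func(string) string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '%': // %NAME%
			j := strings.IndexByte(s[i+1:], '%')
			if j > 0 && validName(s[i+1:i+1+j]) {
				b.WriteString(lookup(s[i+1 : i+1+j]))
				i += j + 1 // skip the closing '%'
				continue
			}
		case '$':
			if i+1 < len(s) && s[i+1] == '{' { // ${NAME}
				j := strings.IndexByte(s[i+2:], '}')
				if j > 0 && validName(s[i+2:i+2+j]) {
					b.WriteString(lookup(s[i+2 : i+2+j]))
					i += j + 2 // skip the closing '}'
					continue
				}
			} else if i+1 < len(s) && isNameStart(s[i+1]) { // $NAME
				n := 1
				for i+1+n < len(s) && isNameByte(s[i+1+n]) {
					n++
				}
				b.WriteString(lookup(s[i+1 : i+1+n]))
				i += n
				continue
			}
		}
		b.WriteByte(c) // not a reference: copy the byte through
	}
	return b.String()
}

func isNameStart(c byte) bool { return c == '_' || 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' }
func isNameByte(c byte) bool  { return isNameStart(c) || '0' <= c && c <= '9' }

// validName accepts the characters seen in real variable names, including
// the parentheses Windows uses in %ProgramFiles(x86)% (assumed rule).
func validName(n string) bool {
	if n == "" || !isNameStart(n[0]) {
		return false
	}
	for i := 1; i < len(n); i++ {
		if !isNameByte(n[i]) && n[i] != '(' && n[i] != ')' {
			return false
		}
	}
	return true
}

// sampleEnv is a constructed environment. Windows resolves names without
// regard to case, so the lookup folds case; real *nix lookups should not.
var sampleEnv = map[string]string{
	"USERPROFILE":       `C:\Users\alice`,
	"PROGRAMFILES(X86)": `C:\Program Files (x86)`,
	"HOME":              "/home/alice",
	"USER":              "alice",
}

func sampleLookup(name string) string { return sampleEnv[strings.ToUpper(name)] }

func main() {
	for _, s := range []string{
		`%USERPROFILE%\Desktop\loot.zip`,
		`%ProgramFiles(x86)%\tool.exe`,
		"$HOME/.ssh/${USER}_key",
		"100%% done, $5 off, ${",
		"$UNSET/bin",
	} {
		fmt.Printf("%-34q -> %q\n", s, expandWith(s, sampleLookup))
	}
}
```

One practitioner caveat the last sample shows: an unknown name silently expands to nothing, so "$UNSET/bin" becomes "/bin". When the string comes from an operator task rather than from the binary itself, check the expanded path before using it.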
func FreeOSMemory ¶ added in v0.3.0
func FreeOSMemory()
FreeOSMemory forces a garbage collection followed by an attempt to return as much memory to the operating system as possible. (Even if this is not called, the runtime gradually returns memory to the operating system in a background task.)
On Windows, this function also calls 'SetProcessWorkingSetSizeEx(-1, -1, 0)' to trim the process working set so that freed pages are released.
func GoExit ¶ added in v0.2.5
func GoExit()
GoExit attempts to walk through the process threads and will forcefully kill all Golang based OS-Threads based on their starting address (which should be the same when starting from CGo).
This function can be used on binaries, shared libraries or Zombified processes.
Only works on Windows devices; on *nix devices it is a wrapper for 'syscall.Exit(0)'.
DO NOT EXPECT ANYTHING (INCLUDING DEFERS) TO HAPPEN AFTER THIS FUNCTION.
func Impersonate ¶ added in v0.2.0
func Impersonate(_ *filter.Filter) error
Impersonate attempts to steal the Token in use by the target process of the supplied filter.
The stolen token is applied to all threads in use by the runtime. Once work has completed, it is recommended to call the 'RevertToSelf' function to revert the token changes.
Always returns 'ErrNoWindows' on non-Windows devices.
func ImpersonateUser ¶ added in v0.3.0
func ImpersonateUser(_, _, _ string) error
ImpersonateUser attempts to log in with the supplied credentials and impersonate the logged-in account.
The resulting token is applied to all threads in use by the runtime. Once work has completed, it is recommended to call the 'RevertToSelf' function to revert the token changes.
This impersonation is network based, unlike impersonating a Process token. (Windows-only).
Always returns 'ErrNoWindows' on non-Windows devices.
func IsDebugged ¶ added in v0.2.0
func IsDebugged() bool
IsDebugged returns true if a debugger is attached to the current process.
func Mounts ¶ added in v0.2.0
func Mounts() ([]string, error)
Mounts attempts to get the mount points on the local device.
On Windows devices these are the available drive letters; on *nix systems they are the mount points on the system.
The result (if no error occurred) is a string list of all the mount points (or Windows drive letters).
func Proxy ¶ added in v0.2.0
func Proxy(r *http.Request) (*url.URL, error)
Proxy returns the URL of the proxy to use for a given request, as indicated by the on-device settings.
Unix/Linux/BSD devices use the environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY (or the lowercase versions thereof). HTTPS_PROXY takes precedence over HTTP_PROXY for https requests.
Windows devices will query the Windows API and resolve the system setting values.
The environment values may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed. The schemes "http", "https", and "socks5" are supported. An error is returned if the value is a different form.
A nil URL and nil error are returned if no proxy is defined in the environment, or a proxy should not be used for the given request, as defined by NO_PROXY or ProxyBypass.
As a special case, if req.URL.Host is "localhost" (with or without a port number), then a nil URL and nil error will be returned.
BUG(dij): I don't have handling of "<local>" (Windows specific) bypass rules in place. I would have to re-implement "httpproxy" code and might not be worth it.
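The *nix rules listed above are the ones net/http's ProxyFromEnvironment applies, so they can be exercised without this package. The following is an added example (not the project's code) that resolves a few representative requests against a constructed environment; the proxy hosts, the NO_PROXY entries and the request URLs are all made up for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// requests are constructed URLs chosen to hit each documented rule.
var requests = []string{
	"http://example.com/",          // plain http  -> HTTP_PROXY
	"https://example.com/",         // https       -> HTTPS_PROXY takes precedence
	"http://git.internal.example/", // NO_PROXY domain-suffix bypass
	"http://10.1.2.3:8080/",        // NO_PROXY CIDR bypass
	"http://localhost:8000/",       // "localhost" special case: never proxied
}

// setBoth sets a proxy variable in both spellings so the constructed
// environment wins over anything already present in the process.
func setBoth(name, value string) {
	os.Setenv(name, value)
	os.Setenv(strings.ToLower(name), value)
}

// proxyFor resolves the proxy for a request to rawURL using net/http's
// ProxyFromEnvironment: HTTP_PROXY / HTTPS_PROXY / NO_PROXY in either case,
// a bare "host[:port]" implies the http scheme, http/https/socks5 schemes
// are accepted, and "localhost" is never proxied. It returns "" when the
// request should go direct.
func proxyFor(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	u, err := http.ProxyFromEnvironment(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// proxyDecisions installs the constructed environment and resolves every
// request in requests against it. ProxyFromEnvironment snapshots the
// variables on its first use in the process, so they must be in place
// before the first resolution; a long-running agent that rotates proxies
// at runtime cannot rely on the environment being re-read.
func proxyDecisions() (map[string]string, error) {
	setBoth("HTTP_PROXY", "proxy.corp.example:3128")    // no scheme: http assumed
	setBoth("HTTPS_PROXY", "socks5://10.0.0.5:1080")    // explicit socks5
	setBoth("NO_PROXY", ".internal.example,10.0.0.0/8") // suffix and CIDR bypass
	out := make(map[string]string, len(requests))
	for _, r := range requests {
		p, err := proxyFor(r)
		if err != nil {
			return nil, err
		}
		out[r] = p
	}
	return out, nil
}

func main() {
	d, err := proxyDecisions()
	if err != nil {
		panic(err)
	}
	for _, r := range requests {
		fmt.Printf("%-30s -> %q\n", r, d[r]) // "" means connect directly
	}
}
```

The Windows path of Proxy reads the system settings instead, and, per the bug note above, does not honour "<local>" bypass entries; the environment-based rules here are the only ones an operator can count on across both platforms.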
func RevertToSelf ¶ added in v0.2.0
func RevertToSelf() error
RevertToSelf terminates the impersonation of a client application. Returns an error if no impersonation is in progress.
Always returns 'ErrNoWindows' on non-Windows devices.
func SetCritical ¶ added in v0.2.0
func SetCritical(_ bool) (bool, error)
SetCritical will set the critical flag on the current process. This function requires administrative privileges and will attempt to obtain "SeDebugPrivilege" first before running.
If successful, terminating a "critical" process will BSOD the host (or the termination will be refused).
The boolean returned is the previous critical status. It is true if the process was already marked as critical.
Use this function with "false" to disable the critical flag.
NOTE: THIS MUST BE DISABLED ON PROCESS EXIT OTHERWISE THE HOST WILL BSOD!!!
Any errors when setting or obtaining privileges will be returned.
Always returns 'ErrNoWindows' on non-Windows devices.
func SetProcessName ¶ added in v0.2.2
func SetProcessName(s string) error
SetProcessName will attempt to overwrite the process name on *nix systems by overwriting the argv block.
Returns 'ErrNoNix' on Windows devices.
Found here: https://stackoverflow.com/questions/14926020/setting-process-name-as-seen-by-ps-in-go
Types ¶
type Address ¶ added in v0.1.0
type Address struct {
// contains filtered or unexported fields
}
Address represents an encoded IPv4 or IPv6 address. NOTE(dij): Might get replaced in Go1.18 with netip.Address
Probably not, I can't seem to find a way to handle the data and transfer it.
The address struct was built on the great work of the inet.af/netaddr package; thanks, and great work y'all!
GoDoc: https://pkg.go.dev/inet.af/netaddr
https://tailscale.com/blog/netaddr-new-ip-type-for-go/
func FromIP ¶ added in v0.1.0
FromIP will create a new Address struct and set its contents based on the value of the supplied 'net.IP'.
func ParseIP ¶ added in v0.1.0
ParseIP parses s as an IP address, returning the result. The string s can be in IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped IPv6 ("::ffff:192.0.2.1") form.
If s is not a valid textual representation of an IP address, the returned Address is empty (IsZero reports true).
func (Address) IP ¶ added in v0.1.0
IP returns a 'net.IP' copy of this address.
This may be zero or empty depending on the type of address value this struct contains.
func (Address) Is4 ¶ added in v0.1.0
Is4 returns true if this struct represents an IPv4 based address or an IPv4 address wrapped in an IPv6 address.
func (Address) Is6 ¶ added in v0.1.0
Is6 returns true if this struct represents an IPv6 based address.
func (Address) IsBroadcast ¶ added in v0.1.0
IsBroadcast reports whether this is a broadcast address.
func (Address) IsGlobalUnicast ¶ added in v0.1.0
IsGlobalUnicast reports whether this is a global unicast address.
The identification of global unicast addresses uses address type identification as defined in RFC 1122, RFC 4632 and RFC 4291 with the exception of IPv4 directed broadcast addresses.
It returns true even if this is in IPv4 private address space or local IPv6 unicast address space.
func (Address) IsInterfaceLocalMulticast ¶ added in v0.1.0
IsInterfaceLocalMulticast reports whether this is an interface-local multicast address.
func (Address) IsLinkLocalMulticast ¶ added in v0.1.0
IsLinkLocalMulticast reports whether this is a link-local multicast address.
func (Address) IsLinkLocalUnicast ¶ added in v0.1.0
IsLinkLocalUnicast reports whether this is a link-local unicast address.
func (Address) IsLoopback ¶ added in v0.1.0
IsLoopback reports whether this is a loopback address.
func (Address) IsMulticast ¶ added in v0.1.0
IsMulticast reports whether this is a multicast address.
func (Address) IsPrivate ¶ added in v0.1.0
IsPrivate reports whether this address is a private address, according to RFC 1918 (IPv4 addresses) and RFC 4193 (IPv6 addresses).
func (Address) IsUnspecified ¶ added in v0.1.0
IsUnspecified reports whether this address is an unspecified address, either the IPv4 address "0.0.0.0" or the IPv6 address "::". Same as 'IsZero'.
func (Address) IsZero ¶ added in v0.1.0
IsZero returns true if this struct represents an empty or unset address.
func (Address) Len ¶ added in v0.1.0
Len returns the size of this IP address in bits. It returns '32' for IPv4 and '128' for IPv6.
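Two of the predicates above are easy to misread: Is4 is true for an IPv4-mapped IPv6 address, and IsGlobalUnicast is true for RFC 1918 and ULA space. The following is an added example built on net.IP (it is not the Address type's code) that evaluates the documented predicates on a few constructed inputs and shows the kind of egress check a practitioner assembles from them; the addrClass struct and egressAllowed are assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
)

// addrClass is the subset of the Address predicates this example evaluates.
// Len is in bits (32 or 128) and 0 for an unset address, as the Len docs say.
type addrClass struct {
	Valid, Is4, Is6                            bool
	Len                                        int
	Zero, Loopback, LinkLocal, Private, Global bool
}

// classify mirrors the documented predicates on top of net.IP. Two points
// worth seeing in code: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is
// reported as IPv4 (net.IP.To4 succeeds), so it has a Len of 32 and is
// checked against RFC 1918 space; and IsGlobalUnicast is true for private
// and ULA space, so it is not an "is this on the Internet" test.
func classify(s string) addrClass {
	ip := net.ParseIP(s)
	if ip == nil {
		return addrClass{} // invalid text: treat as the zero Address
	}
	var c addrClass
	c.Valid = true
	if v4 := ip.To4(); v4 != nil {
		ip, c.Is4, c.Len = v4, true, 32
	} else {
		c.Is6, c.Len = true, 128
	}
	c.Zero = ip.IsUnspecified()
	c.Loopback = ip.IsLoopback()
	c.LinkLocal = ip.IsLinkLocalUnicast()
	c.Private = ip.IsPrivate()
	c.Global = ip.IsGlobalUnicast()
	return c
}

// egressAllowed is the kind of check built from these predicates before an
// agent follows a redirect or an operator-supplied URL: require a global
// unicast address that is not private, loopback, link-local or unspecified,
// after unwrapping IPv4-mapped forms. (Assumed policy for illustration.)
func egressAllowed(s string) bool {
	c := classify(s)
	return c.Valid && c.Global && !c.Private && !c.Loopback && !c.LinkLocal && !c.Zero
}

func main() {
	// Constructed inputs covering the interesting cases.
	for _, s := range []string{
		"192.0.2.1", "::ffff:10.0.0.1", "fd00::1", "169.254.1.1",
		"127.0.0.1", "0.0.0.0", "2001:db8::68", "not-an-ip",
	} {
		fmt.Printf("%-16s %+v allowed=%v\n", s, classify(s), egressAllowed(s))
	}
}
```

Note that the check passes 2001:db8::68: the predicates know nothing about documentation or otherwise reserved ranges, so a policy that must refuse those needs an explicit deny list on top.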
func (Address) MarshalJSON ¶ added in v0.1.0
MarshalJSON implements the json.Marshaler interface.
func (Address) MarshalStream ¶ added in v0.1.0
MarshalStream writes the data of this Address to the supplied Writer.
func (Address) MarshalText ¶ added in v0.1.0
MarshalText implements the encoding.TextMarshaler interface.
func (*Address) Set ¶ added in v0.1.0
Set will set the internal values of this address to the specified 'net.IP' address.
func (*Address) UnmarshalJSON ¶ added in v0.1.0
UnmarshalJSON implements the json.Unmarshaler interface.
func (*Address) UnmarshalStream ¶ added in v0.1.0
UnmarshalStream reads the data of this Address from the supplied Reader.
func (*Address) UnmarshalText ¶ added in v0.1.0
UnmarshalText implements the encoding.TextUnmarshaler interface.
type DaemonFunc ¶ added in v0.2.2
DaemonFunc is a function type that can be used as a Daemon. This function should return nil to indicate a successful run or ErrQuit to break out of a 'DaemonTicker' loop.
Any non-nil errors will be interpreted as exit code '1'.
type ID ¶
ID is an alias for a byte array that represents a 32 byte client identification number. This is used for tracking and detection purposes.
The first byte and the machine ID byte should NEVER be zero, otherwise it signals an invalid ID value or missing a random identifier.
func (ID) Hash ¶
Hash returns the 32-bit hash sum of this ID value. The hash mechanism used is similar to the hash/fnv mechanism.
func (ID) Load ¶
Load will attempt to load the Session UUID from the specified file. This function will return an error if the file cannot be read or not found.
func (ID) MarshalStream ¶
MarshalStream transform this struct into a binary format and writes to the supplied data.Writer.
func (ID) Save ¶
Save will attempt to save the Session UUID to the specified file. This function will return an error if the file cannot be written to or created.
func (*ID) Seed ¶
Seed will set the random portion of the ID value to the specified byte array value.
func (ID) Signature ¶
Signature returns the signature portion of the ID value. This value is constant and unique for each device.
func (*ID) UnmarshalStream ¶
UnmarshalStream transforms this struct from a binary format that is read from the supplied data.Reader.
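To make the IDSize / MachineIDSize split and the "first byte is never zero" rule concrete, here is an added example (not the package's implementation) of a 32-byte identifier with a stable host-derived part and a random session part. The byte layout (host bytes first, session bytes last), the SHA-256 derivation of the host part, the zero-byte rule as applied to the session bytes, and the use of FNV-1a for Hash are all assumptions of the example; the page only gives the sizes and says the hash is "similar to hash/fnv".

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
)

// Sizes copied from the package's constants.
const (
	IDSize        = 32
	MachineIDSize = 28
)

// ID is a 32-byte client identifier. The layout used here (host-derived
// bytes first, the random session bytes in the remaining
// IDSize-MachineIDSize bytes) is an assumption of this example.
type ID [IDSize]byte

// hostPart derives MachineIDSize stable bytes from whatever per-host data
// the caller supplies (a constructed stand-in in main). A zero leading byte
// is rehashed away so the "first byte is never zero" rule holds while the
// derivation stays deterministic.
func hostPart(hostData []byte) [MachineIDSize]byte {
	sum := sha256.Sum256(hostData)
	for sum[0] == 0 {
		sum = sha256.Sum256(sum[:])
	}
	var h [MachineIDSize]byte
	copy(h[:], sum[:MachineIDSize])
	return h
}

// NewID builds an ID from the host part and a fresh random session part.
func NewID(hostData []byte) (ID, error) {
	var i ID
	h := hostPart(hostData)
	copy(i[:MachineIDSize], h[:])
	var s [IDSize - MachineIDSize]byte
	for {
		if _, err := rand.Read(s[:]); err != nil {
			return ID{}, err
		}
		if s[0] != 0 { // keep the session's leading byte non-zero (assumed rule)
			break
		}
	}
	i.Seed(s[:])
	return i, nil
}

// Seed overwrites the random portion, mirroring the documented Seed.
func (i *ID) Seed(b []byte) { copy(i[MachineIDSize:], b) }

// Empty applies the validity rule: a zero first byte or a zero first
// session byte marks an unset or invalid ID.
func (i ID) Empty() bool { return i[0] == 0 || i[MachineIDSize] == 0 }

// Signature is the host-only portion: identical across sessions on one host.
func (i ID) Signature() string { return hex.EncodeToString(i[:MachineIDSize]) }

// Full is the whole identifier, host and session bytes.
func (i ID) Full() string { return hex.EncodeToString(i[:]) }

// Hash is a 32-bit FNV-1a over the identifier (the exact function used by
// the package is not specified on the page).
func (i ID) Hash() uint32 {
	h := fnv.New32a()
	h.Write(i[:])
	return h.Sum32()
}

func main() {
	host := []byte("constructed-host-data") // stand-in for real per-host input
	a, err := NewID(host)
	if err != nil {
		panic(err)
	}
	b, err := NewID(host)
	if err != nil {
		panic(err)
	}
	fmt.Println(a.Signature() == b.Signature()) // true: same host
	fmt.Println(a.Full() == b.Full())           // false: new session
	fmt.Printf("%08x %v\n", a.Hash(), a.Empty())
}
```

The property that matters operationally is visible in the two booleans: a server keyed on Signature sees one device across restarts, while Full distinguishes sessions, so a host that re-seeds with the same session bytes will collide with its own earlier session.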
type Machine ¶
type Machine struct {
    User      string
    Version   string
    Hostname  string
    Network   Network
    PID, PPID uint32
    ID        ID
    System    uint8
    Elevated  uint8
}
Machine is a struct that contains information about a specific device. This struct contains generic Operating System Information such as Version, Arch and network information.
func (Machine) Arch ¶
func (m Machine) Arch() arch.Architecture
Arch returns the Machine's Architecture value. This value is obtained by masking off the OS bits of the 'System' value and returning the lower 4 bits.
func (Machine) IsDomainJoined ¶ added in v0.2.2
IsDomainJoined will return true if the domain-joined flag is set in this device's 'Elevated' flags.
func (Machine) IsElevated ¶ added in v0.2.2
IsElevated will return true if the elevated flag is set in this device's 'Elevated' flags.
func (Machine) MarshalStream ¶
MarshalStream transforms this struct into a binary format and writes to the supplied data.Writer.
func (Machine) OS ¶
OS returns the Machine's OSType value. This value is obtained by shifting the 'System' value 4 bits to the right.
type Network ¶
type Network []device
Network is a basic listing of network interfaces. Used to store and refresh interface lists.
func (Network) MarshalStream ¶
MarshalStream writes the data of this Network to the supplied Writer.
type OSType ¶ added in v0.3.2
type OSType uint8
OSType is a numerical representation of the device Operating System type.
const (
    // Windows represents the Windows family of Operating Systems.
    Windows OSType = 0x0
    // Linux represents the Linux family of Operating Systems
    Linux OSType = 0x1
    // Unix represents the Unix/BSD family of Operating Systems
    Unix OSType = 0x2
    // Mac represents the MacOS family of Operating Systems
    Mac OSType = 0x3
    // IOS represents the iOS family of Operating Systems
    // Technically is Mac, but deserves it's own type for any special actions.
    IOS OSType = 0x4
    // Android represents the Android family of Operating Systems
    // Technically is Linux, but deserves it's own type for any special actions.
    Android OSType = 0x5
    // Plan9 represents the Plan9 family of Operating Systems
    Plan9 OSType = 0x6
    // Unsupported represents a device type that does not have direct support
    // any may not work properly.
    Unsupported OSType = 0x7
)
Notes ¶
Bugs ¶
I don't have handling of "<local>" (Windows specific) bypass rules in place. I would have to re-implement "httpproxy" code and might not be worth it.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
evade | Package evade is a package that contains functions that can be used to evade detection and disrupt defender tactics. |