Documentation ¶
Overview ¶
Package task is a simple collection of Task based functions that can be tasked to Sessions by the Server.
This package is separate from the c2 package to allow for separation and containerization of Tasks.
Basic internal Tasks are still held in the c2 package.
Index ¶
- Constants
- Variables
- func AssemblyUnmarshal(x context.Context, r data.Reader) (*cmd.Assembly, bool, error)
- func BlockInput(e bool) *com.Packet
- func CheckDLL(d string) *com.Packet
- func Copy(src, dst string) *com.Packet
- func Cwd(d string) *com.Packet
- func DLLUnmarshal(_ context.Context, _ data.Reader) (*cmd.DLL, bool, bool, error)
- func Delete(s string, recurse bool) *com.Packet
- func Download(src string) *com.Packet
- func Duration(d time.Duration, j int) *com.Packet
- func Elevate(f *filter.Filter) *com.Packet
- func HighContrast(e bool) *com.Packet
- func IsDebugged() *com.Packet
- func Jitter(j int) *com.Packet
- func Kill(p uint32) *com.Packet
- func KillName(s string) *com.Packet
- func LoginUser(user, domain, pass string) *com.Packet
- func Ls(d string) *com.Packet
- func Migrate(f *filter.Filter, s string, c Callable) *com.Packet
- func MigrateProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet
- func MigrateProfileEx(f *filter.Filter, w bool, s string, b []byte, c Callable) *com.Packet
- func MigratePull(f *filter.Filter, s, url, agent string) *com.Packet
- func MigratePullProfile(f *filter.Filter, s string, b []byte, url, agent string) *com.Packet
- func MigratePullProfileEx(f *filter.Filter, w bool, s string, b []byte, url, agent string) *com.Packet
- func Mounts() *com.Packet
- func Move(src, dst string) *com.Packet
- func ProcessDump(f *filter.Filter) *com.Packet
- func ProcessList() *com.Packet
- func ProcessName(s string) *com.Packet
- func ProcessUnmarshal(x context.Context, r data.Reader) (*cmd.Process, bool, error)
- func Profile(b []byte) *com.Packet
- func Proxy(name, addr string, p []byte) *com.Packet
- func ProxyRemove(name string) *com.Packet
- func ProxyReplace(name, addr string, p []byte) *com.Packet
- func Pull(url, path string) *com.Packet
- func PullAgent(url, agent, path string) *com.Packet
- func PullExecute(url string, w bool, f *filter.Filter) *com.Packet
- func PullExecuteAgent(url, agent string, w bool, f *filter.Filter) *com.Packet
- func Pwd() *com.Packet
- func Refresh() *com.Packet
- func RegDelete(key, value string, force bool) *com.Packet
- func RegDeleteKey(key string, force bool) *com.Packet
- func RegGet(key, value string) *com.Packet
- func RegLs(s string) *com.Packet
- func RegMakeKey(key string) *com.Packet
- func RegSet(key, value string, t uint32, b []byte) *com.Packet
- func RegSetBytes(key, value string, b []byte) *com.Packet
- func RegSetDword(key, value string, v uint32) *com.Packet
- func RegSetExpandString(key, value, v string) *com.Packet
- func RegSetQword(key, value string, v uint64) *com.Packet
- func RegSetString(key, value, v string) *com.Packet
- func RegSetStringList(key, value string, v []string) *com.Packet
- func ReloadDLL(d string) *com.Packet
- func RevToSelf() *com.Packet
- func ScreenShot() *com.Packet
- func Sleep(d time.Duration) *com.Packet
- func Spawn(f *filter.Filter, s string, c Callable) *com.Packet
- func SpawnProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet
- func SpawnPull(f *filter.Filter, s, url, agent string) *com.Packet
- func SpawnPullProfile(f *filter.Filter, s string, b []byte, url, agent string) *com.Packet
- func SwapMouse(e bool) *com.Packet
- func Touch(s string) *com.Packet
- func UnTrust(f *filter.Filter) *com.Packet
- func Upload(dst string, b []byte) *com.Packet
- func UploadFile(dst, src string) (*com.Packet, error)
- func UploadReader(dst string, r io.Reader) (*com.Packet, error)
- func Wait(d time.Duration) *com.Packet
- func Wallpaper(s string) *com.Packet
- func WallpaperBytes(b []byte) *com.Packet
- func WallpaperFile(s string) (*com.Packet, error)
- func WallpaperReader(r io.Reader) (*com.Packet, error)
- func WindowClose(h uint64) *com.Packet
- func WindowEnable(h uint64, e bool) *com.Packet
- func WindowFocus(h uint64) *com.Packet
- func WindowList() *com.Packet
- func WindowMessageBox(h uint64, title, text string, flags uint32) *com.Packet
- func WindowMove(h uint64, x, y, width, height int32) *com.Packet
- func WindowSendInput(h uint64, s string) *com.Packet
- func WindowShow(h uint64, t uint8) *com.Packet
- func WindowTransparency(h uint64, v byte) *com.Packet
- func WindowWTF(d time.Duration) *com.Packet
- func ZeroTrace() *com.Packet
- func ZombieUnmarshal(_ context.Context, _ data.Reader) (*cmd.Zombie, bool, error)
- type Assembly
- type Callable
- type DLL
- type Process
- type Script
- func (s *Script) Add(n *com.Packet) error
- func (s *Script) AddTasklet(t Tasklet) error
- func (s *Script) Append(n ...*com.Packet) error
- func (s *Script) Channel(e bool)
- func (s *Script) Clear()
- func (s *Script) Empty() bool
- func (s *Script) IsChannel() bool
- func (s *Script) IsOutput() bool
- func (s *Script) IsStopOnError() bool
- func (s *Script) Output(e bool)
- func (s *Script) Packet() (*com.Packet, error)
- func (s *Script) Payload() []byte
- func (s *Script) Replace(b []byte)
- func (s *Script) Size() int
- func (s *Script) StopOnError(e bool)
- func (s *Script) Truncate(n int) error
- type Tasker
- type Tasklet
- type Zombie
- func ZombieAsm(b []byte, args ...string) *Zombie
- func ZombieAsmFile(s string, args ...string) (*Zombie, error)
- func ZombieAsmReader(r io.Reader, args ...string) (*Zombie, error)
- func ZombieDLLFile(s string, args ...string) (*Zombie, error)
- func ZombieDLLReader(r io.Reader, args ...string) (*Zombie, error)
Constants ¶
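// Packet ID values for Tasks.
//
// The Mv* values are built-in task IDs; the package text states that they are
// handled directly before the Mux. The Tv* values are the standard task IDs
// handled by this package.
//
// Every declaration is kept on its own line so that each trailing "//" note
// ends at the line break instead of commenting out the rest of the block.
//
// NOTE(review): the trailing notes (for example "MvElevate uint8 = 0x0E") look
// like earlier ID assignments kept for reference - confirm against history.
const (
	MvRefresh    uint8 = 0x07
	MvTime       uint8 = 0x08
	MvPwd        uint8 = 0x09
	MvCwd        uint8 = 0x0A
	MvProxy      uint8 = 0x0B
	MvSpawn      uint8 = 0x0C
	MvMigrate    uint8 = 0x0D
	MvCheckDebug uint8 = 0x0E // MvElevate uint8 = 0x0E
	MvList       uint8 = 0x0F
	MvMounts     uint8 = 0x10
	MvProcList   uint8 = 0x11 // MvRevSelf uint8 = 0x11
	MvProfile    uint8 = 0x12

	MvScript uint8 = 0xF0

	// Built in Task Message ID Values
	TvDownload    uint8 = 0xC0
	TvUpload      uint8 = 0xC1
	TvExecute     uint8 = 0xC2
	TvAssembly    uint8 = 0xC3
	TvZombie      uint8 = 0xC4
	TvDLL         uint8 = 0xC5
	TvCheckDLL    uint8 = 0xC6
	TvReloadDLL   uint8 = 0xC7
	TvPull        uint8 = 0xC8
	TvPullExecute uint8 = 0xC9
	TvRename      uint8 = 0xCA
	TvScreenShot  uint8 = 0xCB
	TvProcDump    uint8 = 0xCC
	TvRevSelf     uint8 = 0xCD // TvProcList uint8 = 0xCD
	TvRegistry    uint8 = 0xCE
	TvSystemIO    uint8 = 0xCF
	TvZeroTrace   uint8 = 0xD0
	TvTroll       uint8 = 0xD1
	TvUI          uint8 = 0xD2
	TvWindowList  uint8 = 0xD3
	TvLoginUser   uint8 = 0xD4
	TvElevate     uint8 = 0xD5 // TvCheckDebug uint8 = 0xD5
	TvWait        uint8 = 0xD6
	TvUnTrust     uint8 = 0xD7
)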
The Mv* Packet ID values are built-in task values that are handled directly before the Mux, as these are critical for operations.
Tv* ID values are standard ID values for Tasks that are handled here.
Variables ¶
// Mappings holds the Tasker registered for each task ID, indexed by the ID
// value itself. The array length is 0xFF, so the valid indexes run from 0x00
// through 0xFE; any index not listed here keeps the zero value of Tasker.
//
// Entries are listed in ascending ID order.
var Mappings = [0xFF]Tasker{
	TvDownload:    taskDownload,
	TvUpload:      taskUpload,
	TvExecute:     taskProcess,
	TvAssembly:    taskAssembly,
	TvZombie:      taskZombie,
	TvDLL:         taskInject,
	TvCheckDLL:    taskCheck,
	TvReloadDLL:   taskReload,
	TvPull:        taskPull,
	TvPullExecute: taskPullExec,
	TvRename:      taskRename,
	TvScreenShot:  taskScreenShot,
	TvProcDump:    taskProcDump,
	TvRevSelf:     taskRevSelf,
	TvRegistry:    taskRegistry,
	TvSystemIO:    taskSystemIo,
	TvZeroTrace:   taskZeroTrace,
	TvTroll:       taskTroll,
	TvUI:          taskInteract,
	TvWindowList:  taskWindowList,
	TvLoginUser:   taskLoginUser,
	TvElevate:     taskElevate,
	TvWait:        taskWait,
	TvUnTrust:     taskUntrust,
}
Mappings is a fixed size array that contains the Tasker mappings for each ID value.
Values that are less than 22 are ignored. Adding a mapping to here will allow it to be executed via the client Scheduler.
Functions ¶
func AssemblyUnmarshal ¶ added in v0.2.0
AssemblyUnmarshal will read this Assembly's struct data from the supplied reader and returns an Assembly runnable struct along with the wait boolean.
This function returns an error if building or reading fails.
func BlockInput ¶ added in v0.3.0
BlockInput returns a block user input Packet. This will instruct the client to block all user supplied input (keyboard and mouse). Input will be blocked until a successful call to 'BlockInput' with false.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Can be 6 or 7 depending on the state set. Output: <none>
func CheckDLL ¶ added in v0.2.0
CheckDLL is a similar function to ReloadDLL. This function will return 'true' if the contents in memory match the contents of the file on disk. Otherwise it returns false.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvCheckDLL Input: string // DLL Name Output: bool // DLL Check result, true if normal.
func Copy ¶ added in v0.2.5
Copy returns a file copy Packet. This can be used to instruct the client to copy the specified source file to the specified destination path.
The source and destination paths may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type string // Source string // Destination Output: uint8 // IO Type string // Expanded Destination Path uint64 // Byte Count Written
func Cwd ¶ added in v0.1.0
Cwd returns a change directory Packet. This can be used to instruct the client to change from its current working directory to the directory specified.
Empty or invalid directory entries will return an error.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: MvCwd Input: string // Directory Output: <none>
func DLLUnmarshal ¶ added in v0.2.0
DLLUnmarshal will read this DLL's struct data from the supplied reader and returns a DLL runnable struct along with the wait and delete status booleans.
This function returns an error if building or reading fails or if the device is not running Windows.
func Delete ¶ added in v0.2.5
Delete returns a file delete Packet. This can be used to instruct the client to delete the specified file if it exists.
Set 'recurse' to true to delete a non-empty directory and all files in it.
The path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type string // Path Output: uint8 // IO Type
func Download ¶
Download returns a download Packet. This will instruct the client to read the (client local) filepath provided and return the raw binary data.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvDownload Input: string // Target Output: string // Expanded Target Path bool // Target is Directory int64 // Size []byte // Data
func Duration ¶ added in v0.3.2
Duration returns a set Session sleep and/or jitter Packet. This can be used to instruct the client to update its sleep and jitter values to the specified duration and 0-100 percentage values if they are not unset. (-1 for Jitter, anything <=0 for Sleep).
For Sleep, anything less than or equal to zero is ignored!
For Jitter, anything greater than 100 will be capped to 100 and anything less than zero (except -1) will be set to zero. Values of -1 are ignored.
IT IS RECOMMENDED TO USE THE 'Session.Duration' CALL INSTEAD TO PREVENT DE-SYNC ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.
C2 Details:
ID: MvTime Input: int8 // Jitter uint64 // Sleep Output: uint8 // Jitter uint64 // Sleep
func Elevate ¶ added in v0.2.0
Elevate returns an elevate Packet. This will instruct the client to use the provided Filter to attempt to get a Token handle to an elevated process. If the Filter is nil, then the client will make the attempt against any elevated process.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvElevate Input: Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } Output: <none>
func HighContrast ¶ added in v0.3.0
HighContrast returns a set HighContrast theme Packet. This will instruct the client to set the theme to HighContrast. The theme will be set until a successful call to 'HighContrast' with false.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Can be 2 or 3 depending on the state set. Output: <none>
func IsDebugged ¶ added in v0.3.1
IsDebugged returns a check debugger status Packet. This can be used to instruct the client to return a boolean value determining if it is currently attached to or being run by a debugger.
C2 Details:
ID: MvCheckDebug Input: <none> Output: bool // True if being debugged, false otherwise
func Jitter ¶ added in v0.3.2
Jitter returns a set Session jitter Packet. This can be used to instruct the client to update its jitter value to the specified 0-100 percentage.
Anything greater than 100 will be capped to 100 and anything less than zero (except -1) will be set to zero. Values of -1 are ignored. This setting will NOT override the Sleep setting.
IT IS RECOMMENDED TO USE THE 'Session.Jitter' CALL INSTEAD TO PREVENT DE-SYNC ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.
C2 Details:
ID: MvTime Input: int8 // Jitter uint64 // Sleep (0 for this) Output: uint8 // Jitter uint64 // Sleep
func Kill ¶ added in v0.2.5
Kill returns a process kill Packet. This can be used to instruct the client to send a SIGKILL signal to the process with the specified Process ID.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type uint32 // PID Output: uint8 // IO Type
func KillName ¶ added in v0.2.5
KillName returns a process kill Packet. This can be used to instruct the client to send a SIGKILL signal to all processes that have the specified name.
NOTE: This kills all processes that share this name.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type string // Process Name Output: uint8 // IO Type
func LoginUser ¶ added in v0.3.0
LoginUser returns an impersonate user Packet. This will instruct the client to use the provided credentials to change its Token to the user that owns the supplied credentials.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvLoginUser Input: string // Username string // Domain string // Password Output: <none>
func Ls ¶ added in v0.1.0
Ls returns a file list Packet. This can be used to instruct the client to return a string and bool list of the files in the directory specified.
If 'd' is empty, the current working directory "." is used.
The source path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: MvList Input: string // Directory Output: uint32 // Count []File struct { // List of Files string // Name int32 // Mode uint64 // Size int64 // Modtime }
func Migrate ¶ added in v0.2.0
Migrate will attempt to migrate to a new instance using the provided Callable type as the source.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
This function keeps the same Profile. Use the 'MigrateProfile' or 'MigrateProfileEx' function to change this behavior.
This function will automatically wait for all Jobs to complete. Use the 'MigrateProfileEx' function to change this behavior.
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type <...> // Callable Data Output: <none> // RvMigrate packet sent separately
func MigrateProfile ¶ added in v0.2.0
MigrateProfile will attempt to migrate to a new instance using the provided Callable type as the source with the supplied Profile bytes.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
This function will automatically wait for all Jobs to complete. Use the 'MigrateProfileEx' function to change this behavior.
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type <...> // Callable Data Output: <none> // RvMigrate packet sent separately
func MigrateProfileEx ¶ added in v0.2.0
MigrateProfileEx will attempt to migrate to a new instance using the provided Callable type as the source with the supplied Profile bytes and the 'w' boolean to specify waiting for Jobs to complete.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type <...> // Callable Data Output: <none> // RvMigrate packet sent separately
func MigratePull ¶ added in v0.2.0
MigratePull will attempt to migrate to a new instance using the provided URL as the source.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
This function keeps the same Profile. Use the 'MigratePullProfile' or 'MigratePullProfileEx' function to change this behavior.
This function will automatically wait for all Jobs to complete. Use the 'MigratePullProfileEx' function to change this behavior.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type (always TvPullExecute) string // URL string // User-Agent Output: <none> // RvMigrate packet sent separately
func MigratePullProfile ¶ added in v0.2.0
MigratePullProfile will attempt to migrate to a new instance using the provided URL as the source with the supplied Profile bytes.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
This function will automatically wait for all Jobs to complete. Use the 'MigratePullProfileEx' function to change this behavior.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type (always TvPullExecute) string // URL string // User-Agent Output: <none> // RvMigrate packet sent separately
func MigratePullProfileEx ¶ added in v0.2.0
func MigratePullProfileEx(f *filter.Filter, w bool, s string, b []byte, url, agent string) *com.Packet
MigratePullProfileEx will attempt to migrate to a new instance using the provided URL as the source with the supplied Profile bytes and the 'w' boolean to specify waiting for Jobs to complete.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
C2 Details:
ID: MvMigrate Input: bool // Wait for Jobs string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type (always TvPullExecute) string // URL string // User-Agent Output: <none> // RvMigrate packet sent separately
func Mounts ¶ added in v0.2.0
Mounts returns a list mounted drives Packet. This can be used to instruct the client to return a string list of all the mount points on the host device.
C2 Details:
ID: MvMounts Input: <none> Output: []string // Mount Paths List
func Move ¶ added in v0.2.5
Move returns a file move Packet. This can be used to instruct the client to move the specified source file to the specified destination path.
The source and destination paths may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type string // Source string // Destination Output: uint8 // IO Type string // Expanded Destination Path uint64 // Byte Count Written
func ProcessDump ¶ added in v0.2.2
ProcessDump will instruct the client to attempt to read and download the memory of the filter target. The returned data is a binary blob of the memory if successful.
C2 Details:
ID: TvProcDump Input: Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } Output: []byte // Data
func ProcessList ¶ added in v0.2.2
ProcessList returns a list processes Packet. This can be used to instruct the client to return a list of the current running host's processes.
C2 Details:
ID: MvProcList Input: <none> Output: uint32 // Count []cmd.ProcessInfo { // List of Running Processes uint32 // Process ID uint32 // Parent Process ID string // Process Image Name }
func ProcessName ¶ added in v0.2.2
ProcessName returns a process name change Packet. This can be used to instruct the client to change from its current in-memory name to the specified string.
C2 Details:
ID: TvRename Input: string // New Process Name Output: <none>
func ProcessUnmarshal ¶ added in v0.2.0
ProcessUnmarshal will read this Process's struct data from the supplied reader and returns a Process runnable struct along with the wait boolean.
This function returns an error if building or reading fails.
func Profile ¶ added in v0.3.2
Profile returns an update profile Packet. This can be used to instruct the client to set its profile to the raw Profile bytes supplied.
IT IS RECOMMENDED TO USE THE 'Session.SetProfile' CALL INSTEAD TO PREVENT DE-SYNC ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.
C2 Details:
ID: MvProfile Input: []byte // Profile Output: <none>
func Proxy ¶ added in v0.2.4
Proxy returns an add Proxy Packet. This can be used to instruct the client to attempt to add the specified Proxy with the name, bind address and Profile bytes.
Returns an error if Proxy support is disabled, a listen/setup error occurs or the name already is in use.
C2 Details:
ID: MvProxy Input: string // Proxy Name (may be empty) uint8 // Always set to false for this task. string // Proxy Bind Address []byte // Proxy Profile Output: <none>
func ProxyRemove ¶ added in v0.2.4
ProxyRemove returns a remove Proxy Packet. This can be used to instruct the client to attempt to remove the Proxy setup by the name, or the single Proxy instance (if multi-proxy mode is disabled).
Returns a NotFound error if the Proxy is not registered or Proxy support is disabled.
C2 Details:
ID: MvProxy Input: string // Proxy Name (may be empty) uint8 // Always set to true for this task. Output: <none>
func ProxyReplace ¶ added in v0.2.6
ProxyReplace returns a replace Proxy Packet. This can be used to instruct the client to attempt to call the 'Replace' function on the specified Proxy with the name, bind address and Profile bytes as the arguments.
Returns an error if Proxy support is disabled, a listen/setup error occurs or the name already is in use.
C2 Details:
ID: MvProxy Input: string // Proxy Name (may be empty) uint8 // Always set to false for this task. string // Proxy Bind Address []byte // Proxy Profile Output: <none>
func Pull ¶ added in v0.1.0
Pull returns a pull Packet. This will instruct the client to download the resource from the provided URL and write the data to the supplied local filesystem path.
The path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvPull Input: string // URL string // Target Path Output: string // Expanded Destination Path uint64 // Byte Count Written
func PullAgent ¶ added in v0.3.1
PullAgent returns a pull Packet. This will instruct the client to download the resource from the provided URL and write the data to the supplied local filesystem path.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvPull Input: string // URL string // User-Agent string // Target Path Output: string // Expanded Destination Path uint64 // Byte Count Written
func PullExecute ¶ added in v0.2.0
PullExecute returns a pull and execute Packet. This will instruct the client to download the resource from the provided URL and execute the downloaded data.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
This function allows for specifying a Filter struct to specify the target parent process and the boolean flag can be set to true/false to specify if the task should wait for the process to exit.
Returns the same output as the 'Run*' tasks.
C2 Details:
ID: TvPullExecute Input: string // URL bool // Wait Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } Output: uint32 // PID int32 // Exit Code
func PullExecuteAgent ¶ added in v0.3.1
PullExecuteAgent returns a pull and execute Packet. This will instruct the client to download the resource from the provided URL and execute the downloaded data.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
This function allows for specifying a Filter struct to specify the target parent process and the boolean flag can be set to true/false to specify if the task should wait for the process to exit.
Returns the same output as the 'Run*' tasks.
C2 Details:
ID: TvPullExecute Input: string // URL string // User-Agent bool // Wait Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } Output: uint32 // PID int32 // Exit Code
func Pwd ¶ added in v0.1.0
Pwd returns a print current directory Packet. This can be used to instruct the client to return a string value that contains the current working directory.
C2 Details:
ID: MvPwd Input: <none> Output: string // Working Dir
func Refresh ¶ added in v0.2.0
Refresh returns a refresh Packet. This will instruct the client to re-update its internal Device storage and return the new result. This can be used to detect new network interfaces added/removed and changes to hostname/user status.
This is NOT needed after a Migration, as this happens automatically.
C2 Details:
ID: MvRefresh Input: <none> Output: Machine // Updated device details
func RegDelete ¶ added in v0.2.3
RegDelete returns a delete key/value Packet. This can be used to instruct the client to delete a key or value at the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name bool // Delete Recursively or Delete non-empty Keys Output: uint8 // Operation
func RegDeleteKey ¶ added in v0.2.3
RegDeleteKey returns a delete key Packet. This can be used to instruct the client to delete a key at the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path bool // Delete Recursively or Delete non-empty Keys Output: uint8 // Operation
func RegGet ¶ added in v0.2.3
RegGet returns a get key/value Packet. This can be used to instruct the client to return the entry details for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name Output: uint8 // Operation Entry struct { // Entry string // Name uint32 // Type []byte // Data }
func RegLs ¶ added in v0.2.3
RegLs returns a list registry keys/values Packet. This can be used to instruct the client to return a list of Registry entries for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path Output: uint8 // Operation uint32 // Count []Entry struct { // List of Entries string // Name uint32 // Type []byte // Data }
func RegMakeKey ¶ added in v0.2.3
RegMakeKey returns a make registry key Packet. This can be used to instruct the client to make a key at the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path Output: uint8 // Operation
func RegSet ¶ added in v0.2.3
RegSet returns a set content key/value Packet. This can be used to instruct the client to set the raw value content to the supplied raw bytes for the specified registry path along with the type.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name uint32 // Type []byte // Content Output: uint8 // Operation
func RegSetBytes ¶ added in v0.2.3
RegSetBytes returns a set as a BINARY (bytes) key/value Packet. This can be used to instruct the client to set the value content to the supplied bytes for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name []byte // Content Output: uint8 // Operation
func RegSetDword ¶ added in v0.2.3
RegSetDword returns a set as a DWORD (uint32) key/value Packet. This can be used to instruct the client to set the value content to the supplied DWORD for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name uint32 // Content Output: uint8 // Operation
func RegSetExpandString ¶ added in v0.2.3
RegSetExpandString returns a set as expand string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name string // Content Output: uint8 // Operation
func RegSetQword ¶ added in v0.2.3
RegSetQword returns a set as QWORD (uint64) key/value Packet. This can be used to instruct the client to set the value content to the supplied QWORD for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name uint64 // Content Output: uint8 // Operation
func RegSetString ¶ added in v0.2.3
RegSetString returns a set as string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name string // Content Output: uint8 // Operation
func RegSetStringList ¶ added in v0.2.3
RegSetStringList returns a set as multi string key/value Packet. This can be used to instruct the client to set the value content to the supplied strings for the specified registry path.
C2 Details:
ID: TvRegistry Input: uint8 // Operation string // Key Path string // Value Name []string // Content Output: uint8 // Operation
func ReloadDLL ¶ added in v0.2.0
ReloadDLL is a function shamelessly stolen from the sliver project. This function will read a DLL file from on-disk and rewrite over its current in-memory contents to erase any hooks placed on function calls.
Re-mastered and refactored to be less memory hungry and easier to read :P
Orig src here:
https://github.com/BishopFox/sliver/blob/f94f0fc938ca3871390c5adfa71bf4edc288022d/implant/sliver/evasion/evasion_windows.go#L116
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvReloadDLL Input: string // DLL Name Output: <none>
func RevToSelf ¶ added in v0.2.0
RevToSelf returns a Rev2Self Packet. This can be used to instruct Windows based devices to drop any previous elevated Tokens they may possess and return to their "normal" Token.
This task result does not return any data, only errors if it fails.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvRevSelf Input: <none> Output: <none>
func ScreenShot ¶ added in v0.2.2
ScreenShot returns a screenshot Packet. This will instruct the client to attempt to get a screenshot of all the current active desktops on the host. If successful, the returned data is a binary blob of the resulting image, encoded in the PNG image format.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TVScreenShot Input: <none> Output: []byte // Data
func Sleep ¶ added in v0.3.2
Sleep returns a set Session sleep Packet. This can be used to instruct the client to update its sleep value to the specified duration.
Anything less than or equal to zero is ignored! This setting will NOT override the Jitter setting.
IT IS RECOMMENDED TO USE THE 'Session.Sleep' CALL INSTEAD TO PREVENT DE-SYNC ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.
C2 Details:
ID: MvTime Input: int8 // Jitter (-1 for this) uint64 // Sleep Output: uint8 // Jitter uint64 // Sleep
func Spawn ¶ added in v0.2.0
Spawn will attempt to spawn a new instance using the provided Callable type as the source.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
The return result is the PID of the new instance.
This function uses the same Profile as the target Session. Use the 'SpawnProfile' function to change this behavior.
C2 Details:
ID: MvSpawn Input: string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type <...> // Callable Data Output: uint32 // New PID
func SpawnProfile ¶ added in v0.2.0
SpawnProfile will attempt to spawn a new instance using the provided Callable type as the source with the supplied Profile bytes.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
The return result is the PID of the new instance.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
C2 Details:
ID: MvSpawn Input: string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type <...> // Callable Data Output: uint32 // New PID
func SpawnPull ¶ added in v0.2.0
SpawnPull will attempt to spawn a new instance using the provided URL as the source.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
The return result is the PID of the new instance.
This function uses the same Profile as the target Session. Use the 'SpawnPullProfile' function to change this behavior.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
C2 Details:
ID: MvSpawn Input: string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type (always TvPullExecute) string // URL string // User-Agent Output: uint32 // New PID
func SpawnPullProfile ¶ added in v0.2.0
SpawnPullProfile will attempt to spawn a new instance using the provided URL as the source with the supplied Profile bytes.
The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.
The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.
The return result is the PID of the new instance.
If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.
The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')
C2 Details:
ID: MvSpawn Input: string // Pipe Name []byte // Profile Bytes Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } uint8 // Callable Type (always TvPullExecute) string // URL string // User-Agent Output: uint32 // New PID
func SwapMouse ¶ added in v0.3.0
SwapMouse returns a swap mouse buttons Packet. This will instruct the client to swap the mouse buttons. The buttons will stay swapped until a successful call to 'SwapMouse' with false.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Can be 0 or 1 depending on the state set. Output: <none>
func Touch ¶ added in v0.2.5
Touch returns a file touch Packet. This can be used to instruct the client to create the specified file if it does not exist.
The path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvSystemIO Input: uint8 // IO Type string // Path Output: uint8 // IO Type
func UnTrust ¶ added in v0.3.1
UnTrust returns an Untrust Packet. This will instruct the client to use the provided Filter to attempt to "Untrust" the targeted process by removing all of its permissions and setting its integrity level to "Untrusted".
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUnTrust Input: Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } Output: <none>
func Upload ¶
Upload returns an upload Packet. This will instruct the client to write the provided byte array to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.
The destination path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvUpload Input: string // Destination []byte // File Data Output: string // Expanded Destination Path uint64 // Byte Count Written
func UploadFile ¶ added in v0.1.0
UploadFile returns an upload Packet. This will instruct the client to write the provided (server local) file content to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.
The destination path may contain environment variables that will be resolved during runtime.
The source path may contain environment variables that will be resolved on server execution.
C2 Details:
ID: TvUpload Input: string // Destination []byte // File Data Output: string // Expanded Destination Path uint64 // Byte Count Written
func UploadReader ¶ added in v0.1.0
UploadReader returns an upload Packet. This will instruct the client to write the provided reader content to the filepath provided. The client will return the number of bytes written and the resulting file path.
The destination path may contain environment variables that will be resolved during runtime.
C2 Details:
ID: TvUpload Input: string // Destination []byte // File Data Output: string // Expanded Destination Path uint64 // Byte Count Written
func Wait ¶ added in v0.3.1
Wait returns a wait -n- sleep Packet. This can be used to instruct the client to pause processing for the specified duration.
This Task only has an effect during Scripts as most operations are threaded.
If the time is less than or equal to zero, the task will become a NOP.
C2 Details:
ID: TvWait Input: uint64 // Wait duration Output: <none>
func Wallpaper ¶ added in v0.3.0
Wallpaper returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the filepath provided.
The destination path may contain environment variables that will be resolved during runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Always set to 5 for this task. string // Destination Output: <none>
func WallpaperBytes ¶ added in v0.3.0
WallpaperBytes returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the data contained in the supplied byte slice. The new file will be written in a temporary location before being used as a wallpaper.
The destination path may contain environment variables that will be resolved during runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Always set to 4 for this task. []byte // File Data Output: <none>
func WallpaperFile ¶ added in v0.3.0
WallpaperFile returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the supplied (server local) file. The new file will be written in a temporary location before being used as a wallpaper.
The destination path may contain environment variables that will be resolved during runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Always set to 4 for this task. []byte // File Data Output: <none>
func WallpaperReader ¶ added in v0.3.0
WallpaperReader returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the data contained in the supplied reader. The new file will be written in a temporary location before being used as a wallpaper.
The destination path may contain environment variables that will be resolved during runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvTroll Input: uint8 // Always set to 4 for this task. []byte // File Data Output: <none>
func WindowClose ¶ added in v0.3.2
WindowClose returns a close window Packet. This will instruct the client to close the target window.
Using the value "0" for the handle will select all open windows that exist during client runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 4 for this task. uint64 // Handle Output: <none>
func WindowEnable ¶ added in v0.3.0
WindowEnable returns an enable/disable window Packet. This will instruct the client to block all user supplied input (keyboard and mouse) to the specified window handle. Input will be blocked and the window will not be usable until a successful call to 'WindowEnable' with the handle and false.
Using the value "0" for the handle will select all open windows that exist during client runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Can be 0 or 1 depending on the state set. uint64 // Handle Output: <none>
func WindowFocus ¶ added in v0.3.2
WindowFocus returns an activate/focus window Packet. This will instruct the client to focus the target window and show it to the user.
Using the value "0" for the handle will select all open windows that exist during client runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 7 for this task. uint64 // Handle Output: <none>
func WindowList ¶ added in v0.3.0
WindowList returns a list active Windows Packet. This will instruct the client to return a list of the current open Windows with detailed information.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvWindowList Input: <none> Output: uint32 // Count []Window { // List of open Windows uint64 // Handle string // Title uint32 // Position X uint32 // Position Y uint32 // Width uint32 // Height }
func WindowMessageBox ¶ added in v0.3.2
WindowMessageBox returns a MessageBox Packet. This will instruct the client to create a MessageBox with the supplied parent and message options.
Using the value "0" for the handle will create a MessageBox without a parent window.
If the handle 'h' is '-1', or "^uintptr(0)", this will attempt to target the Desktop window, which will fallback to '0' if it fails.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 5 for this task. uint64 // Handle string // Title string // Text uint32 // Flags Output: <none>
func WindowMove ¶ added in v0.3.2
WindowMove returns a move/resize window Packet. This will instruct the client to move and/or resize the targeted window with the supplied options.
The value '-1' may be used in either the 'X' and 'Y' or the 'Width' and 'Height' values to keep the current values instead of changing them.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 6 for this task. uint64 // Handle uint32 // X uint32 // Y uint32 // Width uint32 // Height Output: <none>
func WindowSendInput ¶ added in v0.3.2
WindowSendInput returns a type input Packet. This will instruct the client to use input events to type out the provided string. The client will first attempt to bring the window supplied to the foreground (if non-zero) before typing.
The window value is optional and may be set to zero.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 8 for this task. uint64 // Handle string // Text Output: <none>
func WindowShow ¶ added in v0.3.2
WindowShow returns a show window Packet. This will instruct the client to change the window's active show state.
Using the value "0" for the handle will select all open windows that exist during client runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 3 for this task. uint64 // Handle uint8 // Sw* Constant Output: <none>
func WindowTransparency ¶ added in v0.3.0
WindowTransparency returns a set window transparency Packet. This will instruct the client to set the window with the supplied handle with the specified transparency value. This value ranges from 0 (transparent) to 255 (opaque).
Using the value "0" for the handle will select all open windows that exist during client runtime.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 2 for this task. uint64 // Handle Output: <none>
func WindowWTF ¶ added in v0.3.2
WindowWTF returns a window WTF mode Packet. This will instruct the client to do some crazy things with the active windows for the supplied duration.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvUI Input: uint8 // Always 8 for this task. int64 // Duration Output: <none>
func ZeroTrace ¶ added in v0.3.0
ZeroTrace will create a Tasklet that will instruct the client to attempt to patch the function calls for logging events on Windows systems.
This will return an error if it fails.
Always returns 'ErrNoWindows' on non-Windows devices.
C2 Details:
ID: TvZeroTrace Input: <none> Output: <none>
func ZombieUnmarshal ¶ added in v0.2.0
ZombieUnmarshal will read this Zombie's struct data from the supplied reader and returns a Zombie runnable struct along with the wait and delete status booleans.
This function returns an error if building or reading fails or if the device is not running Windows.
Types ¶
type Assembly ¶ added in v0.1.0
Assembly is a Tasklet that is similar to the 'cmd.Assembly' struct.
This struct is used to Task a Client with running shellcode on devices. It has many of the functionalities matching the 'cmd.Assembly' struct.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The 'SetParent' function will attempt to set the target that runs the shellcode. If none are specified, the shellcode will be injected into the client process.
C2 Details:
ID: TvAssembly Input: Assembly struct { bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Assembly Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func AssemblyFile ¶ added in v0.2.0
AssemblyFile will create a Tasklet that will instruct the client to run shellcode from a file source on the local (server - the one calling this function) machine.
This will attempt to read the file and will return an error if it fails.
C2 Details:
ID: TvAssembly Input: Assembly struct { bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Assembly Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func AssemblyReader ¶ added in v0.2.0
AssemblyReader will create a Tasklet that will instruct the client to run shellcode from the contents of the supplied Reader.
This will attempt to read from the Reader and will return an error if it fails.
C2 Details:
ID: TvAssembly Input: Assembly struct { bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Assembly Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func (Assembly) MarshalStream ¶ added in v0.1.0
MarshalStream writes the data for this Code thread to the supplied Writer.
func (Assembly) Packet ¶ added in v0.2.0
Packet will take the configured Assembly options and will return a Packet and any errors that may occur during building.
This allows the Assembly struct to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvAssembly Input: Assembly struct { bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Assembly Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
type Callable ¶ added in v0.2.0
type Callable interface { MarshalStream(data.Writer) error // contains filtered or unexported methods }
Callable is an internal interface used to specify a wide range of Runnable types that can be Marshaled into a Packet.
Currently the DLL, Zombie, Assembly and Process instances are supported.
type DLL ¶ added in v0.2.0
DLL is a Tasklet that is similar to the 'cmd.DLL' struct. This is used to Task a Client with loading a DLL.
The Path parameter is the path (on the client) where the DLL is located. This may be omitted and Data can be filled instead with the raw binary data to send and load a remote DLL instead. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: TvDLL Input: DLL struct { string // Path bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Raw DLL Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func DLLFile ¶ added in v0.2.0
DLLFile will create a Tasklet that will instruct the client to load a DLL from the specified local (server - the one calling this function) file source. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvInjectDLL Input: DLL struct { string // Path bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Raw DLL Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func DLLReader ¶ added in v0.2.0
DLLReader will create a Tasklet that will instruct the client to load a DLL from the specified reader source. (THIS WILL MAKE A WRITE TO DISK!)
To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvInjectDLL Input: DLL struct { string // Path bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Raw DLL Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
func (DLL) MarshalStream ¶ added in v0.2.0
MarshalStream writes the data for this DLL task to the supplied Writer.
func (DLL) Packet ¶ added in v0.2.0
Packet will take the configured DLL options and will return a Packet and any errors that may occur during building.
This allows the DLL struct to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvDLL Input: DLL struct { string // Path bool // Wait int64 // Timeout bool // Filter Status Filter struct { // Filter uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Raw DLL Data } Output: uint64 // Handle uint32 // PID int32 // Exit Code
type Process ¶
type Process struct { Filter *filter.Filter Dir string User, Domain, Pass string Env, Args []string Stdin []byte Timeout time.Duration Flags uint32 Wait, Hide bool }
Process is a Tasklet that is similar to the 'cmd.Process' struct. This is used to Task a Client with running a specified command.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: TvExecute Input: Process struct { []string // Args string // Dir []string // Environment uint32 // Flags bool // Wait int64 // Timeout bool // Hide string // Username string // Domain string // Password Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Stdin Data } Output: uint32 // PID int32 // Exit Code []byte // Output (Stdout and Stderr)
func Run ¶
Run will create a Tasklet that will instruct the client to run a command. This command will be parsed using the 'cmd.Split' function.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
The response to this task will return the PID, ExitCode and Stdout/Stderr data.
C2 Details:
ID: TvExecute Input: Process struct { []string // Args string // Dir []string // Environment uint32 // Flags bool // Wait int64 // Timeout Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Stdin Data } Output: uint32 // PID int32 // Exit Code []byte // Output (Stdout and Stderr)
func Shell ¶ added in v0.2.0
Shell will create a Task that will instruct the client to run a shell command. The command will be passed as an argument to the default shell found on the device.
The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.
The response to this task will return the PID, ExitCode and Stdout/Stderr data.
C2 Details:
ID: TvExecute Input: Process struct { []string // Args string // Dir []string // Environment uint32 // Flags bool // Wait int64 // Timeout Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Stdin Data } Output: uint32 // PID int32 // Exit Code []byte // Output (Stdout and Stderr)
func (Process) MarshalStream ¶
MarshalStream writes the data for this Process to the supplied Writer.
func (Process) Packet ¶ added in v0.2.0
Packet will take the configured Process options and will return a Packet and any errors that may occur during building.
This allows Process to fulfil the 'Tasklet' interface.
C2 Details:
ID: TvAssembly Input: Process struct { []string // Args string // Dir []string // Environment uint32 // Flags bool // Wait int64 // Timeout bool // Hide string // Username string // Domain string // Password Filter struct { // Filter bool // Filter Status uint32 // PID bool // Fallback uint8 // Session uint8 // Elevated []string // Exclude []string // Include } []byte // Stdin Data } Output: uint32 // PID int32 // Exit Code []byte // Output (Stdout and Stderr)
type Script ¶ added in v0.3.1
type Script struct {
// contains filtered or unexported fields
}
Script is a Tasklet type that allows for chaining the results of multiple Tasks in a single instance to be run as one.
All script tasks will be run in the same thread and will execute in order until all tasks are complete.
Each Script has two boolean options, 'Output' (default: true), which determines if the Script result should be returned and 'StopOnError' (default: false), which will determine the action taken if an error occurs in one of the Script tasks.
func NewScript ¶ added in v0.3.1
NewScript returns a new Script instance with the Settings for 'stop on error' and 'return output' set to the values specified.
Non-initialized Scripts can be used instead of calling this function directly.
func (*Script) Add ¶ added in v0.3.1
Add will add the supplied Task (in Packet form), to the Script. If this Script was not initialized, it will be initialized with the default options first.
This function will return an error if the Packet supplied is invalid for Script usage.
An invalid Script Packet is one of the following: - Any fragmented Packet - Any Packet with control (error/oneshot/proxy/multi/frag) Flags set - Any NoP Packet - Any Packet with a System ID - Any Script
func (*Script) AddTasklet ¶ added in v0.3.2
AddTasklet will add the supplied Tasklet result, to the Script. If this Script was not initialized, it will be initialized with the default options first.
This function will return an error if the Packet supplied is invalid for Script usage or the Tasklet action returned an error or is invalid.
An invalid Script Packet is one of the following: - Any fragmented Packet - Any Packet with control (error/oneshot/proxy/multi/frag) Flags set - Any NoP Packet - Any Packet with a System ID - Any Script
func (*Script) Append ¶ added in v0.3.1
Append will add the supplied Tasks (in Packet form), to the Script. If this Script was not initialized, it will be initialized with the default options first.
This function is like 'Add' but takes a variadic list of multiple Packets to be added in a single call.
This function will return an error if any of the Packets supplied are invalid for Script usage.
An invalid Script Packet is one of the following: - Any fragmented Packet - Any Packet with control (error/oneshot/proxy/multi/frag) Flags set - Any NoP Packet - Any Packet with a System ID
func (*Script) Channel ¶ added in v0.3.2
Channel (if true) will set this Script payload to enable Channeling mode (if supported) before running.
NOTE: There is no way for Scripts to disable channeling themselves.
func (*Script) Clear ¶ added in v0.3.1
func (s *Script) Clear()
Clear will reset the Script and empty its contents.
This does not remove the error and output settings.
func (*Script) Empty ¶ added in v0.3.2
Empty returns true if this Script's backing buffer is empty.
func (*Script) IsChannel ¶ added in v0.3.2
IsChannel returns true if the 'channel' setting is set to true.
func (*Script) IsOutput ¶ added in v0.3.2
IsOutput returns true if the 'return output' setting is set to true.
func (*Script) IsStopOnError ¶ added in v0.3.2
IsStopOnError returns true if the 'stop on error' setting is set to true.
func (*Script) Output ¶ added in v0.3.1
Output controls the 'return output' setting for this Script.
If set to True (the default), the results of all executed Tasks in this script will return their resulting output (if applicable and with no errors). Otherwise, False will disable output and all Task output will be ignored, unless errors occur.
func (*Script) Packet ¶ added in v0.3.1
Packet will take the configured Script options/data and will return a Packet and any errors that may occur during building.
This allows the Script struct to fulfil the 'Tasklet' interface.
C2 Details:
ID: MvScript Input: bool // Option 'output' bool // Option 'stop on error' ...uint8 // Packet ID ...[]byte // Packet Data Output: ...uint8 // Result Packet ID ...bool // Result is not error ...[]byte // Result Data
func (*Script) Payload ¶ added in v0.3.2
Payload returns the raw, underlying bytes in this Script. If this script is empty the return will be empty.
func (*Script) Replace ¶ added in v0.3.2
Replace will clear the Script data and replace it with the supplied byte array.
It is the caller's responsibility to ensure that the first two bytes are correct values for error and output.
func (*Script) Size ¶ added in v0.3.2
Size returns the internal size of the backing Script buffer, similar to len(s).
func (*Script) StopOnError ¶ added in v0.3.1
StopOnError controls the 'stop on error' setting for this Script.
If set to True, the Script will STOP processing if one of the Tasks returns an error during runtime. Otherwise False (the default), will report the error in the chain and will keep going.
type Tasker ¶
Tasker is a function alias that will be tasked with executing a Job and will return an error or write the results to the supplied Writer. Associated data can be read from the supplied Reader.
This function is NOT responsible for writing any error codes, the parent caller will handle that.
type Tasklet ¶ added in v0.2.0
Tasklet is an interface that allows for Sessions to be directly tasked without creating the underlying Packet.
The 'Packet' function should return a Packet that has the Task data or any errors that may have occurred during Packet generation.
This function should be able to be called multiple times.
type Zombie ¶ added in v0.2.0
// Zombie is a Tasklet that tasks a Client with running a zombie command. The
// "C2 Details" layout for ID WvZombie on this page lists how the fields are
// written into the Packet.
type Zombie struct {
	// Filter attempts to set the target that runs the Zombie process. If no
	// target is specified, the process is run under the client process.
	Filter *filter.Filter
	// Dir appears in the wire layout as the "Dir" string; presumably the
	// working directory of the process — TODO confirm against cmd.Zombie.
	Dir string
	// Data is the raw byte payload; it is the first field in the wire layout.
	Data []byte
	// Env and Args appear in the wire layout as the "Environment" and "Args"
	// string lists.
	Env, Args []string
	// User, Domain and Pass appear in the wire layout as "Username", "Domain"
	// and "Password"; the layout types each of them as a string.
	User, Domain, Pass string
	// Stdin appears last in the wire layout, as the "Stdin Data" bytes.
	Stdin []byte
	// Timeout is listed as an int64 in the wire layout; the unit used on the
	// wire is not shown on this page.
	Timeout time.Duration
	// Flags is listed as a uint32; the meaning of individual bits is not
	// documented on this page.
	Flags uint32
	// Wait and Hide appear in the wire layout as the "Wait" and "Hide" bools.
	Wait, Hide bool
}
Zombie is a Tasklet that is similar to the 'cmd.Zombie' struct. This is used to Task a Client with running a specified zombie command.
This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.
The Filter attribute will attempt to set the target that runs the Zombie Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func ZombieAsm ¶ added in v0.2.0
ZombieAsm will create a Zombie Tasklet that can be used to run the supplied Assembly in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func ZombieAsmFile ¶ added in v0.2.0
ZombieAsmFile will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified local (server) file source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func ZombieAsmReader ¶ added in v0.2.0
ZombieAsmReader will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified reader source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func ZombieDLLFile ¶ added in v0.2.0
ZombieDLLFile will create a Zombie Tasklet that can be used to run the supplied DLL from the specified local (server) file source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.
NOTE: This converts the DLL to Assembly.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func ZombieDLLReader ¶ added in v0.2.0
ZombieDLLReader will create a Zombie Tasklet that can be used to run the supplied DLL from the specified reader source in a Zombie process that uses the specified command line arguments.
The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.
NOTE: This converts the DLL to Assembly.
C2 Details:
ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)
func (Zombie) MarshalStream ¶ added in v0.2.0
MarshalStream writes the data for this Zombie to the supplied Writer.
func (Zombie) Packet ¶ added in v0.2.0
Packet will take the configured Zombie options and will return a Packet and any errors that may occur during building.
This allows Zombie to fulfil the 'Tasklet' interface.
C2 Details:
ID: WvZombie

Input:
    Process struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)