task

package
v0.5.1

This package is not in the latest version of its module.
Published: Mar 20, 2023 License: GPL-3.0 Imports: 18 Imported by: 1

Documentation

Overview

Package task is a simple collection of Task based functions that can be tasked to Sessions by the Server.

This package is separate from the c2 package to allow for separation and containerization of Tasks.

Basic internal Tasks are still held in the c2 package.

Constants

const (
	NetcatTCP uint8 = 0
	NetcatUDP       = iota
	NetcatTLS
	NetcatTLSInsecure
	NetcatICMP
)

Netcat connection constants

const (
	MvRefresh    uint8 = 0x07
	MvTime       uint8 = 0x08
	MvPwd        uint8 = 0x09
	MvCwd        uint8 = 0x0A
	MvProxy      uint8 = 0x0B
	MvSpawn      uint8 = 0x0C
	MvMigrate    uint8 = 0x0D
	MvCheckDebug uint8 = 0x0E // MvElevate  uint8 = 0x0E
	MvList       uint8 = 0x0F
	MvMounts     uint8 = 0x10
	MvProcList   uint8 = 0x11 // MvRevSelf uint8 = 0x11
	MvProfile    uint8 = 0x12
	MvWhoami     uint8 = 0x13
	MvScript     uint8 = 0xF0

	// Built in Task Message ID Values
	TvDownload    uint8 = 0xC0
	TvUpload      uint8 = 0xC1
	TvExecute     uint8 = 0xC2
	TvAssembly    uint8 = 0xC3
	TvZombie      uint8 = 0xC4
	TvDLL         uint8 = 0xC5
	TvCheck       uint8 = 0xC6
	TvPatch       uint8 = 0xC7
	TvPull        uint8 = 0xC8
	TvPullExecute uint8 = 0xC9
	TvRename      uint8 = 0xCA
	TvScreenShot  uint8 = 0xCB
	TvProcDump    uint8 = 0xCC
	TvRevSelf     uint8 = 0xCD // TvProcList    uint8 = 0xCD
	TvRegistry    uint8 = 0xCE
	TvSystemIO    uint8 = 0xCF
	TvEvade       uint8 = 0xD0
	TvTroll       uint8 = 0xD1
	TvUI          uint8 = 0xD2
	TvWindowList  uint8 = 0xD3
	TvLoginUser   uint8 = 0xD4
	TvElevate     uint8 = 0xD5 // TvCheckDebug uint8 = 0xD5
	TvWait        uint8 = 0xD6
	TvUnTrust     uint8 = 0xD7
	TvPower       uint8 = 0xD8
	TvNetcat      uint8 = 0xD9
	TvLogins      uint8 = 0xDA
	TvLoginsAct   uint8 = 0xDB
	TvLoginsProc  uint8 = 0xDC
	TvFuncMap     uint8 = 0xDD
	TvFuncMapList uint8 = 0xDE
)

The Mv* Packet ID values are built-in task values that are handled directly before the Mux, as these are critical for operations.

Tv* ID values are standard ID values for Tasks that are handled here.

Variables

var Mappings = [0xFF]Tasker{
	TvDownload:    taskDownload,
	TvUpload:      taskUpload,
	TvExecute:     taskProcess,
	TvAssembly:    taskAssembly,
	TvPull:        taskPull,
	TvPullExecute: taskPullExec,
	TvZombie:      taskZombie,
	TvDLL:         taskInject,
	TvCheck:       taskCheck,
	TvPatch:       taskPatch,
	TvRename:      taskRename,
	TvScreenShot:  taskScreenShot,
	TvProcDump:    taskProcDump,
	TvRevSelf:     taskRevSelf,
	TvRegistry:    taskRegistry,
	TvSystemIO:    taskSystemIo,
	TvEvade:       taskEvade,
	TvTroll:       taskTroll,
	TvUI:          taskInteract,
	TvWindowList:  taskWindowList,
	TvLoginUser:   taskLoginUser,
	TvElevate:     taskElevate,
	TvWait:        taskWait,
	TvUnTrust:     taskUntrust,
	TvPower:       taskShutdown,
	TvNetcat:      taskNetcat,
	TvLogins:      taskLogins,
	TvLoginsAct:   taskLoginsAct,
	TvLoginsProc:  taskLoginsProc,
	TvFuncMap:     taskFuncMap,
	TvFuncMapList: taskFuncMapList,
}

Mappings is a fixed size array that contains the Tasker mappings for each ID value.

Values that are less than 22 are ignored. Adding a mapping to here will allow it to be executed via the client Scheduler.

Functions

func AssemblyUnmarshal added in v0.2.0

func AssemblyUnmarshal(x context.Context, r data.Reader) (*cmd.Assembly, bool, error)

AssemblyUnmarshal will read this Assembly's struct data from the supplied reader and return an Assembly runnable struct along with the wait boolean.

This function returns an error if building or reading fails.

func BlockInput added in v0.3.0

func BlockInput(e bool) *com.Packet

BlockInput returns a block user input Packet. This will instruct the client to block all user supplied input (keyboard and mouse). Input will be blocked until a successful call to 'BlockInput' with false.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Can be 6 or 7 depending on the state set.
Output:
    <none>

func CheckDLL added in v0.2.0

func CheckDLL(dll string, addr uint32, b []byte) *com.Packet

CheckDLL returns a DLL integrity verification Packet. This can be used to instruct the client to check the in-memory contents of the DLL name or file path provided to ensure it matches "known-good" values.

This function version will check the DLL contents against the supplied bytes and starting address. The 'winapi.ExtractDLLBase' function can supply these values. If the byte array is nil/empty, this will instead act like the 'CheckDLLFile' function and read from disk.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

The client returns true if the DLL is considered valid/unhooked.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvCheck

Input:
    string // DLL Name/Path
    string // Empty for this function
    uint32 // Zero for this function
    []byte // Empty for this function
Output:
    bool   // True if DLL is clean, false if it is tampered with

func CheckDLLFile added in v0.4.2

func CheckDLLFile(dll string) *com.Packet

CheckDLLFile returns a DLL integrity verification Packet. This can be used to instruct the client to check the in-memory contents of the DLL name or file path provided to ensure it matches "known-good" values.

This function version will read in the DLL data from the client disk and will verify the entire executable region.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

The client returns true if the DLL is considered valid/unhooked.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvCheck

Input:
    string // DLL Name/Path
    string // Empty for this function
    uint32 // Zero for this function
    []byte // Empty for this function
Output:
    bool   // True if DLL is clean, false if it is tampered with

func CheckFunction added in v0.4.2

func CheckFunction(dll, name string, b []byte) *com.Packet

CheckFunction returns a DLL function integrity verification Packet. This can be used to instruct the client to check the in-memory contents of the DLL name or file path provided with the supplied function name to ensure it matches "known-good" values.

This function version will check the function base address against the supplied bytes. If the bytes supplied are nil/empty, this will do a simple long JMP/CALL Assembly check instead.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

The client returns true if the DLL function is considered valid/unhooked.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvCheck

Input:
    string // DLL Name/Path
    string // Function name
    uint32 // Zero for this function
    []byte // Function bytes to check against
Output:
    bool   // True if DLL is clean, false if it is tampered with

func CheckFunctionFile added in v0.4.2

func CheckFunctionFile(dll, name string, b []byte) *com.Packet

CheckFunctionFile returns a DLL function integrity verification Packet. This can be used to instruct the client to check the in-memory contents of the DLL name or file path provided with the supplied function name to ensure it matches "known-good" values.

This function version will check the function base address against the supplied bytes. If the bytes supplied are nil/empty, this will pull the bytes for the function from the local DLL source.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

The client returns true if the DLL function is considered valid/unhooked.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvCheck

Input:
    string // DLL Name/Path
    string // Function name
    uint32 // Zero for this function
    []byte // Function bytes to check against
Output:
    bool   // True if DLL is clean, false if it is tampered with

func Copy added in v0.2.5

func Copy(src, dst string) *com.Packet

Copy returns a file copy Packet. This can be used to instruct the client to copy the specified source file to the specified destination path.

The source and destination paths may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    string // Source
    string // Destination
Output:
    uint8  // IO Type
    string // Expanded Destination Path
    uint64 // Byte Count Written

func Cwd added in v0.1.0

func Cwd(d string) *com.Packet

Cwd returns a change directory Packet. This can be used to instruct the client to change from its current working directory to the directory specified.

Empty or invalid directory entries will return an error.

The source path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: MvCwd

Input:
    string // Directory
Output:
    <none>

func DLLUnmarshal added in v0.2.0

func DLLUnmarshal(_ context.Context, _ data.Reader) (*cmd.DLL, bool, bool, error)

DLLUnmarshal will read this DLL's struct data from the supplied reader and return a DLL runnable struct along with the wait and delete status booleans.

This function returns an error if building or reading fails or if the device is not running Windows.

func Delete added in v0.2.5

func Delete(s string, recurse bool) *com.Packet

Delete returns a file delete Packet. This can be used to instruct the client to delete the specified file if it exists.

Set 'recurse' to true to delete a non-empty directory and all files in it.

The path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    string // Path
Output:
    uint8  // IO Type

func Download

func Download(src string) *com.Packet

Download returns a download Packet. This will instruct the client to read the (client local) filepath provided and return the raw binary data.

The source path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvDownload

Input:
    string // Target
Output:
    string // Expanded Target Path
    bool   // Target is Directory
    int64  // Size
    []byte // Data

func Duration added in v0.3.2

func Duration(d time.Duration, j int) *com.Packet

Duration returns a set Session sleep and/or jitter Packet. This can be used to instruct the client to update its sleep and jitter values to the specified duration and 0-100 percentage values if they are not unset (-1 for Jitter, anything <=0 for Sleep).

For Sleep, anything less than or equal to zero is ignored!

For Jitter, anything greater than 100 will be capped to 100 and anything less than zero (except -1) will be set to zero. Values of -1 are ignored.

C2 Details:

ID: MvTime

Input:
    uint8       // Always 0 for this Task
    int8        // Jitter
    uint64      // Sleep
Output:
    uint8       // Jitter
    uint64      // Sleep
    uint64      // Kill Date
    WorkHours { // Work Hours
        uint8   // Day
        uint8   // Start Hour
        uint8   // Start Min
        uint8   // End Hour
        uint8   // End Min
    }

func Elevate added in v0.2.0

func Elevate(f *filter.Filter) *com.Packet

Elevate returns an elevate Packet. This will instruct the client to use the provided Filter to attempt to get a Token handle to an elevated process. If the Filter is nil, then the client will attempt to use any elevated process.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvElevate

Input:
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
Output:
    <none>

func Evade added in v0.4.2

func Evade(f uint8) *com.Packet

Evade returns a client Evasion Packet. This can be used to instruct the client to perform evasion functions dependent on the supplied bitmask value.

Some evasion methods include zero-ing out function calls and disabling Debugger view of functions.

This will return an error if it fails.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvEvade

Input:
    uint8 // Evasion Flags
Output:
    <none>

func FuncRemap added in v0.4.4

func FuncRemap(name string, b []byte) *com.Packet

FuncRemap returns a syscall function mapping Packet. This can be used to instruct the client to upload the bytes to be re-mapped to a new memory address that can be used to override the supplied ntdll.dll function name.

This function only returns an error if it occurred during mapping.

Always returns 'ErrNoWindows' on non-Windows devices. Clients must have the "funcmap" capability or they will return EINVAL.

C2 Details:

ID: TvFuncMap

Input:
    uint8  // Always 0 for this
    uint32 // FNV Hash of the function name
    []byte // Function bytes to write into memory
Output:
    <none>

func FuncRemapList added in v0.4.4

func FuncRemapList() *com.Packet

FuncRemapList returns a syscall function mapping list Packet. This can be used to instruct the client to return details of all of the re-mapped ntdll.dll functions.

The result will be an array of FuncEntries that will indicate the new and original memory addresses of the functions they represent.

Always returns 'ErrNoWindows' on non-Windows devices. Clients must have the "funcmap" capability or they will return nil.

C2 Details:

ID: TvFuncMapList

Input:
    <none>
Output:
    uint32        // Count
    []FuncEntry { // List of re-mapped functions
        uint32    // Function hash
        uint64    // Function original address
        uint64    // Function swapped address
    }
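
For an analyst reading a TvFuncMapList result, the function hashes can be turned back into names by hashing a list of candidate ntdll.dll export names and matching them. This is an added example, not code from the package; the page only says "FNV Hash", so trying both 32-bit variants (FNV-1 and FNV-1a) over the exact export name is an assumption, and the type names, function names, wordlist and sample records are constructed.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// FuncEntry mirrors the three fields listed for each TvFuncMapList
// output record, after the wire data has been decoded.
type FuncEntry struct {
	Hash     uint32 // Function hash
	Original uint64 // Function original address
	Swapped  uint64 // Function swapped address
}

// Resolved is a FuncEntry annotated for triage.
type Resolved struct {
	FuncEntry
	Name      string // matching candidate name, "" if none matched
	Variant   string // FNV variant that matched: "fnv1" or "fnv1a"
	Ambiguous bool   // two different candidate names share this hash
	Remapped  bool   // swapped address differs from the original
}

type hit struct{ name, variant string }

func fnv1(s string) uint32 {
	h := fnv.New32()
	h.Write([]byte(s))
	return h.Sum32()
}

func fnv1a(s string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(s))
	return h.Sum32()
}

// BuildTable hashes every candidate name with both 32-bit FNV variants.
// Assumption: the page does not say which variant or casing is hashed,
// so both variants of the exact export name are indexed.
func BuildTable(names []string) map[uint32][]hit {
	t := make(map[uint32][]hit, len(names)*2)
	for _, n := range names {
		a, b := fnv1(n), fnv1a(n)
		t[a] = append(t[a], hit{n, "fnv1"})
		t[b] = append(t[b], hit{n, "fnv1a"})
	}
	return t
}

// Resolve annotates each decoded entry with its candidate name, if any.
func Resolve(entries []FuncEntry, table map[uint32][]hit) []Resolved {
	out := make([]Resolved, 0, len(entries))
	for _, e := range entries {
		r := Resolved{FuncEntry: e, Remapped: e.Swapped != e.Original}
		for i, h := range table[e.Hash] {
			if i == 0 {
				r.Name, r.Variant = h.name, h.variant
			} else if h.name != r.Name {
				r.Ambiguous = true
			}
		}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed wordlist; in practice, the export names of ntdll.dll.
	names := []string{"NtOpenProcess", "NtAllocateVirtualMemory", "NtProtectVirtualMemory"}
	// Constructed sample records: hashes are generated here and the
	// addresses are made up. The last hash is not in the wordlist.
	entries := []FuncEntry{
		{fnv1a("NtOpenProcess"), 0x7FFA10001000, 0x1F0000},
		{fnv1a("NtProtectVirtualMemory"), 0x7FFA10002000, 0x1F0040},
		{fnv1a("NtExampleNotListed"), 0x7FFA10003000, 0x1F0080},
	}
	for _, r := range Resolve(entries, BuildTable(names)) {
		name := r.Name
		if name == "" {
			name = "<unresolved>"
		}
		fmt.Printf("0x%08X %-24s %-6s orig=0x%X new=0x%X remapped=%t\n",
			r.Hash, name, r.Variant, r.Original, r.Swapped, r.Remapped)
	}
}
```

The Variant column shows which FNV variant a given build uses once a single entry resolves, and unresolved hashes indicate names missing from the wordlist or a different hashing scheme.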

func FuncUnmap added in v0.4.4

func FuncUnmap(name string) *com.Packet

FuncUnmap returns a syscall function unmap Packet. This can be used to instruct the client to unmap the re-mapped ntdll.dll function name to its original address.

This function only returns an error if it occurred during unmapping.

Always returns 'ErrNoWindows' on non-Windows devices. Clients must have the "funcmap" capability or they will return nil.

C2 Details:

ID: TvFuncMap

Input:
    uint8  // Always 1 for this
    uint32 // FNV Hash of the function name
Output:
    <none>

func FuncUnmapAll added in v0.4.4

func FuncUnmapAll() *com.Packet

FuncUnmapAll returns a syscall function unmap Packet. This can be used to instruct the client to unmap all of the re-mapped ntdll.dll functions to their original addresses.

This function only returns an error if it occurred during unmapping.

Always returns 'ErrNoWindows' on non-Windows devices. Clients must have the "funcmap" capability or they will return nil.

C2 Details:

ID: TvFuncMap

Input:
    uint8 // Always 2 for this
Output:
    <none>

func HighContrast added in v0.3.0

func HighContrast(e bool) *com.Packet

HighContrast returns a set HighContrast theme Packet. This will instruct the client to set the theme to HighContrast. The theme will be set until a successful call to 'HighContrast' with false.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Can be 2 or 3 depending on the state set.
Output:
    <none>

func IsDebugged added in v0.3.1

func IsDebugged() *com.Packet

IsDebugged returns a check debugger status Packet. This can be used to instruct the client to return a boolean value indicating whether it is currently attached to or being run by a debugger.

C2 Details:

ID: MvCheckDebug

Input:
    <none>
Output:
    bool // True if being debugged, false otherwise

func Jitter added in v0.3.2

func Jitter(j int) *com.Packet

Jitter returns a set Session jitter Packet. This can be used to instruct the client to update its jitter value to the specified 0-100 percentage.

Anything greater than 100 will be capped to 100 and anything less than zero (except -1) will be set to zero. Values of -1 are ignored. This setting will NOT override the Sleep setting.

C2 Details:

ID: MvTime

Input:
    uint8       // Always 0 for this Task
    int8        // Jitter
    uint64      // Always 0 for this Task
Output:
    uint8       // Jitter
    uint64      // Sleep
    uint64      // Kill Date
    WorkHours { // Work Hours
        uint8   // Day
        uint8   // Start Hour
        uint8   // Start Min
        uint8   // End Hour
        uint8   // End Min
    }

func Kill added in v0.2.5

func Kill(p uint32) *com.Packet

Kill returns a process kill Packet. This can be used to instruct the client to send a SIGKILL signal to the process with the specified Process ID.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    uint32 // PID
Output:
    uint8  // IO Type

func KillDate added in v0.4.4

func KillDate(t time.Time) *com.Packet

KillDate returns a set Session kill date Packet. This can be used to instruct the client to update its kill date to the specified date value.

If the time supplied is the empty time struct, this will clear any Kill Date if it exists.

C2 Details:

ID: MvTime

Input:
    uint8       // Always 1 for this Task
    uint64      // Unix time
Output:
    uint8       // Jitter
    uint64      // Sleep
    uint64      // Kill Date
    WorkHours { // Work Hours
        uint8   // Day
        uint8   // Start Hour
        uint8   // Start Min
        uint8   // End Hour
        uint8   // End Min
    }

func KillName added in v0.2.5

func KillName(s string) *com.Packet

KillName returns a process kill Packet. This can be used to instruct the client to send a SIGKILL signal to all processes that have the specified name.

NOTE: This kills all processes that share this name.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    string // Process Name
Output:
    uint8  // IO Type

func LoginUser added in v0.3.0

func LoginUser(interactive bool, user, domain, pass string) *com.Packet

LoginUser returns an impersonate user Packet. This will instruct the client to use the provided credentials to change its Token to the user that owns the supplied credentials.

If the interactive boolean at the start is true, the client will do an interactive login instead. This allows for more access and will change the username, but may prevent access to network resources.

Always returns 'ErrNoWindows' on non-Windows devices (for now).

C2 Details:

ID: TvLoginUser

Input:
    bool   // Interactive
    string // Username
    string // Domain
    string // Password
Output:
    <none>

func Ls added in v0.1.0

func Ls(d string) *com.Packet

Ls returns a file list Packet. This can be used to instruct the client to return a string and bool list of the files in the directory specified.

If 'd' is empty, the current working directory "." is used.

The source path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: MvList

Input:
    string          // Directory
Output:
    uint32          // Count
    []File struct { // List of Files
        string      // Name
        int32       // Mode
        uint64      // Size
        int64       // Modtime
    }

func Migrate added in v0.2.0

func Migrate(f *filter.Filter, s string, c Callable) *com.Packet

Migrate will attempt to migrate to a new instance using the provided Callable type as the source.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

This function keeps the same Profile. Use the 'MigrateProfile' or 'MigrateProfileEx' function to change this behavior.

This function will automatically wait for all Jobs to complete. Use the 'MigrateProfileEx' function to change this behavior.

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type
    <...>           // Callable Data
Output:
    <none>          // RvResult packet sent separately

func MigrateProfile added in v0.2.0

func MigrateProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet

MigrateProfile will attempt to migrate to a new instance using the provided Callable type as the source with the supplied Profile bytes.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

This function will automatically wait for all Jobs to complete. Use the 'MigrateProfileEx' function to change this behavior.

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type
    <...>           // Callable Data
Output:
    <none>          // RvResult packet sent separately

func MigrateProfileEx added in v0.2.0

func MigrateProfileEx(f *filter.Filter, w bool, s string, b []byte, c Callable) *com.Packet

MigrateProfileEx will attempt to migrate to a new instance using the provided Callable type as the source with the supplied Profile bytes and the 'w' boolean to specify waiting for Jobs to complete.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type
    <...>           // Callable Data
Output:
    <none>          // RvResult packet sent separately

func MigratePull added in v0.2.0

func MigratePull(f *filter.Filter, s, url, agent string) *com.Packet

MigratePull will attempt to migrate to a new instance using the provided URL as the source.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

This function keeps the same Profile. Use the 'MigratePullProfile' or 'MigratePullProfileEx' function to change this behavior.

This function will automatically wait for all Jobs to complete. Use the 'MigratePullProfileEx' function to change this behavior.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type (always TvPullExecute)
    string          // URL
    string          // User-Agent
Output:
    <none>          // RvResult packet sent separately

func MigratePullProfile added in v0.2.0

func MigratePullProfile(f *filter.Filter, s string, b []byte, url, agent string) *com.Packet

MigratePullProfile will attempt to migrate to a new instance using the provided URL as the source with the supplied Profile bytes.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

This function will automatically wait for all Jobs to complete. Use the 'MigratePullProfileEx' function to change this behavior.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type (always TvPullExecute)
    string          // URL
    string          // User-Agent
Output:
    <none>          // RvResult packet sent separately

func MigratePullProfileEx added in v0.2.0

func MigratePullProfileEx(f *filter.Filter, w bool, s string, b []byte, url, agent string) *com.Packet

MigratePullProfileEx will attempt to migrate to a new instance using the provided URL as the source with the supplied Profile bytes and the 'w' boolean to specify waiting for Jobs to complete.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

C2 Details:

ID: MvMigrate

Input:
    bool            // Wait for Jobs
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type (always TvPullExecute)
    string          // URL
    string          // User-Agent
Output:
    <none>          // RvResult packet sent separately

func Mounts added in v0.2.0

func Mounts() *com.Packet

Mounts returns a list mounted drives Packet. This can be used to instruct the client to return a string list of all the mount points on the host device.

C2 Details:

ID: MvMounts

Input:
    <none>
Output:
    []string // Mount Paths List

func Move added in v0.2.5

func Move(src, dst string) *com.Packet

Move returns a file move Packet. This can be used to instruct the client to move the specified source file to the specified destination path.

The source and destination paths may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    string // Source
    string // Destination
Output:
    uint8  // IO Type
    string // Expanded Destination Path
    uint64 // Byte Count Written

func Netcat added in v0.4.0

func Netcat(host string, proto uint8, t time.Duration, read bool, b []byte) *com.Packet

Netcat returns a network connection Packet. This will instruct the client to initiate a network call to the specified host:port with the provided protocol. Reading the results and timeouts can be specified, along with the payload to be sent.

If 'read' is true, the resulting data stream results would be returned.

C2 Details:

ID: TvNetcat

Input:
    string // Host:Port
    uint8  // Read | Protocol
    uint64 // Timeout
    []byte // Data to send
Output:
    []byte // Result data (if read is true)

func PatchDLL added in v0.4.2

func PatchDLL(dll string, addr uint32, b []byte) *com.Packet

PatchDLL returns a DLL patching Packet. This can be used to instruct the client to overwrite the in-memory contents of the DLL name or file path provided to ensure it has "known-good" values.

This function version will overwrite the DLL contents using the supplied bytes and starting address. The 'winapi.ExtractDLLBase' function can supply these values. If the byte array is nil/empty, this will instead act like the 'PatchDLLFile' function and read from disk.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvPatch

Input:
    string // DLL Name/Path
    string // Empty for this function
    uint32 // Zero for this function
    []byte // Empty for this function
Output:
    <none>

func PatchDLLFile added in v0.4.2

func PatchDLLFile(dll string) *com.Packet

PatchDLLFile returns a DLL patching Packet. This can be used to instruct the client to overwrite the in-memory contents of the DLL name or file path provided to ensure it has "known-good" values.

This function version will read in the DLL data from the client disk and will overwrite the entire executable region.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvPatch

Input:
    string // DLL Name/Path
    string // Empty for this function
    uint32 // Zero for this function
    []byte // Empty for this function
Output:
    <none>

func PatchFunction added in v0.4.2

func PatchFunction(dll, name string, b []byte) *com.Packet

PatchFunction returns a DLL patching Packet. This can be used to instruct the client to overwrite the in-memory contents of the DLL name or file path provided with the supplied function name to ensure it has "known-good" values.

This function version will overwrite the function base address using the supplied bytes. If the bytes supplied are nil/empty, this will pull the bytes for the function from the local DLL source.

DLL base names will be expanded on the client to full paths if they are not already full path names (unless it is a known DLL name).

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvPatch

Input:
    string // DLL Name/Path
    string // Function name
    uint32 // Zero for this function
    []byte // Function bytes to check against
Output:
    <none>

func ProcessDump added in v0.2.2

func ProcessDump(f *filter.Filter) *com.Packet

ProcessDump will instruct the client to attempt to read and download the memory of the filter target. The returned data is a binary blob of the memory if successful.

C2 Details:

ID: TvProcDump

Input:
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
Output:
    []byte // Data

func ProcessList added in v0.2.2

func ProcessList() *com.Packet

ProcessList returns a list processes Packet. This can be used to instruct the client to return a list of the host's currently running processes.

C2 Details:

ID: MvProcList

Input:
    <none>
Output:
    uint32          // Count
    []ProcessInfo { // List of Running Processes
        uint32      // Process ID
        uint32      // Parent Process ID
        string      // Process Image Name
    }

func ProcessName added in v0.2.2

func ProcessName(s string) *com.Packet

ProcessName returns a process name change Packet. This can be used to instruct the client to change from its current in-memory name to the specified string.

C2 Details:

ID: TvRename

Input:
    string // New Process Name
Output:
    <none>

func ProcessUnmarshal added in v0.2.0

func ProcessUnmarshal(x context.Context, r data.Reader) (*cmd.Process, bool, error)

ProcessUnmarshal will read this Process's struct data from the supplied reader and return a Process runnable struct along with the wait boolean.

This function returns an error if building or reading fails.

func Profile added in v0.3.2

func Profile(b []byte) *com.Packet

Profile returns an update profile Packet. This can be used to instruct the client to set its profile to the raw Profile bytes supplied.

IT IS RECOMMENDED TO USE THE 'Session.SetProfile' CALL INSTEAD TO PREVENT DE-SYNC ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.

C2 Details:

ID: MvProfile

Input:
    []byte // Profile
Output:
    <none>

func Proxy added in v0.2.4

func Proxy(name, addr string, p []byte) *com.Packet

Proxy returns an add Proxy Packet. This can be used to instruct the client to attempt to add the specified Proxy with the name, bind address and Profile bytes.

Returns an error if Proxy support is disabled, a listen/setup error occurs or the name already is in use.

C2 Details:

ID: MvProxy

Input:
    string // Proxy Name (may be empty)
    uint8  // Always set to false for this task.
    string // Proxy Bind Address
    []byte // Proxy Profile
Output:
    <none>

func ProxyRemove added in v0.2.4

func ProxyRemove(name string) *com.Packet

ProxyRemove returns a remove Proxy Packet. This can be used to instruct the client to attempt to remove the Proxy setup by the name, or the single Proxy instance (if multi-proxy mode is disabled).

Returns a NotFound error if the Proxy is not registered or Proxy support is disabled.

C2 Details:

ID: MvProxy

Input:
    string // Proxy Name (may be empty)
    uint8  // Always set to true for this task.
Output:
    <none>

func ProxyReplace added in v0.2.6

func ProxyReplace(name, addr string, p []byte) *com.Packet

ProxyReplace returns a replace Proxy Packet. This can be used to instruct the client to attempt to call the 'Replace' function on the specified Proxy with the name, bind address and Profile bytes as the arguments.

Returns an error if Proxy support is disabled, a listen/setup error occurs or the name already is in use.

C2 Details:

ID: MvProxy

Input:
    string // Proxy Name (may be empty)
    uint8  // Always set to false for this task.
    string // Proxy Bind Address
    []byte // Proxy Profile
Output:
    <none>

func Pull added in v0.1.0

func Pull(url, path string) *com.Packet

Pull returns a pull Packet. This will instruct the client to download the resource from the provided URL and write the data to the supplied local filesystem path.

The path may contain environment variables that will be resolved during runtime.

If the destination path is empty, the download results will be returned in the results instead.

C2 Details:

ID: TvPull

Input:
    string // URL
    string // Target Path
Output:
    string // Expanded Destination Path
    uint64 // Byte Count Written
    []byte // Data

func PullAgent added in v0.3.1

func PullAgent(url, agent, path string) *com.Packet

PullAgent returns a pull Packet. This will instruct the client to download the resource from the provided URL and write the data to the supplied local filesystem path.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The path may contain environment variables that will be resolved during runtime.

If the destination path is empty, the download results will be returned in the results instead.

C2 Details:

ID: TvPull

Input:
    string // URL
    string // User-Agent
    string // Target Path
Output:
    string // Expanded Destination Path
    uint64 // Byte Count Written
    []byte // Data

func PullExecute added in v0.2.0

func PullExecute(url string, w bool, f *filter.Filter) *com.Packet

PullExecute returns a pull and execute Packet. This will instruct the client to download the resource from the provided URL and execute the downloaded data.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

This function allows for specifying a Filter struct to specify the target parent process and the boolean flag can be set to true/false to specify if the task should wait for the process to exit.

Returns the same output as the 'Run*' tasks.

C2 Details:

ID: TvPullExecute

Input:
    string          // URL
    bool            // Wait
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
Output:
    uint32          // PID
    int32           // Exit Code

func PullExecuteAgent added in v0.3.1

func PullExecuteAgent(url, agent string, w bool, f *filter.Filter) *com.Packet

PullExecuteAgent returns a pull and execute Packet. This will instruct the client to download the resource from the provided URL and execute the downloaded data.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

This function allows for specifying a Filter struct to specify the target parent process and the boolean flag can be set to true/false to specify if the task should wait for the process to exit.

Returns the same output as the 'Run*' tasks.

C2 Details:

ID: TvPullExecute

Input:
    string          // URL
    string          // User-Agent
    bool            // Wait
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
Output:
    uint32          // PID
    int32           // Exit Code

func Pwd added in v0.1.0

func Pwd() *com.Packet

Pwd returns a print current directory Packet. This can be used to instruct the client to return a string value that contains the current working directory.

C2 Details:

ID: MvPwd

Input:
    <none>
Output:
    string // Working Dir

func Refresh added in v0.2.0

func Refresh() *com.Packet

Refresh returns a refresh Packet. This will instruct the client to re-update its internal Device storage and return the new result. This can be used to detect new network interfaces added/removed and changes to hostname/user status.

This is NOT needed after a Migration, as this happens automatically.

C2 Details:

ID: MvRefresh

Input:
    <none>
Output:
    Machine // Updated device details

func RegDelete added in v0.2.3

func RegDelete(key, value string, force bool) *com.Packet

RegDelete returns a delete key/value Packet. This can be used to instruct the client to delete a key or value at the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    bool   // Delete Recursively or Delete non-empty Keys
Output:
    uint8  // Operation

func RegDeleteKey added in v0.2.3

func RegDeleteKey(key string, force bool) *com.Packet

RegDeleteKey returns a delete key Packet. This can be used to instruct the client to delete a key at the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    bool   // Delete Recursively or Delete non-empty Keys
Output:
    uint8  // Operation

func RegGet added in v0.2.3

func RegGet(key, value string) *com.Packet

RegGet returns a get key/value Packet. This can be used to instruct the client to return the entry details for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8          // Operation
    string         // Key Path
    string         // Value Name
Output:
    uint8          // Operation
    Entry struct { // Entry
        string     // Name
        uint32     // Type
        []byte     // Data
    }

func RegLs added in v0.2.3

func RegLs(s string) *com.Packet

RegLs returns a list registry keys/values Packet. This can be used to instruct the client to return a list of Registry entries for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8            // Operation
    string           // Key Path
Output:
    uint8            // Operation
    uint32           // Count
    []Entry struct { // List of Entries
        string       // Name
        uint32       // Type
        []byte       // Data
    }

func RegMakeKey added in v0.2.3

func RegMakeKey(key string) *com.Packet

RegMakeKey returns a make registry key Packet. This can be used to instruct the client to make a key at the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
Output:
    uint8  // Operation

func RegSet added in v0.2.3

func RegSet(key, value string, t uint32, b []byte) *com.Packet

RegSet returns a set content key/value Packet. This can be used to instruct the client to set the raw value content to the supplied raw bytes for the specified registry path along with the type.

C2 Details:

ID: TvRegistry

Input:
    uint8   // Operation
    string  // Key Path
    string  // Value Name
    uint32  // Type
    []byte  // Content
Output:
    uint8  // Operation

func RegSetBytes added in v0.2.3

func RegSetBytes(key, value string, b []byte) *com.Packet

RegSetBytes returns a set as a BINARY (bytes) key/value Packet. This can be used to instruct the client to set the value content to the supplied bytes for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    []byte // Content
Output:
    uint8  // Operation

func RegSetDword added in v0.2.3

func RegSetDword(key, value string, v uint32) *com.Packet

RegSetDword returns a set as a DWORD (uint32) key/value Packet. This can be used to instruct the client to set the value content to the supplied DWORD for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    uint32 // Content
Output:
    uint8  // Operation

func RegSetExpandString added in v0.2.3

func RegSetExpandString(key, value, v string) *com.Packet

RegSetExpandString returns a set as expand string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    string // Content
Output:
    uint8  // Operation

func RegSetQword added in v0.2.3

func RegSetQword(key, value string, v uint64) *com.Packet

RegSetQword returns a set as QWORD (uint64) key/value Packet. This can be used to instruct the client to set the value content to the supplied QWORD for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    uint64 // Content
Output:
    uint8  // Operation

func RegSetString added in v0.2.3

func RegSetString(key, value, v string) *com.Packet

RegSetString returns a set as string key/value Packet. This can be used to instruct the client to set the value content to the supplied string for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8  // Operation
    string // Key Path
    string // Value Name
    string // Content
Output:
    uint8  // Operation

func RegSetStringList added in v0.2.3

func RegSetStringList(key, value string, v []string) *com.Packet

RegSetStringList returns a set as multi string key/value Packet. This can be used to instruct the client to set the value content to the supplied strings for the specified registry path.

C2 Details:

ID: TvRegistry

Input:
    uint8    // Operation
    string   // Key Path
    string   // Value Name
    []string // Content
Output:
    uint8  // Operation

func Restart added in v0.4.0

func Restart(msg string, sec uint32, force bool, reason uint32) *com.Packet

Restart returns a shutdown Packet. This will instruct the client to initiate a restart/reboot operation. A reboot message, reason, force and timeout can be specified. Timeouts are specified in seconds.

Message and Reason codes are only applicable to Windows devices and are ignored on non-Windows devices.

C2 Details:

ID: TvPower

Input:
    string // Restart message (Windows only)
    uint32 // Timeout (seconds)
    uint32 // Reason code (Windows only)
    uint8  // Flags
Output:
    <none>

func RevToSelf added in v0.2.0

func RevToSelf() *com.Packet

RevToSelf returns a Rev2Self Packet. This can be used to instruct Windows based devices to drop any previous elevated Tokens they may possess and return to their "normal" Token.

This task result does not return any data, only errors if it fails.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvRevSelf

Input:
    <none>
Output:
    <none>

func ScreenShot added in v0.2.2

func ScreenShot() *com.Packet

ScreenShot returns a screenshot Packet. This will instruct the client to attempt to get a screenshot of all the current active desktops on the host. If successful, the returned data is a binary blob of the resulting image, encoded in the PNG image format.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvScreenShot

Input:
    <none>
Output:
    []byte // Data

func Shutdown added in v0.4.0

func Shutdown(msg string, sec uint32, force bool, reason uint32) *com.Packet

Shutdown returns a shutdown Packet. This will instruct the client to initiate a shutdown/poweroff operation. A shutdown message, reason, force and timeout can be specified. Timeouts are specified in seconds.

Message and Reason codes are only applicable to Windows devices and are ignored on non-Windows devices.

C2 Details:

ID: TvPower

Input:
    string // Shutdown message (Windows only)
    uint32 // Timeout (seconds)
    uint32 // Reason code (Windows only)
    uint8  // Flags
Output:
    <none>

func Sleep added in v0.3.2

func Sleep(d time.Duration) *com.Packet

Sleep returns a set Session sleep Packet. This can be used to instruct the client to update its sleep value to the specified duration.

Anything less than or equal to zero is ignored! This setting will NOT override the Jitter setting.

C2 Details:

ID: MvTime

Input:
    uint8       // Always 0 for this Task
    int8        // Always -1 for this Task
    uint64      // Sleep
Output:
    uint8       // Jitter
    uint64      // Sleep
    uint64      // Kill Date
    WorkHours { // Work Hours
        uint8   // Day
        uint8   // Start Hour
        uint8   // Start Min
        uint8   // End Hour
        uint8   // End Min
    }

func Spawn added in v0.2.0

func Spawn(f *filter.Filter, s string, c Callable) *com.Packet

Spawn will attempt to spawn a new instance using the provided Callable type as the source.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

The return result is the PID of the new instance.

This function uses the same Profile as the target Session. Use the 'SpawnProfile' function to change this behavior.

C2 Details:

ID: MvSpawn

Input:
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type
    <...>           // Callable Data
Output:
    uint32          // New PID

func SpawnProfile added in v0.2.0

func SpawnProfile(f *filter.Filter, s string, b []byte, c Callable) *com.Packet

SpawnProfile will attempt to spawn a new instance using the provided Callable type as the source with the supplied Profile bytes.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

The return result is the PID of the new instance.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

C2 Details:

ID: MvSpawn

Input:
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type
    <...>           // Callable Data
Output:
    uint32          // New PID

func SpawnPull added in v0.2.0

func SpawnPull(f *filter.Filter, s, url, agent string) *com.Packet

SpawnPull will attempt to spawn a new instance using the provided URL as the source.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

The return result is the PID of the new instance.

This function uses the same Profile as the target Session. Use the 'SpawnPullProfile' function to change this behavior.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

C2 Details:

ID: MvSpawn

Input:
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type (always TvPullExecute)
    string          // URL
    string          // User-Agent
Output:
    uint32          // New PID

func SpawnPullProfile added in v0.2.0

func SpawnPullProfile(f *filter.Filter, s string, b []byte, url, agent string) *com.Packet

SpawnPullProfile will attempt to spawn a new instance using the provided URL as the source with the supplied Profile bytes.

The supplied 'agent' string (if non-empty) will specify the User-Agent header string to be used.

The provided Filter specifies the parent of the new instance and the 's' argument string specifies the pipe name to use while connecting.

The return result is the PID of the new instance.

If the 'b' Profile bytes is nil or empty, the current target Session Profile will be used.

The download data may be saved in a temporary location depending on what the resulting data type is or file extension. (see 'man.ParseDownloadHeader')

C2 Details:

ID: MvSpawn

Input:
    string          // Pipe Name
    []byte          // Profile Bytes
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
    uint8           // Callable Type (always TvPullExecute)
    string          // URL
    string          // User-Agent
Output:
    uint32          // New PID

func SwapMouse added in v0.3.0

func SwapMouse(e bool) *com.Packet

SwapMouse returns a swap mouse buttons Packet. This will instruct the client to swap the mouse buttons. The buttons will stay swapped until a successful call to 'SwapMouse' with false.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Can be 0 or 1 depending on the state set.
Output:
    <none>

func Touch added in v0.2.5

func Touch(s string) *com.Packet

Touch returns a file touch Packet. This can be used to instruct the client to create the specified file if it does not exist.

The path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvSystemIO

Input:
    uint8  // IO Type
    string // Path
Output:
    uint8  // IO Type

func UnTrust added in v0.3.1

func UnTrust(f *filter.Filter) *com.Packet

UnTrust returns an Untrust Packet. This will instruct the client to use the provided Filter to attempt to "Untrust" the targeted process by removing all of its permissions and setting its integrity level to "Untrusted".

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUnTrust

Input:
    Filter struct { // Filter
        bool        // Filter Status
        uint32      // PID
        bool        // Fallback
        uint8       // Session
        uint8       // Elevated
        []string    // Exclude
        []string    // Include
    }
Output:
    <none>

func Upload

func Upload(dst string, b []byte) *com.Packet

Upload returns an upload Packet. This will instruct the client to write the provided byte array to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.

The destination path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvUpload

Input:
    string // Destination
    []byte // File Data
Output:
    string // Expanded Destination Path
    uint64 // Byte Count Written

func UploadFile added in v0.1.0

func UploadFile(dst, src string) (*com.Packet, error)

UploadFile returns an upload Packet. This will instruct the client to write the provided (server local) file content to the filepath provided. The client will return the number of bytes written and the resulting expanded file path.

The destination path may contain environment variables that will be resolved during runtime.

The source path may contain environment variables that will be resolved on server execution.

C2 Details:

ID: TvUpload

Input:
    string // Destination
    []byte // File Data
Output:
    string // Expanded Destination Path
    uint64 // Byte Count Written

func UploadReader added in v0.1.0

func UploadReader(dst string, r io.Reader) (*com.Packet, error)

UploadReader returns an upload Packet. This will instruct the client to write the provided reader content to the filepath provided. The client will return the number of bytes written and the resulting file path.

The destination path may contain environment variables that will be resolved during runtime.

C2 Details:

ID: TvUpload

Input:
    string // Destination
    []byte // File Data
Output:
    string // Expanded Destination Path
    uint64 // Byte Count Written

func UserDisconnect added in v0.4.2

func UserDisconnect(sid int32) *com.Packet

UserDisconnect returns a disconnect user session Packet. This will instruct the client to disconnect the targeted user session via ID (or -1 for the current session).

C2 Details:

ID: TvLoginsAct

Input:
    uint8 // Always set to 0 for this task.
    int32 // Session ID
Output:
    <none>

func UserLogins added in v0.4.2

func UserLogins() *com.Packet

UserLogins returns a current Login sessions Packet. This will instruct the client to retrieve a list of the current login sessions on the device.

C2 Details:

ID: TvLogins

Input:
    <none>
Output:
    uint32               // Count
    []Login struct {     // List of Logins
        uint32           // Session ID
        uint8            // Login Status
        int64            // Login Time
        int64            // Last Idle Time
        Address struct { // From Address
            uint64       // High bits of Address
            uint64       // Low bits of Address
        }
        string           // Username
        string           // Hostname
    }

func UserLogoff added in v0.4.2

func UserLogoff(sid int32) *com.Packet

UserLogoff returns a logoff user session Packet. This will instruct the client to logoff the targeted user session via ID (or -1 for the current session).

C2 Details:

ID: TvLoginsAct

Input:
    uint8 // Always set to 1 for this task.
    int32 // Session ID
Output:
    <none>

func UserMessageBox added in v0.4.2

func UserMessageBox(sid int32, title, text string, flags, secs uint32, wait bool) *com.Packet

UserMessageBox returns a MessageBox Packet. This will instruct the client to create a MessageBox with the supplied parent and message options under the specified Session ID (or -1 for the current session).

C2 Details:

ID: TvLoginsAct

Input:
    uint8  // Always 2 for this task.
    int32  // Session ID
    uint32 // Flags
    uint32 // Timeout in seconds
    bool   // Wait for User
    string // Title
    string // Text
Output:
    uint32 // MessageBox return result

func UserProcesses added in v0.4.2

func UserProcesses(sid int32) *com.Packet

UserProcesses returns a list processes Packet. This can be used to instruct the client to return a list of the current running host's processes under the specified Session ID (or -1/0 for all session processes).

C2 Details:

ID: TvLoginsProc

Input:
    <none>
Output:
    uint32          // Count
    []ProcessInfo { // List of Running Processes
        uint32      // Process ID
        uint32      // _
        string      // Process Image Name
    }

func Wait added in v0.3.1

func Wait(d time.Duration) *com.Packet

Wait returns a wait -n- sleep Packet. This can be used to instruct the client to pause processing for the specified duration.

This Task only has an effect during Scripts as most operations are threaded.

If the time is less than or equal to zero, the task will become a NOP.

C2 Details:

ID: TvWait

Input:
    uint64 // Wait duration
Output:
    <none>

func Wallpaper added in v0.3.0

func Wallpaper(s string) *com.Packet

Wallpaper returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the filepath provided.

The destination path may contain environment variables that will be resolved during runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Always set to 5 for this task.
    string // Destination
Output:
    <none>

func WallpaperBytes added in v0.3.0

func WallpaperBytes(b []byte) *com.Packet

WallpaperBytes returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the data contained in the supplied byte slice. The new file will be written in a temporary location before being used as a wallpaper.

The destination path may contain environment variables that will be resolved during runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Always set to 4 for this task.
    []byte // File Data
Output:
    <none>

func WallpaperFile added in v0.3.0

func WallpaperFile(s string) (*com.Packet, error)

WallpaperFile returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the supplied (server local) file. The new file will be written in a temporary location before being used as a wallpaper.

The destination path may contain environment variables that will be resolved during runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Always set to 4 for this task.
    []byte // File Data
Output:
    <none>

func WallpaperReader added in v0.3.0

func WallpaperReader(r io.Reader) (*com.Packet, error)

WallpaperReader returns a change user wallpaper Packet. This will instruct the client to change the current user's wallpaper to the data contained in the supplied reader. The new file will be written in a temporary location before being used as a wallpaper.

The destination path may contain environment variables that will be resolved during runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvTroll

Input:
    uint8  // Always set to 4 for this task.
    []byte // File Data
Output:
    <none>

func Whoami added in v0.5.0

func Whoami() *com.Packet

Whoami returns a user discovery Packet. This will instruct the client to query its current token/access and determine a non-cached username/user ID. This Task also returns the current Process path the client is in.

The result is NOT cached, so it may be different depending on the client and any operations in-between calls.

C2 Details:

ID: MvWhoami

Input:
    <none>
Output:
    string // Username
    string // Process Path

func WindowClose added in v0.3.2

func WindowClose(h uint64) *com.Packet

WindowClose returns a close window Packet. This will instruct the client to close the target window.

Using the value "0" for the handle will select all open windows that exist during client runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 4 for this task.
    uint64 // Handle
Output:
    <none>

func WindowEnable added in v0.3.0

func WindowEnable(h uint64, e bool) *com.Packet

WindowEnable returns an enable/disable window Packet. This will instruct the client to block all user supplied input (keyboard and mouse) to the specified window handle. Input will be blocked and the window will not be usable until a successful call to 'WindowEnable' with the handle and false.

Using the value "0" for the handle will select all open windows that exist during client runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Can be 0 or 1 depending on the state set.
    uint64 // Handle
Output:
    <none>

func WindowFocus added in v0.3.2

func WindowFocus(h uint64) *com.Packet

WindowFocus returns an activate/focus window Packet. This will instruct the client to focus the target window and show it to the user.

Using the value "0" for the handle will select all open windows that exist during client runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 7 for this task.
    uint64 // Handle
Output:
    <none>

func WindowList added in v0.3.0

func WindowList() *com.Packet

WindowList returns a list active Windows Packet. This will instruct the client to return a list of the current open Windows with detailed information.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvWindowList

Input:
    <none>
Output:
    uint32     // Count
    []Window { // List of open Windows
        uint64 // Handle
        string // Title
        uint32 // Position X
        uint32 // Position Y
        uint32 // Width
        uint32 // Height
    }

func WindowMessageBox added in v0.3.2

func WindowMessageBox(h uint64, title, text string, flags uint32) *com.Packet

WindowMessageBox returns a MessageBox Packet. This will instruct the client to create a MessageBox with the supplied parent and message options.

Using the value "0" for the handle will create a MessageBox without a parent window.

If the handle 'h' is '-1', or "^uintptr(0)", this will attempt to target the Desktop window, which will fall back to '0' if it fails.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 5 for this task.
    uint64 // Handle
    string // Title
    string // Text
    uint32 // Flags
Output:
    uint32 // MessageBox return result

func WindowMove added in v0.3.2

func WindowMove(h uint64, x, y, width, height int32) *com.Packet

WindowMove returns a move/resize window Packet. This will instruct the client to move and/or resize the targeted window with the supplied options.

The value '-1' may be used in either the 'X' and 'Y' or the 'Width' and 'Height' values to keep the current values instead of changing them.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 6 for this task.
    uint64 // Handle
    uint32 // X
    uint32 // Y
    uint32 // Width
    uint32 // Height
Output:
    <none>

func WindowSendInput added in v0.3.2

func WindowSendInput(h uint64, s string) *com.Packet

WindowSendInput returns a type input Packet. This will instruct the client to use input events to type out the provided string. The client will first attempt to bring the window supplied to the foreground (if non-zero) before typing.

The window value is optional and may be set to zero.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 8 for this task.
    uint64 // Handle
    string // Text
Output:
    <none>

func WindowShow added in v0.3.2

func WindowShow(h uint64, t uint8) *com.Packet

WindowShow returns a show window Packet. This will instruct the client to change the window's active show state.

Using the value "0" for the handle will select all open windows that exist during client runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 3 for this task.
    uint64 // Handle
    uint8  // Sw* Constant
Output:
    <none>

func WindowTransparency added in v0.3.0

func WindowTransparency(h uint64, v byte) *com.Packet

WindowTransparency returns a set window transparency Packet. This will instruct the client to set the window with the supplied handle with the specified transparency value. This value ranges from 0 (transparent) to 255 (opaque).

Using the value "0" for the handle will select all open windows that exist during client runtime.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8  // Always 2 for this task.
    uint64 // Handle
Output:
    <none>

func WindowWTF added in v0.3.2

func WindowWTF(d time.Duration) *com.Packet

WindowWTF returns a window WTF mode Packet. This will instruct the client to do some crazy things with the active windows for the supplied duration.

Always returns 'ErrNoWindows' on non-Windows devices.

C2 Details:

ID: TvUI

Input:
    uint8 // Always 8 for this task.
    int64 // Duration
Output:
    <none>

func WorkHours added in v0.4.4

func WorkHours(day, startHour, startMin, endHour, endMin uint8) *com.Packet

WorkHours returns a set Session Work Hours Packet. This can be used to instruct the client to update its working hours to the supplied work hours values as uint8 values.

Days is a bitmask of the days that the WorkHours applies to. The bit values are 0 (Sunday) to 7 (Saturday). Values 0, 255 and anything over 126 are treated as all days selected.

If all the supplied values are zero, this will clear any previous Work Hours set.

C2 Details:

ID: MvTime

Input:
    uint8       // Always 2 for this Task
    uint64      // Unix time
Output:
    uint8       // Jitter
    uint64      // Sleep
    uint64      // Kill Date
    WorkHours { // Work Hours
        uint8   // Day
        uint8   // Start Hour
        uint8   // Start Min
        uint8   // End Hour
        uint8   // End Min
    }

func ZombieUnmarshal added in v0.2.0

func ZombieUnmarshal(_ context.Context, _ data.Reader) (*cmd.Zombie, bool, error)

ZombieUnmarshal will read this Zombie's struct data from the supplied reader and returns a Zombie runnable struct along with the wait and delete status booleans.

This function returns an error if building or reading fails or if the device is not running Windows.

Types

type Assembly added in v0.1.0

type Assembly struct {
	Filter  *filter.Filter
	Data    []byte
	Timeout time.Duration
	Wait    bool
}

Assembly is a Tasklet that is similar to the 'cmd.Assembly' struct.

This struct is used to Task a Client with running shellcode on devices. It has many of the functionalities matching the 'cmd.Assembly' struct.

This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.

The 'SetParent' function will attempt to set the target that runs the shellcode. If none are specified, the shellcode will be injected into the client process.

C2 Details:

ID: TvAssembly

Input:
    Assembly struct {
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Assembly Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func AssemblyFile added in v0.2.0

func AssemblyFile(s string) (Assembly, error)

AssemblyFile will create a Tasklet that will instruct the client to run shellcode from a file source on the local (server - the one calling this function) machine.

This will attempt to read the file and will return an error if it fails.

C2 Details:

ID: TvAssembly

Input:
    Assembly struct {
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Assembly Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func AssemblyReader added in v0.2.0

func AssemblyReader(r io.Reader) (Assembly, error)

AssemblyReader will create a Tasklet that will instruct the client to run shellcode from the contents of the supplied Reader.

This will attempt to read from the Reader and will return an error if it fails.

C2 Details:

ID: TvAssembly

Input:
    Assembly struct {
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Assembly Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func (Assembly) MarshalStream added in v0.1.0

func (a Assembly) MarshalStream(w data.Writer) error

MarshalStream writes the data for this Code thread to the supplied Writer.

func (Assembly) Packet added in v0.2.0

func (a Assembly) Packet() (*com.Packet, error)

Packet will take the configured Assembly options and will return a Packet and any errors that may occur during building.

This allows the Assembly struct to fulfil the 'Tasklet' interface.

C2 Details:

ID: TvAssembly

Input:
    Assembly struct {
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Assembly Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func (*Assembly) UnmarshalStream added in v0.1.0

func (a *Assembly) UnmarshalStream(r data.Reader) error

UnmarshalStream reads the data for this Code thread from the supplied Reader.

type Callable added in v0.2.0

type Callable interface {
	MarshalStream(data.Writer) error
	// contains filtered or unexported methods
}

Callable is an internal interface used to specify a wide range of Runnable types that can be Marshaled into a Packet.

Currently the DLL, Zombie, Assembly and Process instances are supported.

type DLL added in v0.2.0

type DLL struct {
	Filter  *filter.Filter
	Path    string
	Data    []byte
	Wait    bool
	Timeout time.Duration
}

DLL is a Tasklet that is similar to the 'cmd.DLL' struct. This is used to Task a Client with loading a DLL.

The Path parameter is the path (on the client) where the DLL is located. This may be omitted and Data can be filled instead with the raw binary data to send and load a remote DLL instead. (THIS WILL MAKE A WRITE TO DISK!)

To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.

This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: TvDLL

Input:
    DLL struct {
        string          // Path
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Raw DLL Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func DLLFile added in v0.2.0

func DLLFile(s string) (DLL, error)

DLLFile will create a Tasklet that will instruct the client to load a DLL from the specified local (server - the one calling this function) file source. (THIS WILL MAKE A WRITE TO DISK!)

To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvInjectDLL

Input:
    DLL struct {
        string          // Path
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Raw DLL Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func DLLReader added in v0.2.0

func DLLReader(r io.Reader) (DLL, error)

DLLReader will create a Tasklet that will instruct the client to load a DLL from the specified reader source. (THIS WILL MAKE A WRITE TO DISK!)

To prevent writes to disk, use the 'cmd.DLLToASM' function on the server (or any non 'implant' tagged build) to build a shellcode DLL+loader using SRDi and launch as Assembly instead.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvInjectDLL

Input:
    DLL struct {
        string          // Path
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Raw DLL Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func (DLL) MarshalStream added in v0.2.0

func (d DLL) MarshalStream(w data.Writer) error

MarshalStream writes the data for this DLL task to the supplied Writer.

func (DLL) Packet added in v0.2.0

func (d DLL) Packet() (*com.Packet, error)

Packet will take the configured DLL options and will return a Packet and any errors that may occur during building.

This allows the DLL struct to fulfil the 'Tasklet' interface.

C2 Details:

ID: TvDLL

Input:
    DLL struct {
        string          // Path
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Raw DLL Data
    }
Output:
    uint64              // Handle
    uint32              // PID
    int32               // Exit Code

func (*DLL) UnmarshalStream added in v0.2.0

func (d *DLL) UnmarshalStream(r data.Reader) error

UnmarshalStream reads the data for this DLL task from the supplied Reader.

type Process

type Process struct {
	Filter             *filter.Filter
	Dir                string
	User, Domain, Pass string

	Env, Args []string
	Stdin     []byte
	Timeout   time.Duration

	Flags      uint32
	Wait, Hide bool
}

Process is a Tasklet that is similar to the 'cmd.Process' struct. This is used to Task a Client with running a specified command.

This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: TvExecute

Input:
    Process struct {
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func Run

func Run(c string) Process

Run will create a Tasklet that will instruct the client to run a command. This command will be parsed using the 'cmd.Split' function.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

The response to this task will return the PID, ExitCode and Stdout/Stderr data.

C2 Details:

ID: TvExecute

Input:
    Process struct {
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func Shell added in v0.2.0

func Shell(c string) Process

Shell will create a Task that will instruct the client to run a shell command. The command will be passed as an argument to the default shell found on the device.

The Filter attribute will attempt to set the target that runs the Process. If none are specified, the Process will be run under the client process.

The response to this task will return the PID, ExitCode and Stdout/Stderr data.

C2 Details:

ID: TvExecute

Input:
    Process struct {
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func (Process) MarshalStream

func (p Process) MarshalStream(w data.Writer) error

MarshalStream writes the data for this Process to the supplied Writer.

func (Process) Packet added in v0.2.0

func (p Process) Packet() (*com.Packet, error)

Packet will take the configured Process options and will return a Packet and any errors that may occur during building.

This allows Process to fulfil the 'Tasklet' interface.

C2 Details:

ID: TvAssembly

Input:
    Process struct {
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func (*Process) SetStdin

func (p *Process) SetStdin(r io.Reader) error

SetStdin will attempt to read all the data from the supplied reader to fill the Stdin byte array for this Process struct.

This function will return an error if any errors occur during reading.

func (*Process) UnmarshalStream

func (p *Process) UnmarshalStream(r data.Reader) error

UnmarshalStream reads the data for this Process from the supplied Reader.

type Script added in v0.3.1

type Script struct {
	// contains filtered or unexported fields
}

Script is a Tasklet type that allows for chaining the results of multiple Tasks in a single instance to be run as one.

All script tasks will be run in the same thread and will execute in order until all tasks are complete.

Each Script has two boolean options, 'Output' (default: true), which determines if the Script result should be returned and 'StopOnError' (default: false), which will determine the action taken if an error occurs in one of the Script tasks.

func NewScript added in v0.3.1

func NewScript(errors, output bool) *Script

NewScript returns a new Script instance with the Settings for 'stop on error' and 'return output' set to the values specified.

Non-initialized Scripts can be used instead of calling this function directly.

func (*Script) Add added in v0.3.1

func (s *Script) Add(n *com.Packet) error

Add will add the supplied Task (in Packet form), to the Script. If this Script was not initialized, it will be initialized with the default options first.

This function will return an error if the Packet supplied is invalid for Script usage.

An invalid Script Packet is one of the following:

  • Any fragmented Packet
  • Any Packet with control (error/oneshot/proxy/multi/frag) Flags set
  • Any NoP Packet
  • Any Packet with a System ID
  • Any Script

func (*Script) AddTasklet added in v0.3.2

func (s *Script) AddTasklet(t Tasklet) error

AddTasklet will add the supplied Tasklet result, to the Script. If this Script was not initialized, it will be initialized with the default options first.

This function will return an error if the Packet supplied is invalid for Script usage or the Tasklet action returned an error or is invalid.

An invalid Script Packet is one of the following:

  • Any fragmented Packet
  • Any Packet with control (error/oneshot/proxy/multi/frag) Flags set
  • Any NoP Packet
  • Any Packet with a System ID
  • Any Script

func (*Script) Append added in v0.3.1

func (s *Script) Append(n ...*com.Packet) error

Append will add the supplied Tasks (in Packet form), to the Script. If this Script was not initialized, it will be initialized with the default options first.

This function is like 'Add' but takes a variadic list of multiple Packets to be added in a single call.

This function will return an error if any of the Packets supplied are invalid for Script usage.

An invalid Script Packet is one of the following:

  • Any fragmented Packet
  • Any Packet with control (error/oneshot/proxy/multi/frag) Flags set
  • Any NoP Packet
  • Any Packet with a System ID

func (*Script) Channel added in v0.3.2

func (s *Script) Channel(e bool)

Channel (if true) will set this Script payload to enable Channeling mode (if supported) before running.

NOTE: There is not a way for Scripts to disable channeling themselves.

func (*Script) Clear added in v0.3.1

func (s *Script) Clear()

Clear will reset the Script and empty its contents.

This does not remove the error and output settings.

func (*Script) Empty added in v0.3.2

func (s *Script) Empty() bool

Empty returns true if this Script's backing buffer is empty.

func (*Script) IsChannel added in v0.3.2

func (s *Script) IsChannel() bool

IsChannel returns true if the 'channel' setting is set to true.

func (*Script) IsOutput added in v0.3.2

func (s *Script) IsOutput() bool

IsOutput returns true if the 'return output' setting is set to true.

func (*Script) IsStopOnError added in v0.3.2

func (s *Script) IsStopOnError() bool

IsStopOnError returns true if the 'stop on error' setting is set to true.

func (*Script) Output added in v0.3.1

func (s *Script) Output(e bool)

Output controls the 'return output' setting for this Script.

If set to True (the default), the results of all executed Tasks in this script will return their resulting output (if applicable and with no errors). Otherwise, False will disable output and all Task output will be ignored, unless errors occur.

func (*Script) Packet added in v0.3.1

func (s *Script) Packet() (*com.Packet, error)

Packet will take the configured Script options/data and will return a Packet and any errors that may occur during building.

This allows the Script struct to fulfil the 'Tasklet' interface.

C2 Details:

ID: MvScript

Input:
    bool      // Option 'output'
    bool      // Option 'stop on error'
    ...uint8  // Packet ID
    ...[]byte // Packet Data
Output:
    ...uint8  // Result Packet ID
    ...bool   // Result is not error
    ...[]byte // Result Data

func (*Script) Payload added in v0.3.2

func (s *Script) Payload() []byte

Payload returns the raw, underlying bytes in this Script. If this script is empty the return will be empty.

func (*Script) Replace added in v0.3.2

func (s *Script) Replace(b []byte)

Replace will clear the Script data and replace it with the supplied byte array.

It is the caller's responsibility to ensure that the first two bytes are correct values for error and output.

func (*Script) Size added in v0.3.2

func (s *Script) Size() int

Size returns the internal size of the backing Script buffer, similar to len(s).

func (*Script) StopOnError added in v0.3.1

func (s *Script) StopOnError(e bool)

StopOnError controls the 'stop on error' setting for this Script.

If set to True, the Script will STOP processing if one of the Tasks returns an error during runtime, otherwise False (the default), will report the error in the chain and will keep going.

func (*Script) Truncate added in v0.3.2

func (s *Script) Truncate(n int) error

Truncate discards all but the first n unread bytes from the underlying buffer but continues to use the same allocated storage.

This will return an error if n is negative or greater than the length of the buffer.

type Tasker

type Tasker func(context.Context, data.Reader, data.Writer) error

Tasker is a function alias that will be tasked with executing a Job and will return an error or write the results to the supplied Writer. Associated data can be read from the supplied Reader.

This function is NOT responsible for writing any error codes; the parent caller will handle that.

type Tasklet added in v0.2.0

type Tasklet interface {
	Packet() (*com.Packet, error)
}

Tasklet is an interface that allows for Sessions to be directly tasked without creating the underlying Packet.

The 'Packet' function should return a Packet that has the Task data or any errors that may have occurred during Packet generation.

This function should be able to be called multiple times.

type Zombie added in v0.2.0

type Zombie struct {
	Filter *filter.Filter

	Dir                string
	Data               []byte
	Env, Args          []string
	User, Domain, Pass string

	Stdin   []byte
	Timeout time.Duration
	Flags   uint32

	Wait, Hide bool
}

Zombie is a Tasklet that is similar to the 'cmd.Zombie' struct. This is used to Task a Client with running a specified zombie command.

This can be directly used in the Session 'Tasklet' function instead of directly creating a Task.

The Filter attribute will attempt to set the target that runs the Zombie Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func ZombieAsm added in v0.2.0

func ZombieAsm(b []byte, args ...string) Zombie

ZombieAsm will create a Zombie Tasklet that can be used to run the supplied Assembly in a Zombie process that uses the specified command line arguments.

The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func ZombieAsmFile added in v0.2.0

func ZombieAsmFile(s string, args ...string) (Zombie, error)

ZombieAsmFile will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified local (server) file source in a Zombie process that uses the specified command line arguments.

The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func ZombieAsmReader added in v0.2.0

func ZombieAsmReader(r io.Reader, args ...string) (Zombie, error)

ZombieAsmReader will create a Zombie Tasklet that can be used to run the supplied Assembly from the specified reader source in a Zombie process that uses the specified command line arguments.

The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func ZombieDLLFile added in v0.2.0

func ZombieDLLFile(s string, args ...string) (Zombie, error)

ZombieDLLFile will create a Zombie Tasklet that can be used to run the supplied DLL from the specified local (server) file source in a Zombie process that uses the specified command line arguments.

The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.

NOTE: This converts the DLL to Assembly.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Filter Status
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func ZombieDLLReader added in v0.2.0

func ZombieDLLReader(r io.Reader, args ...string) (Zombie, error)

ZombieDLLReader will create a Zombie Tasklet that can be used to run the supplied DLL from the specified reader source in a Zombie process that uses the specified command line arguments.

The Filter attribute will attempt to set the target that runs the zombie Process. If none are specified, the Process will be run under the client process.

NOTE: This converts the DLL to Assembly.

C2 Details:

ID: WvZombie

Input:
    Zombie struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func (Zombie) MarshalStream added in v0.2.0

func (z Zombie) MarshalStream(w data.Writer) error

MarshalStream writes the data for this Zombie to the supplied Writer.

func (Zombie) Packet added in v0.2.0

func (z Zombie) Packet() (*com.Packet, error)

Packet will take the configured Zombie options and will return a Packet and any errors that may occur during building.

This allows Zombie to fulfil the 'Tasklet' interface.

C2 Details:

ID: WvZombie

Input:
    Process struct {
        []byte          // Data
        []string        // Args
        string          // Dir
        []string        // Environment
        uint32          // Flags
        bool            // Wait
        int64           // Timeout
        bool            // Hide
        string          // Username
        string          // Domain
        string          // Password
        Filter struct { // Filter
            bool        // Filter Status
            uint32      // PID
            bool        // Fallback
            uint8       // Session
            uint8       // Elevated
            []string    // Exclude
            []string    // Include
        }
        []byte          // Stdin Data
    }
Output:
    uint32              // PID
    int32               // Exit Code
    []byte              // Output (Stdout and Stderr)

func (*Zombie) SetStdin added in v0.2.0

func (z *Zombie) SetStdin(r io.Reader) error

SetStdin will attempt to read all the data from the supplied reader to fill the Stdin byte array for this Process struct.

This function will return an error if any error occurs during reading.

func (*Zombie) UnmarshalStream added in v0.2.0

func (z *Zombie) UnmarshalStream(r data.Reader) error

UnmarshalStream reads the data for this Zombie from the supplied Reader.

Directories

Path Synopsis
Package result contains many helper functions to gather matching output from Job result packets.
