New tasks!
Bugfixes galore!
HEADS UP! THIS VERSION IS **INCOMPATIBLE** WITH OLDER VERSIONS FROM A NETWORKING STANDPOINT!
The cause is the new KeyPair Sync mechanism. Currently running implants built with "nokeyset" will still operate normally.
c2:
- New Frag Group expiration timeouts.
  - Frag groups now expire and no longer stay forever if no updates are received.
- ECDH key sync!
  - Packet data keys are now synced using a server-based Public/Private keypair.
  - Enables the 'TrustedKey' support.
  - 'c2.Server' now has a new 'Keys' attribute that can be used to specify the key material for the server. THIS MUST BE DONE BEFORE ANY LISTENERS ARE CREATED.
- Sessions using Channel Mode now set the ReadDeadlines in the same cadence as the WriteDeadlines, allowing for smoother operation and assisting with detecting socket closures.
c2/cfg:
- Added the 'cfg.TrustedKey' Setting, which can be used multiple times to limit the Servers that the client should connect to.
  - This can also take the hash of a Key.
- Updated 'Profile.KillDate()' to no longer use a '*time.Time' value and instead return 'time.Time, bool'. The boolean is true only when the KillDate is being set (or unset, if the 'time.Time' value is zero).
- Added the 'Profile.TrustedKey(data.PublicKey) bool' method, which can be used to verify whether a PublicKey is trusted.
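The two entries above describe a trust model rather than an API, so here is a stand-alone illustration of it: a server holds a long-lived X25519 keypair, the client pins the server either by its raw public key or by the SHA-256 hash of that key, refuses any server that is not pinned, and both sides derive the same packet key through ECDH. This is an added example written for these notes; it is not code from the project, the `TrustedKeys`, `ClientSync` and `ServerSync` names are hypothetical, and the choice of X25519 with a SHA-256 fingerprint and "empty pin list means unrestricted" are assumptions, not the project's documented semantics.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint returns the SHA-256 hash of a raw public key. A pin list can hold
// either the raw key or this hash; both resolve to the same fingerprint.
func Fingerprint(pub []byte) [32]byte {
	return sha256.Sum256(pub)
}

// TrustedKeys is a hypothetical stand-in for a "TrustedKey" setting that may be
// given several times: each entry limits which server keys a client accepts.
// An empty list means no restriction (an assumption made for this example).
type TrustedKeys struct {
	fp map[[32]byte]struct{}
}

func NewTrustedKeys() *TrustedKeys {
	return &TrustedKeys{fp: make(map[[32]byte]struct{})}
}

// AddKey pins a server by its raw public key bytes.
func (t *TrustedKeys) AddKey(pub []byte) { t.fp[Fingerprint(pub)] = struct{}{} }

// AddHash pins a server by the SHA-256 hash of its public key, so a
// configuration can carry the fingerprint without the key itself.
func (t *TrustedKeys) AddHash(h [32]byte) { t.fp[h] = struct{}{} }

// Trusted reports whether the given public key is on the pin list.
func (t *TrustedKeys) Trusted(pub []byte) bool {
	if len(t.fp) == 0 {
		return true
	}
	_, ok := t.fp[Fingerprint(pub)]
	return ok
}

// GenerateKeyPair creates an X25519 keypair: long-lived material on the server
// (which must exist before listeners start), a fresh ephemeral key on the client.
func GenerateKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveSecret runs the ECDH agreement and hashes the result so both sides end
// up with the same 32-byte packet key.
func deriveSecret(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

// ClientSync is the client half: refuse any server whose key is not pinned,
// otherwise generate an ephemeral key, hand its public part to the server and
// derive the packet key.
func ClientSync(trusted *TrustedKeys, serverPub []byte) (clientPub, secret []byte, err error) {
	if !trusted.Trusted(serverPub) {
		return nil, nil, errors.New("server public key is not trusted")
	}
	eph, err := GenerateKeyPair()
	if err != nil {
		return nil, nil, err
	}
	secret, err = deriveSecret(eph, serverPub)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), secret, nil
}

// ServerSync is the server half: derive the same packet key from the client's
// ephemeral public key and the server's long-lived private key.
func ServerSync(serverPriv *ecdh.PrivateKey, clientPub []byte) ([]byte, error) {
	return deriveSecret(serverPriv, clientPub)
}

func main() {
	server, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	pins := NewTrustedKeys()
	pins.AddHash(Fingerprint(server.PublicKey().Bytes())) // pin by hash only

	cpub, csec, err := ClientSync(pins, server.PublicKey().Bytes())
	if err != nil {
		panic(err)
	}
	ssec, err := ServerSync(server, cpub)
	if err != nil {
		panic(err)
	}
	fmt.Println("packet keys match:", hex.EncodeToString(csec) == hex.EncodeToString(ssec))

	rogue, _ := GenerateKeyPair() // a server whose key was never pinned
	_, _, err = ClientSync(pins, rogue.PublicKey().Bytes())
	fmt.Println("unpinned server rejected:", err != nil)
}
```

The pin check runs before any key agreement, which is the property that matters: a client with a populated pin list never derives a session key for a server it does not recognise, and pinning by hash lets the fingerprint live in configuration without the key bytes. It also explains the compatibility warning at the top of these notes, since a peer that does not speak the key sync cannot produce a packet key the other side agrees with.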
c2/task:
- New Whoami task!
  - Returns the real-time Username and the running Process path.
- Updated Pull to allow redirecting downloads to the Server instead.
  - Use an empty destination path to redirect the download.
  - "c2/task/result" was updated for the new results.
- Bugfix for PullExecute (DEX) where Stdout/Stderr were cut off by 8 bytes.
- Bugfix for Pull where the downloaded file Handle wasn't closed.
c2/task/result:
- Support for the new Whoami task.
- Updated the "Pull" function, which now returns an additional 'io.Reader' that is non-nil if the results were returned instead of written to the local filesystem.
cmd:
- Bugfix for 'os.Pipe()' in older Windows (<7) versions that prevented output from being read.
- Bugfix to prevent closing an invalid parent Handle with detached/released Assembly threads.
- Bugfix to ensure that Zombie Thread Handles are closed on detach/release.
- Bugfix to allow exit codes to be properly returned instead of the default exit code "4919".
com:
- Added ListenContext support for older Golang versions.
- Fixed a bunch of UDP handling bugs.
  - Fixed the "long hang" UDP read bug.
  - Fixed the "bad read" UDP bug.
com/limits:
- Updated the signal handling code for older Golang versions to properly defer, to prevent deadlocks.
com/wc2:
- Updated to not use reflect calls to get the raw 'net.Conn'.
- Updated some init function names to create 'wc2.Server' and 'wc2.Client'.
  - This makes the 'wc2.Client' zero value usable.
data:
- Added some pre-"fs" package function calls for compatibility.
  - If Golang is >1.14 then they are just redirects to the respective functions.
- Refactored and updated the 'data.Chunk' code to be twice as efficient and perform fewer allocations when being used.
- Added the (Windows Only) "Heap Backed" 'data.Chunk' that uses the Windows Heap and is managed manually, so it can allocate memory without bothering the runtime. The "heap" build tag can be used to enable this on Windows.
- Added the new 'data.KeyPair' struct that can be used to manage an ECDH keyset.
  - Added the 'data.PrivateKey', 'data.PublicKey' and 'data.SharedSecret' aliases for raw key data. These can be used to print signatures of the keys.
device:
- Resolved some of the 'unsafe.Sizeof' calls to static values where appropriate.
- Bugfix for a fat-finger issue that caused all file entries passed to "device.DumpProcess" to error.
device/local:
- Updated to use the new 'device/unix' package.
- Updated all "fs" package functions to use their 'data' counterparts instead.
device/tags:
- Bugfix to properly indicate when the memory manager is enabled.
- Added a tag for the new Heap 'data.Chunk'.
device/winapi:
- Resolved some of the 'unsafe.Sizeof' calls to static values where appropriate.
- Bugfix to prevent a DLL load bug where err == nil but the Handle was still zero and was not actually loaded.
- Updated "winapi.CheckFunction()" with x64 and new x86 ASM instructions for Syscall detection.
- Added a version gate to "PatchASMI" (>= 10) and "PatchETW" (>= Vista).
- Bugfix for 'winapi.KillRuntime' to address issues when 'Access Denied' is raised when querying our own threads for their status.
- Updated 'Nt*' error messages to be formatted correctly and drop the "{}".
- Bugfix to correct the Windows PEB struct layout on 32bit.
- Bugfix for older WOW processing not detecting that it was running in 32bit mode.
- Bugfix to prevent "winapi.CheckDebugWithLoad()" in Windows from erroneously returning true when loading WOW64 DLLs that do not exist.
- Bugfix for 'GetLogicalDrives' that fixes a C0000005 error on 32bit systems.
device/unix:
- New "device/unix" package to query device details for *nix machines without relying on the "golang.org/x/sys" package.
man:
- Bugfix to fix the Windows Event SecurityAttributes struct size mismatch.
tools:
- Updated "test.sh" script with better formatting.
- Added a check to "header_check.py" to look for matching older (+build) build tags.
util:
- Added the "Uitoa" and "Itoa" functions from the Golang "internal/itoa" package for alloc-less int-to-string conversions.
  - These functions replaced many calls to 'strconv.FormatUint'/'strconv.FormatInt' when using base 10.
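To show what "alloc-less" means here, the following is an added example (my own, not the project's code nor the Go standard library's `internal/itoa`, which this is modelled on): digits are written from the right end of a fixed-size stack buffer, so the only allocation is the returned string itself, and the signed variant handles the most negative int64 without overflow.

```go
package main

import "fmt"

// Uitoa converts an unsigned integer to its base-10 string using a fixed-size
// stack buffer filled from the right; the only heap allocation is the
// returned string, which strconv.FormatUint cannot avoid either.
func Uitoa(v uint64) string {
	var buf [20]byte // 2^64-1 has 20 decimal digits
	if v == 0 {
		return "0"
	}
	i := len(buf)
	for v > 0 {
		i--
		buf[i] = byte('0' + v%10)
		v /= 10
	}
	return string(buf[i:])
}

// Itoa handles the sign and delegates to Uitoa. Negating the unsigned
// conversion (-uint64(v)) yields |v| for every negative v, including the
// minimum int64, where -v in signed arithmetic would wrap.
func Itoa(v int64) string {
	if v < 0 {
		return "-" + Uitoa(-uint64(v))
	}
	return Uitoa(uint64(v))
}

func main() {
	fmt.Println(Uitoa(0), Uitoa(4919), Itoa(-42), Itoa(-9223372036854775808))
}
```

The same pattern is why such helpers show up in hot paths like packet encoding: with the digit count bounded in advance, no growable buffer or formatting state is needed.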
Backwards Compatibility Issues (these do **NOT** affect any > go1.10 versions):
- Xp
  - Lacks the "CreateProcessWithTokenW" function, so any Processes created while impersonating a user will fail. _(This does NOT affect Server 2003 WTF?)_
    - Xp devices that are currently impersonating a Token will instead NOT drop the current Token and will call "CreateProcess" normally.
- Xp <= SP2
  - Lacks the "WinHttpGetDefaultProxyConfiguration" function, which will disable automatic HTTP Proxy detection.
- Xp and Server 2003
  - Lacks the "RegDeleteTree" function, so deleting non-empty Keys may fail.
  - The concept of Token "Integrity" does not exist, and users that are in the "Administrators" group are considered elevated.
    - This applies to "filter.Filter.Elevated" also!
    - Per the previous entry, the "Untrust" helper will NOT set the Token Integrity _(since it doesn't exist!)_, but it will STILL remove Token permissions.
  - Setting the parent process will **NOT** work. _(The API calls do not exist!)_
  - NtCreateThreadEx doesn't exist and we fall back to CreateRemoteThread. *shrug*
- Vista, Server 2008 and Older
  - Cannot evade ETW logs as the function calls do not exist.
Backwards Compatibility Issues (these **DO** affect any > go1.10 versions):
- 8 and Older
  - The PROCESS_CREATION_MITIGATION_POLICY flag will NOT be enabled as it's not available until 8.1.
- 8.1, Server 2012 and Older
  - Cannot evade ASMI as it is only present in >= Windows 10.