jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by linux user
https://infosec.exchange/@jm33
MIT License

Read runtime config: should read directly from memory #89

Closed jm33-m0 closed 2 years ago

jm33-m0 commented 2 years ago

Currently, the emp3r0r agent reads its config info by parsing os.Args[0], which works in most cases. However, os.Args[0] is not always guaranteed to be the (unmodified) agent binary itself; instead, it can be the executable file of the injected process, or some packed agent binary.

https://github.com/jm33-m0/emp3r0r/blob/5a1dcd4e8fc5be35f6e7d4ed96d1b975d9e98d9b/core/lib/agent/config.go#L22

To address this issue, it's better that we read the config data from somewhere reliable; for example, we can wrap the data with our MagicString and append it to stub.exe. When reading the config, we read /proc/self/mem, search for the magic string, then split and extract our config data.
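The marker-delimited layout described above (magic string, payload, magic string, appended after the stub) is a format that both the loader and an analyst inspecting a captured sample need to parse. The following Go program is an added example, not code from the emp3r0r project: it builds such a blob, extracts it from a byte buffer, and reads it back from a file on disk. The marker value and the stub bytes are constructed placeholders. One caveat the example handles: any program that searches its own image for a marker literal will also find that literal in its own read-only data, so the extractor deliberately takes the last pair of marker occurrences, which is where an appended blob ends up, and refuses payloads that themselves contain the marker.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
)

// ErrNoConfig is returned when fewer than two marker occurrences exist in the data.
var ErrNoConfig = errors.New("no marker-delimited config found")

// ExtractMarked returns the bytes enclosed by the LAST two occurrences of magic.
// Using the last pair keeps the scan correct even when the searching program's
// own code section already contains the marker literal once.
func ExtractMarked(data, magic []byte) ([]byte, error) {
	if len(magic) == 0 {
		return nil, errors.New("empty marker")
	}
	end := bytes.LastIndex(data, magic)
	if end < 0 {
		return nil, ErrNoConfig
	}
	start := bytes.LastIndex(data[:end], magic)
	if start < 0 {
		return nil, ErrNoConfig
	}
	return data[start+len(magic) : end], nil
}

// WrapMarked produces magic + payload + magic, the blob a packer would append.
// A payload that itself contains the marker would make extraction ambiguous,
// so it is rejected up front.
func WrapMarked(payload, magic []byte) ([]byte, error) {
	if bytes.Contains(payload, magic) {
		return nil, errors.New("payload contains the marker; cannot be delimited unambiguously")
	}
	out := make([]byte, 0, 2*len(magic)+len(payload))
	out = append(out, magic...)
	out = append(out, payload...)
	out = append(out, magic...)
	return out, nil
}

// ScanFile reads a file from disk and extracts its marked region. This is the
// view an analyst has of a sample: a regular executable with data appended.
func ScanFile(path string, magic []byte) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ExtractMarked(data, magic)
}

func main() {
	// Constructed placeholder marker; a real packer would use its own value.
	magic := []byte("=PLACEHOLDER-MAGIC=")
	// Constructed stub: note that it already contains the marker literal once,
	// exactly as the searching program's own binary would.
	stub := []byte("\x7fELF...fake stub bytes...=PLACEHOLDER-MAGIC=...more code...")
	// Constructed config payload with an obviously non-routable host.
	cfg := []byte(`{"host":"example.invalid","port":443}`)

	blob, err := WrapMarked(cfg, magic)
	if err != nil {
		fmt.Println("wrap failed:", err)
		return
	}
	packed := append(append([]byte{}, stub...), blob...)

	got, err := ExtractMarked(packed, magic)
	fmt.Printf("extracted from memory buffer: %q (err=%v)\n", got, err)

	// Round-trip through a temporary file to show the on-disk view.
	tmp, err := os.CreateTemp("", "packed-*")
	if err != nil {
		fmt.Println("temp file:", err)
		return
	}
	defer os.Remove(tmp.Name())
	_, _ = tmp.Write(packed)
	_ = tmp.Close()
	got, err = ScanFile(tmp.Name(), magic)
	fmt.Printf("extracted from file: %q (err=%v)\n", got, err)
}
```

The extractor works on any byte buffer, so the same function serves a loader reading its own image and a triage script scanning a file; what differs is only where the bytes come from.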

jm33-m0 commented 2 years ago

https://github.com/jm33-m0/emp3r0r/blob/1e1b8380c89effbbdf7d5686147b6666dd1eddfc/core/lib/agent/config.go#L73

This has not been tested yet; I will integrate the packer into C2 and test this function later.

jm33-m0 commented 2 years ago

https://github.com/jm33-m0/emp3r0r/commit/b6a0d7b4d831497e66d46b5d36071e46fb2b6e06

Now supported by the packer.