Documentation
¶
Index ¶
- type Boolean
- type CodeSigner
- type CommaSeparatedList
- type DNSBeacon
- type Data
- type Function
- type HTTPBeacon
- type HTTPConfig
- type HTTPGet
- type HTTPGetClient
- type HTTPPost
- type HTTPPostClient
- type HTTPSCertificate
- type HTTPServer
- type HTTPStager
- type HTTPStagerClient
- type Header
- type Parameter
- type PostEx
- type ProcessInject
- type Profile
- type SpaceSeparatedList
- type Stage
- type String
- type StringW
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Boolean ¶
// Boolean is a bool-backed type. Struct fields of this type in the package
// are filled from a quoted string token (`@String` in their parser tags)
// rather than from the mere presence of a keyword.
type Boolean bool
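NOTE: created because github.com/alecthomas/participle/v2 sets a plain bool field to true whenever its pattern matches, regardless of the matched text, so an option written as "false" would otherwise be read as true.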
type CodeSigner ¶
// CodeSigner maps the body of a profile's code-signer block. Its parser tags
// form one repeated alternation, so the listed `set` options may appear in any
// order.
type CodeSigner struct {
// Keystore and Password are captured verbatim from the profile text, so the
// parsed value holds the keystore password in clear text.
// NOTE(review): this type also has a String method whose body is not shown
// here; if it re-emits Password, keep stringified profiles out of logs and
// tickets — confirm against the implementation.
Keystore string `parser:"( \"set\" \"keystore\" @String \";\""`
Password string `parser:"| \"set\" \"password\" @String \";\""`
Alias string `parser:"| \"set\" \"alias\" @String \";\""`
DigestAlgorithm string `parser:"| \"set\" \"digest_algorithm\" @String \";\""`
// Timestamp is a Boolean filled from a quoted string token, not a bare keyword.
Timestamp Boolean `parser:"| \"set\" \"timestamp\" @String \";\""`
TimestampURL string `parser:"| \"set\" \"timestamp_url\" @String \";\" )*"`
}
func (CodeSigner) String ¶
func (b CodeSigner) String() string
type CommaSeparatedList ¶
// CommaSeparatedList is a string slice with its own Capture and String
// methods, used for options whose single quoted value holds several
// comma-separated entries.
type CommaSeparatedList []string
NOTE: default comma-separated string list parser and stringer, e.g. curl*,lynx*,wget*.
func (*CommaSeparatedList) Capture ¶
func (l *CommaSeparatedList) Capture(values []string) error
func (CommaSeparatedList) String ¶
func (l CommaSeparatedList) String() string
type DNSBeacon ¶
// DNSBeacon maps one dns-beacon block: an optional quoted name, an opening
// brace, any number of `set` options in any order, and the closing brace.
type DNSBeacon struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
DNSIdle string `parser:"( \"set\" \"dns_idle\" @String \";\""`
// The int fields below are captured from a quoted string token.
// NOTE(review): presumably participle converts the text and rejects
// non-numeric values at parse time — confirm before relying on it for
// profiles from an untrusted source.
DNSMaxTXT int `parser:"| \"set\" \"dns_max_txt\" @String \";\""`
DNSSleep int `parser:"| \"set\" \"dns_sleep\" @String \";\""`
DNSTTL int `parser:"| \"set\" \"dns_ttl\" @String \";\""`
MaxDNS int `parser:"| \"set\" \"maxdns\" @String \";\""`
// NOTE(review): judging by the option names, the stager and record-type
// values below are the DNS label strings a recovered profile exposes for
// comparison with resolver logs — confirm against the profile format docs.
DNSStagerPrepend string `parser:"| \"set\" \"dns_stager_prepend\" @String \";\""`
DNSStagerSubhost string `parser:"| \"set\" \"dns_stager_subhost\" @String \";\""`
Beacon string `parser:"| \"set\" \"beacon\" @String \";\""`
GetA string `parser:"| \"set\" \"get_A\" @String \";\""`
GetAAAA string `parser:"| \"set\" \"get_AAAA\" @String \";\""`
GetTXT string `parser:"| \"set\" \"get_TXT\" @String \";\""`
PutMetadata string `parser:"| \"set\" \"put_metadata\" @String \";\""`
PutOutput string `parser:"| \"set\" \"put_output\" @String \";\""`
// The last tag closes the alternation and consumes the block's closing brace.
NSResponse string `parser:"| \"set\" \"ns_response\" @String \";\")* \"}\""`
}
type Function ¶
NOTE: parser and stringer for function sequences, e.g. http-get output, transforms in post-ex, etc.
type HTTPBeacon ¶ added in v1.1.0
// HTTPBeacon maps one http-beacon block: an optional quoted name followed by
// a braced body whose only recognised option is `set library "<value>";`.
type HTTPBeacon struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
// Library's tag also closes the repetition and consumes the closing brace.
Library string `parser:"( \"set\" \"library\" @String \";\")* \"}\""`
}
func (HTTPBeacon) String ¶ added in v1.1.0
func (b HTTPBeacon) String() string
type HTTPConfig ¶
// HTTPConfig maps the body of the http-config block: `set` options and
// `header` entries in any order.
type HTTPConfig struct {
// HeadersOrder is filled from `set headers "<list>";`, while Headers collects
// each separate `header ... ;` entry.
HeadersOrder CommaSeparatedList `parser:"( \"set\" \"headers\" @String \";\""`
Headers []Header `parser:"| \"header\" @@ \";\""`
// NOTE(review): the option name suggests the server side honours a
// client-supplied X-Forwarded-For header when this is true — confirm against
// the profile format docs.
TrustXForwardedFor Boolean `parser:"| \"set\" \"trust_x_forwarded_for\" @String \";\""`
// Block/allow lists of user-agent patterns, each given as one quoted
// comma-separated value.
BlockUserAgents CommaSeparatedList `parser:"| \"set\" \"block_useragents\" @String \";\""`
AllowUserAgents CommaSeparatedList `parser:"| \"set\" \"allow_useragents\" @String \";\")*"`
}
func (HTTPConfig) String ¶
func (b HTTPConfig) String() string
type HTTPGet ¶
// HTTPGet maps one http-get block: an optional quoted name, then a braced
// body holding `set` options and nested client and server blocks.
type HTTPGet struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
// NOTE(review): Verb and URI look like the request-line values the profile
// configures, which makes them natural fields to compare with proxy logs
// when a profile is recovered — inferred from the option names.
Verb string `parser:"( \"set\" \"verb\" @String \";\""`
URI SpaceSeparatedList `parser:"| \"set\" \"uri\" @String \";\""`
// Client and Server are nested structs parsed between their own braces.
Client HTTPGetClient `parser:"| \"client\" \"{\" @@ \"}\""`
Server HTTPServer `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}
type HTTPGetClient ¶
// HTTPGetClient maps the body of the client block inside http-get: header and
// parameter entries plus a braced metadata function sequence, in any order.
type HTTPGetClient struct {
Headers []Header `parser:"( \"header\" @@ \";\""`
Parameters []Parameter `parser:"| \"parameter\" @@ \";\""`
// Metadata collects zero or more Function entries between the braces.
Metadata []Function `parser:"| \"metadata\" \"{\" @@* \"}\" )*"`
}
func (HTTPGetClient) String ¶
func (b HTTPGetClient) String() string
type HTTPPost ¶
// HTTPPost maps one http-post block: an optional quoted name, then a braced
// body holding `set` options and nested client and server blocks.
type HTTPPost struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
// NOTE(review): Verb and URI look like the request-line values the profile
// configures, which makes them natural fields to compare with proxy logs
// when a profile is recovered — inferred from the option names.
Verb string `parser:"( \"set\" \"verb\" @String \";\""`
URI SpaceSeparatedList `parser:"| \"set\" \"uri\" @String \";\""`
// Client and Server are nested structs parsed between their own braces.
Client HTTPPostClient `parser:"| \"client\" \"{\" @@ \"}\""`
Server HTTPServer `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}
type HTTPPostClient ¶
// HTTPPostClient maps the body of the client block inside http-post: header
// and parameter entries plus braced output and id function sequences, in any
// order.
type HTTPPostClient struct {
Headers []Header `parser:"( \"header\" @@ \";\""`
Parameters []Parameter `parser:"| \"parameter\" @@ \";\""`
// Output and ID each collect zero or more Function entries between braces.
Output []Function `parser:"| \"output\" \"{\" @@* \"}\""`
ID []Function `parser:"| \"id\" \"{\" @@* \"}\" )*"`
}
func (HTTPPostClient) String ¶
func (b HTTPPostClient) String() string
type HTTPSCertificate ¶
// HTTPSCertificate maps one https-certificate block: an optional quoted name
// and a braced body of `set` options in any order.
type HTTPSCertificate struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
// Keystore and Password are captured verbatim from the profile text, so the
// parsed value holds the keystore password in clear text.
// NOTE(review): this type also has a String method whose body is not shown
// here; if it re-emits Password, keep stringified profiles out of logs and
// tickets — confirm against the implementation.
Keystore string `parser:"( \"set\" \"keystore\" @String \";\""`
Password string `parser:"| \"set\" \"password\" @String \";\""`
// NOTE(review): C, CN, L, O, OU and ST look like X.509 subject attributes;
// if so, they can be compared with certificates observed on the wire —
// inferred from the option names.
C string `parser:"| \"set\" \"C\" @String \";\""`
CN string `parser:"| \"set\" \"CN\" @String \";\""`
L string `parser:"| \"set\" \"L\" @String \";\""`
O string `parser:"| \"set\" \"O\" @String \";\""`
OU string `parser:"| \"set\" \"OU\" @String \";\""`
ST string `parser:"| \"set\" \"ST\" @String \";\""`
// Validity is an int captured from a quoted string token; its tag also closes
// the alternation and consumes the closing brace. Units are not stated here.
Validity int `parser:"| \"set\" \"validity\" @String \";\")* \"}\""`
}
func (HTTPSCertificate) String ¶
func (b HTTPSCertificate) String() string
type HTTPServer ¶
// HTTPServer maps the body of a server block: header entries and a braced
// output function sequence, in any order. The http-get, http-post and
// http-stager types all use it for their Server field.
type HTTPServer struct {
Headers []Header `parser:"( \"header\" @@ \";\""`
// Output collects zero or more Function entries between the braces.
Output []Function `parser:"| \"output\" \"{\" @@* \"}\" )*"`
}
func (HTTPServer) String ¶
func (b HTTPServer) String() string
type HTTPStager ¶
// HTTPStager maps one http-stager block: an optional quoted name, then a
// braced body holding per-architecture URI options and nested client and
// server blocks.
type HTTPStager struct {
// Name is optional (`@String?`) and precedes the opening brace.
Name string `parser:"@String? \"{\""`
// NOTE(review): uri_x86 and uri_x64 look like the request paths used for
// staging on each architecture, useful to match against web logs when a
// profile is recovered — inferred from the option names.
URIx86 SpaceSeparatedList `parser:"( \"set\" \"uri_x86\" @String \";\""`
URIx64 SpaceSeparatedList `parser:"| \"set\" \"uri_x64\" @String \";\""`
// Client and Server are nested structs parsed between their own braces.
Client HTTPStagerClient `parser:"| \"client\" \"{\" @@ \"}\""`
Server HTTPServer `parser:"| \"server\" \"{\" @@ \"}\" )* \"}\""`
}
func (HTTPStager) String ¶
func (b HTTPStager) String() string
type HTTPStagerClient ¶
// HTTPStagerClient maps the body of the client block inside http-stager:
// header and parameter entries in any order.
type HTTPStagerClient struct {
Headers []Header `parser:"( \"header\" @@ \";\""`
Parameters []Parameter `parser:"| \"parameter\" @@ \";\" )*"`
}
func (HTTPStagerClient) String ¶
func (b HTTPStagerClient) String() string
type Header ¶
NOTE: key-value type with "header" prefix, used for headers parsing and (mostly) stringer, e.g. header "Accept-Encoding" "gzip, deflate";.
type Parameter ¶
NOTE: key-value type with "parameter" prefix, used for parameters parsing and (mostly) stringer, e.g. parameter "param_name" "param_value";.
type PostEx ¶
// PostEx maps the body of the post-ex block: `set` options and two braced
// transform sequences, in any order.
type PostEx struct {
// NOTE(review): spawnto_x86/spawnto_x64 and pipename look like the process
// path and named-pipe values a recovered profile exposes for endpoint
// detection (process creation and pipe events) — inferred from the option
// names; confirm against the profile format docs.
SpawnToX86 string `parser:"( \"set\" \"spawnto_x86\" @String \";\""`
SpawnToX64 string `parser:"| \"set\" \"spawnto_x64\" @String \";\""`
// Boolean options are filled from a quoted string token, not a bare keyword.
Obfuscate Boolean `parser:"| \"set\" \"obfuscate\" @String \";\""`
SmartInject Boolean `parser:"| \"set\" \"smartinject\" @String \";\""`
// NOTE(review): the name suggests this requests that AMSI be disabled for
// post-exploitation jobs; when true in a recovered profile, script-content
// telemetry from AMSI may be incomplete — inferred, confirm.
AmsiDisable Boolean `parser:"| \"set\" \"amsi_disable\" @String \";\""`
Cleanup Boolean `parser:"| \"set\" \"cleanup\" @String \";\""`
ThreadHint string `parser:"| \"set\" \"thread_hint\" @String \";\""`
PipeName string `parser:"| \"set\" \"pipename\" @String \";\""`
Keylogger string `parser:"| \"set\" \"keylogger\" @String \";\""`
// Each transform block collects zero or more Function entries between braces.
TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\" )*"`
}
type ProcessInject ¶
// ProcessInject maps the body of the process-inject block: `set` options and
// braced transform and execute sequences, in any order.
type ProcessInject struct {
Allocator string `parser:"( \"set\" \"allocator\" @String \";\""`
BOFAllocator string `parser:"| \"set\" \"bof_allocator\" @String \";\""`
BOFReuseMemory Boolean `parser:"| \"set\" \"bof_reuse_memory\" @String \";\""`
// MinAlloc is an int captured from a quoted string token.
MinAlloc int `parser:"| \"set\" \"min_alloc\" @String \";\""`
// NOTE(review): userwx and startrwx look like they describe the page
// permissions of injected memory; read-write-execute regions are a trait
// memory scanners look for, so these values help set expectations when
// triaging a recovered profile — inferred from the option names.
UseRWX Boolean `parser:"| \"set\" \"userwx\" @String \";\""`
StartRWX Boolean `parser:"| \"set\" \"startrwx\" @String \";\""`
// Each block below collects zero or more Function entries between braces.
TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\""`
Execute []Function `parser:"| \"execute\" \"{\" @@* \"}\" )*"`
}
func (ProcessInject) String ¶
func (b ProcessInject) String() string
type Profile ¶
// Profile is the root of a parsed profile: global `set` options plus the
// nested blocks, all inside one repeated alternation. Entries may therefore
// come in any order, and the grammar itself does not stop an option from
// appearing twice.
// NOTE(review): what a second capture does to a scalar field is decided by
// participle, not by these tags — confirm before trusting values parsed from
// a profile you did not write.
type Profile struct {
// Global options, each matched as `set <name> "<value>";`. The int fields are
// captured from a quoted string token.
SampleName string `parser:"( \"set\" \"sample_name\" @String \";\""`
SleepTime int `parser:"| \"set\" \"sleeptime\" @String \";\""`
Jitter int `parser:"| \"set\" \"jitter\" @String \";\""`
UserAgent string `parser:"| \"set\" \"useragent\" @String \";\""`
DataJitter int `parser:"| \"set\" \"data_jitter\" @String \";\""`
HostStage Boolean `parser:"| \"set\" \"host_stage\" @String \";\""`
// NOTE(review): judging by the option names, the pipe names, frame headers,
// TCP port and SSH banner below are host- and network-visible values that a
// recovered profile yields for detection work — confirm against the profile
// format docs.
Pipename string `parser:"| \"set\" \"pipename\" @String \";\""`
PipenameStager string `parser:"| \"set\" \"pipename_stager\" @String \";\""`
SMBFrameHeader string `parser:"| \"set\" \"smb_frame_header\" @String \";\""`
TCPPort int `parser:"| \"set\" \"tcp_port\" @String \";\""`
TCPFrameHeader string `parser:"| \"set\" \"tcp_frame_header\" @String \";\""`
SSHBanner string `parser:"| \"set\" \"ssh_banner\" @String \";\""`
SSHPipename string `parser:"| \"set\" \"ssh_pipename\" @String \";\""`
StealTokenAccessMask int `parser:"| \"set\" \"steal_token_access_mask\" @String \";\""`
TasksMaxSize int `parser:"| \"set\" \"tasks_max_size\" @String \";\""`
TasksProxyMaxSize int `parser:"| \"set\" \"tasks_proxy_max_size\" @String \";\""`
TasksDNSProxyMaxSize int `parser:"| \"set\" \"tasks_dns_proxy_max_size\" @String \";\""`
HeadersRemove CommaSeparatedList `parser:"| \"set\" \"headers_remove\" @String \";\""`
// Repeatable blocks: the keyword is matched here and the nested struct's own
// tags handle the optional name and the braces, so each occurrence appends
// one element.
DNSBeacon []DNSBeacon `parser:"| \"dns-beacon\" @@"`
HTTPBeacon []HTTPBeacon `parser:"| \"http-beacon\" @@"`
HTTPSCertificate []HTTPSCertificate `parser:"| \"https-certificate\" @@"`
// Single-value blocks: the braces are matched by this tag and the nested
// struct describes only the body.
CodeSigner CodeSigner `parser:"| \"code-signer\" \"{\" @@ \"}\""`
HTTPConfig HTTPConfig `parser:"| \"http-config\" \"{\" @@ \"}\""`
// Repeatable blocks, handled like the beacon and certificate blocks above.
HTTPGet []HTTPGet `parser:"| \"http-get\" @@"`
HTTPPost []HTTPPost `parser:"| \"http-post\" @@"`
HTTPStager []HTTPStager `parser:"| \"http-stager\" @@"`
// Single-value blocks with the braces matched by this tag.
Stage Stage `parser:"| \"stage\" \"{\" @@ \"}\""`
ProcessInject ProcessInject `parser:"| \"process-inject\" \"{\" @@ \"}\""`
PostEx PostEx `parser:"| \"post-ex\" \"{\" @@ \"}\" )*"`
}
type SpaceSeparatedList ¶ added in v1.1.0
// SpaceSeparatedList is a string slice with its own Capture and String
// methods, used for options whose single quoted value holds several
// space-separated entries.
type SpaceSeparatedList []string
NOTE: default space-separated string list parser and stringer, e.g. /jquery-3.3.1.min.js /jquery-1.3.3.7.min.js /someotherurl.
func (*SpaceSeparatedList) Capture ¶ added in v1.1.0
func (l *SpaceSeparatedList) Capture(values []string) error
func (SpaceSeparatedList) String ¶ added in v1.1.0
func (l SpaceSeparatedList) String() string
type Stage ¶
// Stage maps the body of the stage block: `set` options, braced transform
// sequences, and data/string/stringw entries, in any order.
type Stage struct {
// The int fields are captured from a quoted string token.
// NOTE(review): checksum, compile_time, entry_point, image_size_*, name and
// rich_header look like PE header values; if so, they are candidate features
// for static or in-memory signatures built from a recovered profile —
// inferred from the option names.
Checksum int `parser:"( \"set\" \"checksum\" @String \";\""`
CompileTime string `parser:"| \"set\" \"compile_time\" @String \";\""`
EntryPoint int `parser:"| \"set\" \"entry_point\" @String \";\""`
ImageSizeX86 int `parser:"| \"set\" \"image_size_x86\" @String \";\""`
ImageSizeX64 int `parser:"| \"set\" \"image_size_x64\" @String \";\""`
Name string `parser:"| \"set\" \"name\" @String \";\""`
RichHeader string `parser:"| \"set\" \"rich_header\" @String \";\""`
// Boolean options are filled from a quoted string token, not a bare keyword.
// NOTE(review): the names suggest these describe the in-memory
// characteristics of the staged payload, which tells an analyst what a
// memory scan should expect to find — inferred, confirm against the profile
// format docs.
UseRWX Boolean `parser:"| \"set\" \"userwx\" @String \";\""`
Cleanup Boolean `parser:"| \"set\" \"cleanup\" @String \";\""`
SleepMask Boolean `parser:"| \"set\" \"sleep_mask\" @String \";\""`
StompPE Boolean `parser:"| \"set\" \"stomppe\" @String \";\""`
Obfuscate Boolean `parser:"| \"set\" \"obfuscate\" @String \";\""`
Allocator string `parser:"| \"set\" \"allocator\" @String \";\""`
MagicMZX86 string `parser:"| \"set\" \"magic_mz_x86\" @String \";\""`
MagicMZX64 string `parser:"| \"set\" \"magic_mz_x64\" @String \";\""`
MagicPE string `parser:"| \"set\" \"magic_pe\" @String \";\""`
SmartInject Boolean `parser:"| \"set\" \"smartinject\" @String \";\""`
ModuleX86 string `parser:"| \"set\" \"module_x86\" @String \";\""`
ModuleX64 string `parser:"| \"set\" \"module_x64\" @String \";\""`
SyscallMethod string `parser:"| \"set\" \"syscall_method\" @String \";\""`
// Each transform block collects zero or more Function entries between braces.
TransformX86 []Function `parser:"| \"transform-x86\" \"{\" @@* \"}\""`
TransformX64 []Function `parser:"| \"transform-x64\" \"{\" @@* \"}\""`
// data, string and stringw entries take a single quoted value and no `set`
// keyword; each occurrence appends one element.
Data []Data `parser:"| \"data\" @String \";\""`
Strings []String `parser:"| \"string\" @String \";\""`
// NOTE(review): the field name looks like a typo for StringsW. It is
// exported, so renaming it would change the package's public API.
SwtringsW []StringW `parser:"| \"stringw\" @String \";\" )*"`
}