Initial Agent Looksy

.devcontainer/devcontainer.json

@@ -8,7 +8,7 @@
 			"RUST_VARIANT": "buster",
 			// Options
 			"NODE_VERSION": "lts/*"
-		}
+		},
 	},
 	"runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
 
@@ -37,4 +37,11 @@
 
 	// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
 	// "remoteUser": "vscode"
-}
+
+	// SPEEEEEEED
+	"mounts": [
+		"source=realm-cmd-implants-eldritch-target,target=${containerWorkspaceFolder}/cmd/implants/eldritch/target,type=volume",
+		"source=realm-cmd-implants-eldritch-target,target=${containerWorkspaceFolder}/cmd/implants/imix/target,type=volume",
+		"source=realm-cmd-implants-target,target=${containerWorkspaceFolder}/cmd/implants/target,type=volume"
+	]
+}

.gitignore

@@ -2,10 +2,6 @@
 # will have compiled files and executables
 /target/
 
-# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
-# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
-Cargo.lock
-
 # These are backup files generated by rustfmt
 **/*.rs.bk
 

cmd/implants/.gitignore

@@ -0,0 +1,9 @@
+# Generated by Cargo
+# will have compiled files and executables
+target/
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# Also not an exec create so no Cargo.lock
+/Cargo.lock

cmd/implants/Cargo.toml

@@ -0,0 +1,5 @@
+[workspace]
+members = [
+    "imix",
+    "eldritch"
+]

cmd/implants/contrib/example_config.json

@@ -0,0 +1,47 @@
+{
+  "target_name":"Team 1 - Web",
+  "callback_interval":60000,
+  "callback_jitter":5000,
+  "c2_configs":[
+    {
+      "uri":"http://c2.prn0.realm.pub",
+      "timeout":5,
+      "priority":10,
+      "sticky":false,
+      "failsafe":false
+    },
+    {
+      "uri":"http://c2.frc0.realm.pub",
+      "timeout":5,
+      "priority":10,
+      "sticky":false,
+      "failsafe":false
+    },
+    {
+      "uri":"http://sketchy.realm.pub",
+      "timeout":5,
+      "priority":5,
+      "sticky":true,
+      "failsafe":false
+    },
+    {
+      "uri":"http://secret.realm.pub.com",
+      "timeout":5,
+      "priority":5,
+      "sticky":false,
+      "failsafe":true
+    }
+  ],
+  "service_configs":[
+    {
+      "name":"rsyslog-ng",
+      "description":"Definitely logging",
+      "executable_path":"/usr/sbin/rsyslog-ng"
+    },
+    {
+      "name":"thermald",
+      "description":"careful things don't overheat",
+      "executable_path":"/bin/thermald"
+    }
+  ]
+}

cmd/implants/eldritch/.gitignore

@@ -0,0 +1,9 @@
+# Generated by Cargo
+# will have compiled files and executables
+target/
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# Also not an exec create so no Cargo.lock
+Cargo.lock

cmd/implants/eldritch/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "eldritch"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+starlark = "0.6.0"
+anyhow = "1.0.55"
+derive_more = "0.99.17"

cmd/implants/eldritch/rust-toolchain

@@ -0,0 +1,2 @@
+[toolchain]
+channel = "nightly-2021-11-22"

cmd/implants/eldritch/src/file.rs

@@ -0,0 +1,102 @@
+mod append_impl;
+mod copy_impl;
+mod download_impl;
+mod exists_impl;
+mod hash_impl;
+mod is_dir_impl;
+mod mkdir_impl;
+mod read_impl;
+mod remove_impl;
+mod rename_impl;
+mod replace_all_impl;
+mod replace_impl;
+mod timestomp_impl;
+mod write_impl;
+
+use derive_more::Display;
+
+use starlark::environment::{Methods, MethodsBuilder, MethodsStatic};
+use starlark::values::{StarlarkValue, Value, UnpackValue, ValueLike};
+use starlark::values::none::NoneType;
+use starlark::{starlark_type, starlark_simple_value, starlark_module};
+
+#[derive(Copy, Clone, Debug, PartialEq, Display)]
+#[display(fmt = "FileLibrary")]
+pub struct FileLibrary();
+starlark_simple_value!(FileLibrary);
+
+impl<'v> StarlarkValue<'v> for FileLibrary {
+    starlark_type!("file_library");
+
+    fn get_methods(&self) -> Option<&'static Methods> {
+        static RES: MethodsStatic = MethodsStatic::new();
+        RES.methods(methods)
+    }
+}
+
+impl<'v> UnpackValue<'v> for FileLibrary {
+    fn expected() -> String {
+        FileLibrary::get_type_value_static().as_str().to_owned()
+    }
+
+    fn unpack_value(value: Value<'v>) -> Option<Self> {
+        Some(*value.downcast_ref::<FileLibrary>().unwrap())
+    }
+}
+
+// This is where all of the "file.X" impl methods are bound
+#[starlark_module]
+fn methods(builder: &mut MethodsBuilder) {
+    fn append(_this: FileLibrary, path: String, content: String) -> NoneType {
+        append_impl::append(path, content)?;
+        Ok(NoneType{})
+    }
+    fn copy(_this: FileLibrary, src: String, dst: String) -> NoneType {
+        copy_impl::copy(src, dst)?;
+        Ok(NoneType{})
+    }
+    fn download(_this: FileLibrary, uri: String, dst: String) -> NoneType {
+        download_impl::download(uri, dst)?;
+        Ok(NoneType{})
+    }
+    fn exists(_this: FileLibrary, path: String) -> bool {
+        exists_impl::exists(path)
+    }
+    fn hash(_this: FileLibrary, path: String) -> String {
+        hash_impl::hash(path)
+    }
+    fn is_dir(_this: FileLibrary, path: String) -> bool {
+        is_dir_impl::is_dir(path)
+    }
+    fn mkdir(_this: FileLibrary, path: String) -> NoneType {
+        mkdir_impl::mkdir(path)?;
+        Ok(NoneType{})
+    }
+    fn read(_this: FileLibrary, path: String) -> String {
+        read_impl::read(path)
+    }
+    fn remove(_this: FileLibrary, path: String) -> NoneType {
+        remove_impl::remove(path)?;
+        Ok(NoneType{})
+    }
+    fn rename(_this: FileLibrary, old: String, new: String) -> NoneType {
+        rename_impl::rename(old, new)?;
+        Ok(NoneType{})
+    }
+    fn replace_all(_this: FileLibrary, path: String, pattern: String, value: String) -> NoneType {
+        replace_all_impl::replace_all(path, pattern, value)?;
+        Ok(NoneType{})
+    }
+    fn replace(_this: FileLibrary, path: String, pattern: String, value: String) -> NoneType {
+        replace_impl::replace(path, pattern, value)?;
+        Ok(NoneType{})
+    }
+    fn timestomp(_this: FileLibrary, src: String, dst: String) -> NoneType {
+        timestomp_impl::timestomp(src, dst)?;
+        Ok(NoneType{})
+    }
+    fn write(_this: FileLibrary, path: String, content: String) -> NoneType {
+        write_impl::write(path, content)?;
+        Ok(NoneType{})
+    }
+}

cmd/implants/eldritch/src/file/append_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn append(_path: String, _content: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/copy_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn copy(_src: String, _dst: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/download_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn download(_uri: String, _dst: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/exists_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn exists(_path: String) -> Result<bool> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/hash_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn hash(_path: String) -> Result<String> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/is_dir_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn is_dir(_path: String) -> Result<bool> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/mkdir_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn mkdir(_path: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/read_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn read(_path: String) -> Result<String> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/remove_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn remove(_path: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/rename_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn rename(_old: String, _new: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/replace_all_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn replace_all(_path: String, _pattern: String, _value: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/replace_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn replace(_path: String, _pattern: String, _value: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/timestomp_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn timestomp(_src: String, _dst: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/file/write_impl.rs

@@ -0,0 +1,5 @@
+use anyhow::Result;
+
+pub fn write(_path: String, _content: String) -> Result<()> {
+    unimplemented!("Method unimplemented")
+}

cmd/implants/eldritch/src/lib.rs

@@ -0,0 +1,35 @@
+mod file;
+mod process;
+mod sys;
+
+#[cfg(test)]
+mod tests {
+    use starlark::environment::{GlobalsBuilder};
+    use starlark::{starlark_module};
+    use starlark::assert::Assert;
+
+    use super::file::FileLibrary;
+    use super::process::ProcessLibrary;
+    use super::sys::SysLibrary;
+
+    // just checks dir...
+    #[test]
+    fn test_library_bindings() {
+        #[starlark_module]
+        fn globals(builder: &mut GlobalsBuilder) {
+            const file: FileLibrary = FileLibrary();
+            const process: ProcessLibrary = ProcessLibrary();
+            const sys: SysLibrary = SysLibrary();
+        }
+
+        let mut a = Assert::new();
+        a.globals_add(globals);
+        a.all_true(
+            r#"
+dir(file) == ["append", "copy", "download", "exists", "hash", "is_dir", "mkdir", "read", "remove", "rename", "replace", "replace_all", "timestomp", "write"]
+dir(process) == ["kill", "list", "name"]
+dir(sys) == ["exec", "is_linux", "is_windows", "shell"]
+"#,
+        );
+    }
+}