package ghost.core
Get desktop application:
View/edit binary Protocol Buffers messages
message
filesystem.proto:54cd
uint32 GhostID = 1
string Path = 2
message
filesystem.proto:89string Path = 1
string Encoder = 2
bool Exists = 3
bytes Content = 9
message
filesystem.proto:84download
uint32 GhostID = 1
string Path = 2
message
priv.proto:76bool Success = 1
string Err = 2
message
priv.proto:70elevate
uint32 GhostID = 1
int32 Timeout = 2
message
base.proto:73Environment - Provides the set of Environment variables on a remote host
Used in: ,
uint32 HostID = 1
Maybe a bit of OS info can be useful
string OSName = 2
string OSSp = 3
map<string, string> Vars = 4
Actual variables
message
execute.proto:46string Error = 1
string Result = 2
message
execute.proto:61string Output = 1
string Error = 2
message
execute.proto:52execute-assembly
uint32 GhostID = 1
bytes HostingDLL = 2
bytes Assembly = 3
repeated string Arguments = 4
string Process = 5
int32 Timeout = 6
message
execute.proto:39execute
uint32 GhostID = 1
string Path = 2
repeated string Args = 3
bool output = 4
message
filesystem.proto:35Used in:
string Name = 1
bool IsDir = 2
int64 Size = 3
int32 FileMode = 4
User and permission bits
string ModTime = 5
Last modification timestamp
message
priv.proto:65string Output = 1
message
priv.proto:58getsystem
uint32 GhostID = 1
string HostingProcess = 2
bytes Shellcode = 3
message
net.proto:39repeated NetInterfaces = 1
message
net.proto:35uint32 GhostID = 1
message
priv.proto:44string Err = 1
message
priv.proto:38impersonate
uint32 GhostID = 1
string Username = 2
message
base.proto:28Info - Send back multiple informations to the server at once.
Used in:
string Name = 1
string Username = 3
string UID = 4
string GID = 5
string OS = 6
string Arch = 7
int32 PID = 8
string Filename = 9
string Version = 10
uint32 WorkspaceID = 12
repeated Transports = 14
Available C2 transports
repeated Interfaces = 15
Network
repeated Netstat = 18
Maybe we can use this to automatically devise some better ports to use for routing/etc
repeated Routes = 19
We might send current route listeners, in case.
optional Environment = 20
Environment variables
message
base.proto:65Kill - Sends back status on implant kill
bool Success = 1
string Warning = 2
If force kill, will kill anyway but send a warning instead of an error
string Err = 3
Sends an error if kill was not force and there things still running
message
base.proto:59KillRequest - Kills the ghost executable and connection
uint32 GhostID = 1
bool Force = 2
message
filesystem.proto:29string Path = 1
bool Exists = 2
repeated Files = 3
message
filesystem.proto:24ls
uint32 GhostID = 1
string Path = 2
message
proc.proto:70bool Success = 1
string Err = 2
message
proc.proto:64migrate
uint32 GhostID = 1
int32 PID = 2
bytes Shellcode = 3
message
filesystem.proto:77bool Success = 1
string Path = 2
string Err = 3
message
filesystem.proto:72mkdir
uint32 GhostID = 1
string Path = 2
message
net.proto:27NetInterface - A network interface on the implant's target
Used in: ,
int32 Index = 1
string Name = 2
string MAC = 3
repeated IPAddresses = 4
When server receives them, it parses them into net.IPAddr objects before using them.
message
net.proto:69repeated Entries = 1
message
net.proto:58uint32 GhostID = 9
bool TCP = 1
bool UDP = 2
bool IP4 = 3
bool IP6 = 4
bool Listening = 5
Maybe we can grab the REUSEPORT/REUSEADDR option value
message
base.proto:54Ping - Test ghost connection
int32 Nonce = 1
message
proc.proto:24Process is a process running on the target
Used in: ,
int32 PID = 1
int32 PPID = 2
string Executable = 3
string Owner = 4
message
proc.proto:58bytes Memory = 1
string Err = 2
message
proc.proto:52procdump
uint32 GhostID = 1
int32 PID = 2
int32 Timeout = 3
message
proc.proto:36repeated Processes = 1
message
proc.proto:32ps
uint32 GhostID = 1
message
filesystem.proto:48string Path = 1
string Err = 2
message
filesystem.proto:44pwd
uint32 GhostID = 1
message
base.proto:49Register - Implant calls back to C2 Server and sends its information.
optional Information = 1
message
execute.proto:31string Encoder = 1
bool RWXPages = 2
uint32 PID = 3
bytes Shellcode = 4
message
priv.proto:53string Err = 1
message
priv.proto:49rev-to-self
uint32 GhostID = 1
message
filesystem.proto:65bool Success = 1
string Path = 2
string Err = 3
message
filesystem.proto:60rm
uint32 GhostID = 1
string Path = 2
message
priv.proto:32string Output = 1
string Err = 2
message
priv.proto:24run-as
uint32 GhostID = 1
string Username = 2
string Process = 3
repeated string Args = 4
message
capture.proto:29bytes Screenshot = 1
message
capture.proto:24Screenshot
uint32 GhostID = 1
bytes ScreenshotDetails = 2
message
shell.proto:31bool Success = 1
string Err = 2
uint64 TunnelID = 9
message
shell.proto:23uint32 GhostID = 1
string Path = 2
bool EnablePTY = 3
uint64 TunnelID = 9
message
execute.proto:73string Output = 1
string Error = 2
message
execute.proto:67sideload-dll
uint32 GhostID = 1
bytes DLL = 2
string Process = 3
message
net.proto:53Used in:
string IP = 1
uint32 Port = 2
message
net.proto:44netstat
Used in: ,
optional LocalAddr = 1
optional RemoteAddr = 2
string State = 3
uint32 UID = 4
optional Process = 5
The process owning the socket
string Protocol = 6
message
execute.proto:87string Output = 1
string Error = 2
message
execute.proto:79spawn-dll
uint32 GhostID = 1
bytes DLL = 2
string Process = 3
string Offset = 4
repeated string Args = 5
message
execute.proto:24shellcode task
string Encoder = 1
bool RWXPages = 2
uint32 PID = 3
bytes Shellcode = 4
message
proc.proto:47string Err = 1
message
proc.proto:41terminate
uint32 GhostID = 1
int32 PID = 2
message
filesystem.proto:104bool Success = 1
string Path = 2
string Err = 3
message
filesystem.proto:97upload
uint32 GhostID = 1
string Path = 2
string Encoder = 3
bytes Content = 4