API introduction
CrossC2 can run without files on the Linux and MacOS ends, parse and load directly from memory, and finally execute the dynamic library (.so / .dylib) in the task issued by the user. ) And executable file (ELF / MachO).
It also reserves the information interface collected in the CobaltStrike data set, such as 'portscan' port scan results, 'screenshot' screenshots, keyboard records, password credentials, etc. The results can be freely designated to return, and attacks such as portscan can be easily and quickly developed Kit. At the same time, advanced interfaces such as beaconNode, ssh beacon are also reserved. If you are familiar with ExtC2 or use pure custom communication C2 protocol for centralized management, you can attack metadata. The collection will be more flexible.
Finally, use the following method to send a task to CrossC2 beacon to load the execution file from memory.
cna: The command is defined in the plugin, and the crossc2_load_dyn() function is called to load the execution file
bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
Executable: The header entry point will be parsed from the memory search, and finally the parameters contained in the task will be passed for execution. It also means that it can be viewed in the process, so the dynamic library execution method below is recommended.
Dynamic library file:
1. Scenarios that require incoming parameters specify a dynamic library entry point
int crossc2_entry(int argc, char **argv)
In the same way as the traditional main function, argc records the number of parameters, and argv is a two-dimensional array that points to the specific parameter values passed in.
2. If you do not need to pass in parameters, you can use the compile-time attribute to specify the entry, and it will be executed automatically when the dynamic library is loaded.
The method of dynamic library is highly recommended, so that the process information of the executable file will not appear when the process is viewed.