Skip to content

Post Module Methods

Maxime Landon edited this page Mar 5, 2020 · 8 revisions

When writing a post-exploitation module in Wiregost, you will need to interact with an implant session, and send commands to it. All implant commands available in the console thus have their equivalent function in a Post Module. Some functions are also specific to modules, such as GetSession() which selects a session for the module to interact with.

All functions have a GoDoc comment, so you can browse them with the GoToDefinition and other utilities available to you code editor.

First, some general functions are available:

General functions

func (m *Post) GetSession() (err error)

This function finds the session with the m.Options["Session"] option. It returns an error if either the session hasn't the OS/arch required by the module, or if the Session name provided does not correspond to a connected implant.

func (m *Module) CheckRequiredOptions() (ok bool, err error)

Checks that all required options for the Module have a value

func (m *Module) Event(event string)

Sends an event back to console. Useful to give detailed status of the module when running.

func (m *Module) Asset(path string) (filePath string, err error)

You can copy any amount of non-Go source files in your package directory (as said here). When compiling the C2 Server, it will automatically pack all the files. You can access any of these files, anywhere in you package directory tree, by using this function. For example, if you have a bash script in src/mimipenguin.sh, you can point to it like this: m.Asset("src/mimipenguin.sh").


The Session object

Once you have called the GetSession() method in your module, you have now access to the module's Session object. Thus you have access to all variables stored in it: username, hostname, remote address, PID, UID, and some others.

In order to use these values, just do m.Session.Username, or m.Session.ID, or m.Session.RemoteAddress, etc...


Post Exploitation Functions

All post-exploitation functions are listed below, by category. Please check the codebase, or try writing a module and browse these functions with some GoToDefinition features in your editor. This is a list of these functions.

Some of these functions involve a slightly more complex process and more actions, so they already integrate m.Event() functions, that will send back status messages to the console.

(All these functions are actually methods of the Post type, we ommit here to show the receiver)


File System

Upload(src string, path string, timeout time.Duration) (result string, err error)

Download(lpath string, rpath string, timeout time.Duration) (result string, err error)

Remove(path string, timeout time.Duration) (result string, err error)

ChangeDirectory(dir string, timeout time.Duration) (result string, err error)

ListDirectory(path string, timeout time.Duration) (files []*ghostpb.FileInfo, err error)

Proc

Ps(timeout time.Duration) (procs []*ghostpb.Process, err error) 

Terminate(pid int, timeout time.Duration) (result string, err error) 

GetPIDByName(name string, timeout time.Duration) (pid int, err error) 

Migrate(pid int, timeout time.Duration) (result string, err error) 

ProcDump(pid int, timeout time.Duration) (tmp string, err error) 

Priv

RunAs(username, process string, args []string, timeout time.Duration) (result string, err error) 

Impersonate(username string, timeout time.Duration) (result string, err error) 

Rev2Self(timeout time.Duration) (result string, err error) 

GetSystem(process string, timeout time.Duration) (result string, err error) 

Execute

Execute(path string, args []string, timeout time.Duration) (result string, err error) 

ExecuteAssembly(dll, process string, args []string, timeout time.Duration) (result string, err error) 

ExecuteShellcode(shellcodePath string, pid int, rwxPages bool, timeout time.Duration) (result string, err error) 

SideloadDLL(dll, entryPoint, process string, args []string, timeout time.Duration) (result string, err error) 

SpawnDLL(dll, export, process string, args []string, timeout time.Duration) (result string, err error) 

InjectMSFPayload(payload, lhost string, lport int, pid int, encoder string, iters int, timeout time.Duration) (result string, err error) 
Clone this wiki locally