Fixes #38

Ne0nd0g · Mar 22, 2024 · 4432ebf · 4432ebf
1 parent 13d204c
commit 4432ebf
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 1 deletion.
diff --git a/clients/smb/smb_windows.go b/clients/smb/smb_windows.go
@@ -43,6 +43,8 @@ import (
 	// X Package
 	"golang.org/x/sys/windows"
 
+	// 3rd Party
+	"github.com/Ne0nd0g/npipe"
 	"github.com/google/uuid"
 
 	// Merlin

diff --git a/docs/CHANGELOG.MD b/docs/CHANGELOG.MD
@@ -31,6 +31,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Resolved several SOCKS5 issues
   - Updated Mythic client to handle `post_response` actions with `ServerPostResponse` structure to include SOCKS information
   - Created a go routine and a channel just for sending SOCKS data in place of using the Jobs channel
+- [Issue 38](https://github.com/Ne0nd0g/merlin-agent/issues/38) - Added `evasion_386.go` to facilitate x86 Windows builds 
 
 ### Changed
 

diff --git a/os/windows/pkg/evasion/evasion.go b/os/windows/pkg/evasion/evasion.go
@@ -1,4 +1,4 @@
-//go:build windows
+//go:build windows && amd64
 
 /*
 Merlin is a post-exploitation command and control framework.

diff --git a/os/windows/pkg/evasion/evasion_386.go b/os/windows/pkg/evasion/evasion_386.go
@@ -0,0 +1,56 @@
+//go:build windows && !amd64
+
+/*
+Merlin is a post-exploitation command and control framework.
+
+This file is part of Merlin.
+Copyright (C) 2024 Russel Van Tuyl
+
+Merlin is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+any later version.
+
+Merlin is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with Merlin.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package evasion
+
+import (
+	// Standard
+	"fmt"
+)
+
+// Patch will find the target procedure and overwrite the start of its function with the provided bytes.
+// Used to for evasion to patch things like amsi.dll!AmsiScanBuffer or ntdll.dll!EtwEvenWrite
+func Patch(module string, proc string, data *[]byte) (string, error) {
+	return "", fmt.Errorf("cannot patch %s!%s on x86 architecture", module, proc)
+}
+
+// Read will find the target module and procedure address and then read its byteLength
+func Read(module string, proc string, byteLength int) ([]byte, error) {
+	return []byte{}, fmt.Errorf("cannot read %d bytes for %s!%s on x86 architecture", byteLength, module, proc)
+}
+
+// ReadBanana will find the target procedure and overwrite the start of its function with the provided bytes directly
+// using the NtReadVirtualMemory syscall
+func ReadBanana(module string, proc string, byteLength int) ([]byte, error) {
+	return []byte{}, fmt.Errorf("cannot read %d bytes for %s!%s on x86 architecture", byteLength, module, proc)
+}
+
+// Write will find the target module and procedure and overwrite the start of the function with the provided bytes
+func Write(module string, proc string, data *[]byte) error {
+	return fmt.Errorf("cannot write %d bytes for %s!%s on x86 architecture", len(*data), module, proc)
+}
+
+// WriteBanana will find the target module and procedure and overwrite the start of the function with the provided bytes
+// using the ZwWriteVirtualMemory syscall directly
+func WriteBanana(module string, proc string, data *[]byte) error {
+	return fmt.Errorf("cannot write %d bytes for %s!%s on x86 architecture", len(*data), module, proc)
+}