
Agent and command shellcode communication protocol

This document describes the TLV structures exchanged between the Agent core and any command shellcode it is running.

2. Shellcode to agent command & result

Requests that are sent from shellcode to agent

2.1 Send data

Shellcode sends result data to agent

2.1.1 Request

  • ID: 0x30
    TYPE: BLOB
    VALUE: Result data to be added to the command result data

2.1.2 Response

NO RESPONSE

2.2 Send error data

Shellcode sends error data to agent

2.2.1 Request

  • ID: 0x32
    TYPE: BLOB
    VALUE: Error data to be added to the command error data

2.2.2 Response

NO RESPONSE

2.3 Command successful

Shellcode sends info to agent that command was successful

2.3.1 Request

  • ID: 0x33
    TYPE: EMPTY
    VALUE: Lets agent know that command was successful

2.3.2 Response

NO RESPONSE

2.4 Command failed

Shellcode sends info to agent that command failed

2.4.1 Request

  • ID: 0x34
    TYPE: EMPTY
    VALUE: Lets agent know that command failed

2.4.2 Response

NO RESPONSE

2.5 Command configuration setting

Shellcode sends this to change some part of the agent-side configuration or handling logic for the command. The subvalues are not all mandatory: include only the ones you want to change.

2.5.1 Request

  • ID: 0x31
    TYPE: PARENT
    VALUE: Outer ID 0x21 shows that the structure contains command configuration changes for agent running the command
    • ID: 0x1
      TYPE: BYTE
      VALUE: isOngoingCommand - if set to true (1), the agent forwards results from the command to the C2 as they arrive. Otherwise the result is only sent when the command marks itself done (1 == ongoing command, 0 == not ongoing command)
    • ID: 0x2
      TYPE: BYTE
      VALUE: isBlockByBlockResult - If set to 1 (true), the agent will forward result data block-by-block as it receives them from the shellcode, without combining them into a single result block. This mode may simplify parsing on the plugin server side in certain specific scenarios. However, it introduces additional overhead, especially when result blocks are small. (1 == block by block result, 0 == joining blocks)
    • ID: 0x3
      TYPE: INT32
      VALUE: setStopWait - Specifies the maximum time (in seconds) the agent will wait for this command to stop after being instructed to do so. If the value is greater than 0, it indicates that the command supports graceful termination. After the stop instruction is issued, the agent will wait up to this duration before forcibly terminating the command thread if it hasn't stopped on its own

2.5.2 Response

NO RESPONSE


3. Agent to shellcode command & result

Requests/notifications that are sent from agent to shellcode

3.1 Stop execution

Shellcode should stop execution

3.1.1 Request

  • ID: 0x38
    TYPE: EMPTY
    VALUE: Lets shellcode know that it should stop

3.1.2 Response

NO RESPONSE

3.2 Data to command

New data is sent to the command

3.2.1 Request

  • ID: 0x39
    TYPE: BLOB
    VALUE: Sends the shellcode new data

3.2.2 Response

NO RESPONSE
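As an added example (not code from this page or from the Agent project), a Python decoder for the messages in sections 2 and 3 that an analyst can use to validate and decode a captured or recovered buffer for either direction, including the nested configuration structure under ID 0x31. The byte layout (1-byte ID, 4-byte little-endian length, then the value) is an assumption, since this page specifies only the IDs and value types.

```python
import struct
# Message IDs and value types as listed in sections 2 and 3 of this page.
SHELLCODE_TO_AGENT = {0x30: "BLOB", 0x32: "BLOB", 0x33: "EMPTY", 0x34: "EMPTY", 0x31: "PARENT"}
AGENT_TO_SHELLCODE = {0x38: "EMPTY", 0x39: "BLOB"}
CONFIG_SUBVALUES = {0x1: "BYTE", 0x2: "BYTE", 0x3: "INT32"}  # nested inside ID 0x31
FIXED_LEN = {"EMPTY": 0, "BYTE": 1, "INT32": 4}  # BLOB and PARENT are variable length
# ASSUMPTION: the page gives no byte layout; this example uses a 1-byte ID, a 4-byte little-endian length, then the raw value.
HDR = struct.Struct("<BI")

def encode(tid, value=b""):
    """Build one TLV under the assumed layout (used here only to construct sample input)."""
    return HDR.pack(tid, len(value)) + value

DECODERS = {
    "EMPTY": lambda v: None,
    "BYTE": lambda v: v[0],
    "INT32": lambda v: struct.unpack("<i", v)[0],
    "BLOB": lambda v: v,
    "PARENT": lambda v: parse(v, CONFIG_SUBVALUES),  # ID 0x31 carries nested config TLVs
}

def parse(buf, table):
    """Decode a run of TLVs into (id, value) pairs; reject malformed input instead of guessing."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < HDR.size:
            raise ValueError("truncated header at offset %d" % pos)
        tid, length = HDR.unpack_from(buf, pos)
        pos += HDR.size
        if length > len(buf) - pos:
            raise ValueError("length %d overruns buffer at offset %d" % (length, pos))
        value, pos = buf[pos:pos + length], pos + length
        kind = table.get(tid)
        if kind is None:
            raise ValueError("ID 0x%02x is not defined for this direction" % tid)
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            raise ValueError("ID 0x%02x: %s must be %d bytes, got %d" % (tid, kind, FIXED_LEN[kind], length))
        out.append((tid, DECODERS[kind](value)))
    return out

def is_wellformed(buf, table):
    try:  # True when the whole buffer decodes cleanly under the given direction's ID table
        parse(buf, table)
        return True
    except ValueError:
        return False

# Constructed sample: config (2.5) with ongoing=1 and a 5-second stop wait, one result block (2.1), then success (2.3).
SAMPLE = (encode(0x31, encode(0x1, b"\x01") + encode(0x3, struct.pack("<i", 5)))
          + encode(0x30, b"hello") + encode(0x33))
```

Decoding `SAMPLE` with the shellcode-to-agent table yields the configuration subvalues, the result blob and the success marker in order; the same bytes are rejected under the agent-to-shellcode table because 0x31 is not defined in that direction.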