Agent and command shellcode communication protocol
This document describes TLV structures exchanged between Agent core and any command shellcode it is using.
2. Shellcode to agent command & result
Requests that are sent from shellcode to agent
2.1 Send data
Shellcode sends result data to agent
2.1.1 Request
- ID: 0x30
- TYPE: BLOB
- VALUE: Result data to be added to the command result data
2.1.2 Response
NO RESPONSE
2.2 Send error data
Shellcode sends error data to agent
2.2.1 Request
- ID: 0x32
- TYPE: BLOB
- VALUE: Error data to be added to the command error data
2.2.2 Response
NO RESPONSE
2.3 Command successful
Shellcode sends info to agent that the command was successful
2.3.1 Request
- ID: 0x33
- TYPE: EMPTY
- VALUE: Lets agent know that the command was successful
2.3.2 Response
NO RESPONSE
2.4 Command failed
Shellcode sends info to agent that the command failed
2.4.1 Request
- ID: 0x34
- TYPE: EMPTY
- VALUE: Lets agent know that the command failed
2.4.2 Response
NO RESPONSE
2.5 Command configuration setting
Shellcode sends info to agent to change some type of configuration/handling logic on the agent side for the command
2.5.1 Request
- ID: 0x31
- TYPE: PARENT
- VALUE: Outer ID 0x21 shows that the structure contains command configuration changes for the agent running the command
  - ID: 0x1
  - TYPE: BYTE
  - VALUE: isOngoingCommand - if set to true (1), the agent forwards results coming from the command to C2 as they arrive. Otherwise the result is only sent when the command marks itself done (1 == ongoing command, 0 == not ongoing command)
  - ID:
2.5.2 Response
NO RESPONSE
3. Agent to shellcode command & result
Requests that are sent from agent to shellcode
3.1 Stop execution
Shellcode should stop execution
3.1.1 Request
- ID: 0x38
- TYPE: EMPTY
- VALUE: Lets shellcode know that it should stop
3.1.2 Response
NO RESPONSE
3.2 Data to command
New data is sent to the command
3.2.1 Request
- ID: 0x39
- TYPE: BLOB
- VALUE: Sends shellcode new data
3.2.2 Response
NO RESPONSE
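The following is an added example, not code from the agent or its command shellcode: an agent-side receive path for the section 2 messages (0x30, 0x32, 0x33, 0x34, and 0x31 with its nested 0x1 child), plus the encoder a sender would use. The IDs and type names are taken from this document; the byte layout of a TLV (1-byte ID, 1-byte type, 4-byte little-endian length, then the value) and the numeric type codes are assumptions, since the document does not specify them. What it shows is the check a practitioner wants on any parser of shellcode output: every declared length is compared against the bytes actually received before the value is touched, nested children are walked with the same check, result and error buffers are bounded, and IDs that flow the other way (0x38, 0x39) are rejected on this side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Message IDs as listed in the spec (0x38/0x39 are agent -> shellcode). */
enum { ID_SEND_DATA = 0x30, ID_CMD_CONFIG = 0x31, ID_SEND_ERROR = 0x32,
       ID_CMD_SUCCESS = 0x33, ID_CMD_FAILED = 0x34, ID_STOP = 0x38,
       ID_DATA_TO_CMD = 0x39, ID_IS_ONGOING = 0x01 /* child of 0x31 */ };

/* Type names are from the spec; these numeric codes are an ASSUMPTION. */
enum { TLV_EMPTY = 0, TLV_BYTE = 1, TLV_BLOB = 2, TLV_PARENT = 3 };

/* ASSUMED wire layout: id (1) | type (1) | length (4, little-endian) | value */
#define TLV_HDR 6u

typedef struct { uint8_t id, type; uint32_t len; const uint8_t *value; } tlv_t;

size_t tlv_encode(uint8_t *out, size_t cap, uint8_t id, uint8_t type,
                  const uint8_t *val, uint32_t len)
{
    if (cap < TLV_HDR || cap - TLV_HDR < len) return 0;
    out[0] = id; out[1] = type;
    out[2] = (uint8_t)len;         out[3] = (uint8_t)(len >> 8);
    out[4] = (uint8_t)(len >> 16); out[5] = (uint8_t)(len >> 24);
    if (len) memcpy(out + TLV_HDR, val, len);
    return TLV_HDR + len;
}

/* Decode one TLV. Returns bytes consumed, or 0 if the header is truncated, the
 * declared length overruns avail, or type and length disagree. Never reads
 * past buf + avail. */
size_t tlv_decode(const uint8_t *buf, size_t avail, tlv_t *out)
{
    if (avail < TLV_HDR) return 0;
    uint32_t len = (uint32_t)buf[2] | ((uint32_t)buf[3] << 8) |
                   ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 24);
    if (len > avail - TLV_HDR) return 0;            /* length vs. bytes received */
    if (buf[1] == TLV_EMPTY && len != 0) return 0;
    if (buf[1] == TLV_BYTE && len != 1) return 0;
    out->id = buf[0]; out->type = buf[1]; out->len = len; out->value = buf + TLV_HDR;
    return TLV_HDR + len;
}

/* Agent-side state for one running command, filled from shellcode messages. */
typedef struct {
    uint8_t result[256]; size_t result_len;
    uint8_t error[256];  size_t error_len;
    int status;   /* 0 = running, 1 = success (0x33), -1 = failed (0x34) */
    int ongoing;  /* isOngoingCommand, child 0x1 of 0x31 */
} cmd_state_t;

static int append_bounded(uint8_t *dst, size_t *dst_len, size_t cap,
                          const uint8_t *src, size_t n)
{
    if (n > cap - *dst_len) return -1;  /* reject instead of overflowing */
    memcpy(dst + *dst_len, src, n);
    *dst_len += n;
    return 0;
}

/* Handle one shellcode -> agent message. 0 on success, -1 if malformed,
 * trailing bytes are present, or the ID is not accepted on this side. */
int agent_handle(const uint8_t *msg, size_t n, cmd_state_t *st)
{
    tlv_t t;
    size_t used = tlv_decode(msg, n, &t);
    if (used == 0 || used != n) return -1;
    switch (t.id) {
    case ID_SEND_DATA:
        if (t.type != TLV_BLOB) return -1;
        return append_bounded(st->result, &st->result_len, sizeof st->result, t.value, t.len);
    case ID_SEND_ERROR:
        if (t.type != TLV_BLOB) return -1;
        return append_bounded(st->error, &st->error_len, sizeof st->error, t.value, t.len);
    case ID_CMD_SUCCESS:
        if (t.type != TLV_EMPTY) return -1;
        st->status = 1; return 0;
    case ID_CMD_FAILED:
        if (t.type != TLV_EMPTY) return -1;
        st->status = -1; return 0;
    case ID_CMD_CONFIG: {
        if (t.type != TLV_PARENT) return -1;
        size_t off = 0;
        while (off < t.len) {                 /* walk nested children, bounded by t.len */
            tlv_t c;
            size_t cu = tlv_decode(t.value + off, t.len - off, &c);
            if (cu == 0) return -1;
            if (c.id == ID_IS_ONGOING && c.type == TLV_BYTE) st->ongoing = c.value[0] != 0;
            off += cu;                        /* unknown child IDs are skipped */
        }
        return 0;
    }
    default:
        return -1;  /* 0x38/0x39 flow agent -> shellcode; anything else is unknown */
    }
}

int main(void)
{
    cmd_state_t st = {0};
    uint8_t child[16], msg[64];
    /* Constructed sample: 0x31 PARENT wrapping 0x1 BYTE = 1 */
    size_t cl = tlv_encode(child, sizeof child, ID_IS_ONGOING, TLV_BYTE, (const uint8_t *)"\x01", 1);
    size_t ml = tlv_encode(msg, sizeof msg, ID_CMD_CONFIG, TLV_PARENT, child, (uint32_t)cl);
    printf("config ok=%d ongoing=%d\n", agent_handle(msg, ml, &st) == 0, st.ongoing);
    printf("truncated rejected=%d\n", agent_handle(msg, ml - 1, &st) == -1);
    return 0;
}
```

The decoder returns 0 for any inconsistency rather than clamping, and agent_handle treats trailing bytes after a message as an error; both choices keep a parsing mistake from being silently absorbed into the result buffer the agent later forwards to C2.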