Agent and command shellcode communication protocol

This document describes the TLV structures exchanged between the Agent core and any command shellcode it is running.

2. Shellcode to agent command & result

Requests that are sent from shellcode to agent

2.1 Send data

Shellcode sends result data to agent

2.1.1 Request

  • ID: 0x30
    TYPE: BLOB
    VALUE: Result data to be added to the command result data

2.1.2 Response

NO RESPONSE

2.2 Send error data

Shellcode sends error data to agent

2.2.1 Request

  • ID: 0x32
    TYPE: BLOB
    VALUE: Error data to be added to the command error data

2.2.2 Response

NO RESPONSE

2.3 Command successful

Shellcode sends info to agent that command was successful

2.3.1 Request

  • ID: 0x33
    TYPE: EMPTY
    VALUE: Lets agent know that command was successful

2.3.2 Response

NO RESPONSE

2.4 Command failed

Shellcode sends info to agent that command failed

2.4.1 Request

  • ID: 0x34
    TYPE: EMPTY
    VALUE: Lets agent know that command failed

2.4.2 Response

NO RESPONSE

2.5 Command configuration setting

Shellcode sends info to the agent to change some configuration or handling logic on the agent side for this command

2.5.1 Request

  • ID: 0x31
    TYPE: PARENT
    VALUE: Outer ID 0x21 shows that the structure contains command configuration changes for agent running the command
    • ID: 0x1
      TYPE: BYTE
      VALUE: isOngoingCommand - if set to true (1), the agent forwards results coming from the command on to the C2 as they arrive. Otherwise the result is only sent when the command marks itself done (1 == ongoing command, 0 == not ongoing command)

2.5.2 Response

NO RESPONSE


3. Agent to shellcode command & result

Requests that are sent from agent to shellcode

3.1 Stop execution

Shellcode should stop execution

3.1.1 Request

  • ID: 0x38
    TYPE: EMPTY
    VALUE: Lets shellcode know that it should stop

3.1.2 Response

NO RESPONSE

3.2 Data to command

New data is sent to the command

3.2.1 Request

  • ID: 0x39
    TYPE: BLOB
    VALUE: Sends the shellcode new data

3.2.2 Response

NO RESPONSE
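The following is an added example, not code from this page or from the agent project it describes. It encodes and parses the messages of sections 2 and 3 as TLVs and applies the section 2 semantics on the agent side: result and error data are accumulated, 0x33/0x34 set the final status, and the nested isOngoingCommand byte (0x1 inside 0x31) decides whether result chunks are forwarded to the C2 as they arrive. The page does not define the wire layout of a TLV, so the 1-byte ID plus 4-byte little-endian length header, the ID-to-TYPE table, and the names `decode`, `is_well_formed`, `agent_handle` and `CommandState` are assumptions made for this example; the message sequence in `run_example` is constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Message IDs taken from sections 2 and 3 of the protocol description.
ID_SEND_DATA       = 0x30  # shellcode -> agent, BLOB
ID_CMD_CONFIG      = 0x31  # shellcode -> agent, PARENT
ID_SEND_ERROR      = 0x32  # shellcode -> agent, BLOB
ID_CMD_SUCCESS     = 0x33  # shellcode -> agent, EMPTY
ID_CMD_FAILED      = 0x34  # shellcode -> agent, EMPTY
ID_STOP_EXECUTION  = 0x38  # agent -> shellcode, EMPTY
ID_DATA_TO_COMMAND = 0x39  # agent -> shellcode, BLOB
ID_IS_ONGOING      = 0x01  # BYTE, nested inside ID_CMD_CONFIG

TYPE_BY_ID: Dict[int, str] = {
    ID_SEND_DATA: "BLOB", ID_CMD_CONFIG: "PARENT", ID_SEND_ERROR: "BLOB",
    ID_CMD_SUCCESS: "EMPTY", ID_CMD_FAILED: "EMPTY", ID_STOP_EXECUTION: "EMPTY",
    ID_DATA_TO_COMMAND: "BLOB", ID_IS_ONGOING: "BYTE",
}

# ASSUMPTION: the page gives no wire layout. This example uses a 1-byte ID
# followed by a 4-byte little-endian length, then the value bytes.
HEADER = struct.Struct("<BI")


@dataclass
class TLV:
    tlv_id: int
    value: bytes = b""
    children: List["TLV"] = field(default_factory=list)


def encode(tlv: TLV) -> bytes:
    """Serialise one TLV; a PARENT's value is the concatenation of its children."""
    body = b"".join(encode(c) for c in tlv.children) if tlv.children else tlv.value
    return HEADER.pack(tlv.tlv_id, len(body)) + body


def decode(buf: bytes, depth: int = 0) -> List[TLV]:
    """Parse consecutive TLVs, rejecting malformed input instead of over-reading.

    Each length is checked against the remaining bytes before slicing, the TYPE
    declared for the ID is enforced, and nesting is limited to the single level
    the protocol uses (0x01 inside 0x31).
    """
    out: List[TLV] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_id, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if length > len(buf) - off:
            raise ValueError("TLV 0x%02x length %d exceeds buffer" % (tlv_id, length))
        body = buf[off:off + length]
        off += length
        kind = TYPE_BY_ID.get(tlv_id)
        if kind is None:
            raise ValueError("unknown TLV id 0x%02x" % tlv_id)
        if kind == "EMPTY" and length != 0:
            raise ValueError("EMPTY TLV 0x%02x carries %d bytes" % (tlv_id, length))
        if kind == "BYTE" and length != 1:
            raise ValueError("BYTE TLV 0x%02x has length %d" % (tlv_id, length))
        if kind == "PARENT":
            if depth > 0:
                raise ValueError("PARENT TLV nested too deeply")
            out.append(TLV(tlv_id, children=decode(body, depth + 1)))
        else:
            out.append(TLV(tlv_id, body))
    return out


def is_well_formed(buf: bytes) -> bool:
    """True if the buffer parses cleanly under the rules above."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


@dataclass
class CommandState:
    """Agent-side view of one running command (section 2 semantics)."""
    result: bytes = b""
    error: bytes = b""
    ongoing: bool = False
    status: Optional[str] = None                          # None, "success" or "failed"
    forwarded: List[bytes] = field(default_factory=list)  # chunks passed on to C2 immediately


def agent_handle(state: CommandState, tlv: TLV) -> None:
    """Apply one shellcode -> agent message to the command state."""
    if tlv.tlv_id == ID_SEND_DATA:
        state.result += tlv.value
        if state.ongoing:  # 2.5: an ongoing command streams results as they come
            state.forwarded.append(tlv.value)
    elif tlv.tlv_id == ID_SEND_ERROR:
        state.error += tlv.value
    elif tlv.tlv_id == ID_CMD_SUCCESS:
        state.status = "success"
    elif tlv.tlv_id == ID_CMD_FAILED:
        state.status = "failed"
    elif tlv.tlv_id == ID_CMD_CONFIG:
        for child in tlv.children:
            if child.tlv_id == ID_IS_ONGOING:
                state.ongoing = child.value[0] == 1
    else:
        raise ValueError("0x%02x is not a shellcode-to-agent message" % tlv.tlv_id)


def run_example() -> CommandState:
    """Constructed sequence: enable streaming, two result chunks, an error, then success."""
    msgs = [
        TLV(ID_CMD_CONFIG, children=[TLV(ID_IS_ONGOING, b"\x01")]),
        TLV(ID_SEND_DATA, b"line one\n"),
        TLV(ID_SEND_DATA, b"line two\n"),
        TLV(ID_SEND_ERROR, b"warning: partial read\n"),
        TLV(ID_CMD_SUCCESS),
    ]
    state = CommandState()
    for tlv in decode(b"".join(encode(m) for m in msgs)):
        agent_handle(state, tlv)
    return state


if __name__ == "__main__":
    s = run_example()
    print(s.status, s.ongoing, s.result, s.error, s.forwarded)
```

The strict checks in `decode` are what make the parser safe to run over captured or untrusted buffers: a length that overruns the buffer, a payload on an EMPTY message, a multi-byte BYTE, an unknown ID or a PARENT inside a PARENT all raise instead of being silently accepted.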