
Agent and listener shellcode communication protocol

This document describes the TLV structures exchanged between the Agent core and any listener shellcode it is using.

In both directions data is sent in packets of the following format, where "actual data" is one of the TLV structures described below:

< 4 byte little endian length >< actual data >

2. Agent to shellcode command & result

Requests sent from the agent to the shellcode, and their responses.

2.1 Send shellcode new configuration

Listener reconfiguration request and response.

2.1.1 Request

  • ID: 0x20
    TYPE: PARENT
    VALUE: Outer ID 0x20 marks the structure as a listener reconfiguration request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x1
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the agent to distinguish responses to different requests
    • ID: 0x4
      TYPE: BLOB
      required: YES
      VALUE: Configuration to be relayed to the shellcode

2.1.2 Response

  • ID: 0x20
    TYPE: PARENT
    VALUE: Outer ID 0x20 marks the structure as a listener reconfiguration request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x0
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the agent to distinguish responses to different requests
    • ID: 0x3
      TYPE: BYTE
      required: YES
      VALUE: isSuccess (1 == yes, 0 == no)
    • ID: 0x4
      TYPE: BLOB
      VALUE: Error message, if any (not marked required)

3. Shellcode to agent command & result

Requests sent from the shellcode to the agent, and their responses.

3.1 Get metadata

The shellcode asks the agent core for the metadata blob.

3.1.1 Request

  • ID: 0x21
    TYPE: PARENT
    VALUE: Outer ID 0x21 marks the structure as a metadata request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x1
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the shellcode to distinguish responses to different requests

3.1.2 Response

  • ID: 0x21
    TYPE: PARENT
    VALUE: Outer ID 0x21 marks the structure as a metadata request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x0
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the shellcode to distinguish responses to different requests
    • ID: 0x4
      TYPE: BLOB
      VALUE: Metadata binary

3.2 Get next message to send to C2

The shellcode asks the agent core for the next command blob to send to the C2.

3.2.1 Request

  • ID: 0x22
    TYPE: PARENT
    VALUE: Outer ID 0x22 marks the structure as a next-message request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x1
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the shellcode to distinguish responses to different requests

3.2.2 Response

  • ID: 0x22
    TYPE: PARENT
    VALUE: Outer ID 0x22 marks the structure as a next-message request or response
    • ID: 0x1
      TYPE: BYTE
      required: YES
      VALUE: isRequest (1 == request, 0 == response), so should be 0x0
    • ID: 0x2
      TYPE: INT32
      required: YES
      VALUE: Unique ID generated by the shellcode to distinguish responses to different requests
    • ID: 0x4
      TYPE: BLOB
      VALUE: Command binary

3.3 Give agent core a new message received from C2

The shellcode hands a message received from the C2 to the agent core.

3.3.1 Request

  • ID: 0x23
    TYPE: BLOB
    VALUE: The command binary received from the C2; outer ID 0x23 marks the structure as such

3.3.2 Response

NO RESPONSE
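The following is an added example of the whole exchange, not code from this page or from the project it documents. The page fixes the packet framing and the IDs, types and required flags of every field, but not how a single TLV is serialized, so this code assumes a 1-byte ID, a 1-byte type code and a 4-byte little-endian length ahead of the value, with invented type codes (BYTE = 1, INT32 = 2, BLOB = 3, PARENT = 4). The function names, the 1 MiB packet cap and the sample configuration, metadata and C2 payload are likewise constructed for the example. It builds the 0x20 reconfiguration request and response, the 0x21 metadata request and response and a 0x23 inbound message, frames them, and has each side parse what it receives and answer by request ID.

```python
import io
import struct

# Assumed TLV wire layout (the page does not specify one): 1-byte ID, 1-byte
# type code, 4-byte little-endian length, then the value.  Type codes are made up.
BYTE, INT32, BLOB, PARENT = 1, 2, 3, 4
SCALAR = {BYTE: "<B", INT32: "<i"}             # struct formats for fixed-size values
ENCODERS = {BLOB: bytes, PARENT: b"".join}     # a PARENT value is a list of encoded children
HDR = struct.Struct("<BBI")
# Outer structure IDs and inner field IDs as given on the page.
RECONFIG, METADATA, NEXT_MSG, INBOUND = 0x20, 0x21, 0x22, 0x23
IS_REQUEST, REQ_ID, SUCCESS, DATA = 0x1, 0x2, 0x3, 0x4

def tlv(tid, ttype, value):
    """Encode one TLV (an unknown type raises KeyError)."""
    body = struct.pack(SCALAR[ttype], value) if ttype in SCALAR else ENCODERS[ttype](value)
    return HDR.pack(tid, ttype, len(body)) + body

def parse(buf):
    """Decode TLVs into {id: value}, recursing into PARENT.  Every length is
    checked against the remaining buffer before it is used."""
    fields, off = {}, 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated TLV header")
        tid, ttype, length = HDR.unpack_from(buf, off)
        off += HDR.size
        if length > len(buf) - off:
            raise ValueError("TLV 0x%x length %d exceeds buffer" % (tid, length))
        raw, off = buf[off:off + length], off + length
        if ttype in SCALAR and length == struct.calcsize(SCALAR[ttype]):
            fields[tid] = struct.unpack(SCALAR[ttype], raw)[0]
        elif ttype == BLOB:
            fields[tid] = bytes(raw)
        elif ttype == PARENT:
            fields[tid] = parse(raw)
        else:
            raise ValueError("bad type/length for TLV 0x%x" % tid)
    return fields

def frame(data):                                # 4-byte LE length, then one outer TLV
    return struct.pack("<I", len(data)) + data

def read_packet(stream, max_len=1 << 20):
    """Read one packet; max_len caps what a peer can make the reader allocate."""
    hdr = stream.read(4)
    if len(hdr) < 4:
        return None                             # clean end of stream
    (n,) = struct.unpack("<I", hdr)
    if n > max_len:
        raise ValueError("packet length %d over limit" % n)
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("short packet")
    return data

def envelope(outer, req_id, is_request, extra=()):
    """Shared 0x20/0x21/0x22 shape: isRequest, request ID, then any extras."""
    return tlv(outer, PARENT, [tlv(IS_REQUEST, BYTE, int(is_request)),
                               tlv(REQ_ID, INT32, req_id), *extra])

def reconfig_request(req_id, config):           # 2.1.1
    return envelope(RECONFIG, req_id, True, [tlv(DATA, BLOB, config)])

def reconfig_response(req_id, ok, error=b""):   # 2.1.2: error message only on failure
    extra = [tlv(SUCCESS, BYTE, int(ok))] + ([] if ok else [tlv(DATA, BLOB, error)])
    return envelope(RECONFIG, req_id, False, extra)

def decode(packet):
    """Parse one packet and enforce the fields the page marks as required."""
    (oid, fields), = parse(packet).items()      # exactly one outer TLV per packet
    if oid == INBOUND:
        return oid, fields                      # 3.3.1: a bare BLOB, no response
    if oid not in (RECONFIG, METADATA, NEXT_MSG) or not isinstance(fields, dict):
        raise ValueError("unknown or malformed outer TLV 0x%x" % oid)
    is_req = fields.get(IS_REQUEST)
    need = {IS_REQUEST, REQ_ID} | ({DATA if is_req else SUCCESS} if oid == RECONFIG else set())
    missing = need - fields.keys()
    if missing or is_req not in (0, 1):
        raise ValueError("bad isRequest or missing fields %s" % sorted(missing))
    return oid, fields

def round_trip():
    """Constructed exchange; both sides match replies to requests by request ID."""
    wire = io.BytesIO(frame(reconfig_request(7, b"port=8443"))         # 2.1.1
                      + frame(envelope(METADATA, 99, True))             # 3.1.1
                      + frame(tlv(INBOUND, BLOB, b"c2-task")))          # 3.3.1
    results = []
    while (pkt := read_packet(wire)) is not None:
        oid, f = decode(pkt)
        if oid == RECONFIG and f[IS_REQUEST]:           # listener answers with 2.1.2
            results.append(decode(reconfig_response(f[REQ_ID], ok=True)))
        elif oid == METADATA and f[IS_REQUEST]:         # agent core answers with 3.1.2
            results.append(decode(envelope(METADATA, f[REQ_ID], False,
                                           [tlv(DATA, BLOB, b"host=ws01")])))
        else:                                           # 0x23 carries no reply
            results.append((oid, f))
    return results
```

Two checks are worth keeping whichever side you implement: read_packet bounds the packet length before it allocates, and parse compares each inner length with the bytes actually remaining, so a peer cannot make the reader over-read or over-allocate; decode refuses a packet whose required fields are absent instead of defaulting them, which is what keeps a malformed 0x20 response from being mistaken for a successful reconfiguration. The same parser handles 0x22 because it shares the 0x21 shape; only the outer ID differs.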