diff --git a/Makefile b/Makefile index b21cb43..6353f10 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ -.PHONY: all clean build-all checksums +.PHONY: all clean build-all checksums build-dll # Define platforms and output settings OUTPUT_DIR=bin -all: build-all checksums +all: build-all build-dll checksums build-all: mkdir -p $(OUTPUT_DIR) @@ -27,6 +27,28 @@ build-all: GOOS=windows GOARCH=amd64 go build -o $(OUTPUT_DIR)/darkflare-client-windows-amd64.exe client/main.go GOOS=windows GOARCH=amd64 go build -o $(OUTPUT_DIR)/darkflare-server-windows-amd64.exe server/main.go +# New target for DLL builds +build-dll: + mkdir -p $(OUTPUT_DIR)/dll + # Windows AMD64 DLL + CGO_ENABLED=1 GOOS=windows GOARCH=amd64 \ + CC="x86_64-w64-mingw32-gcc" \ + CGO_CFLAGS="-I/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-x86_64/x86_64-w64-mingw32/include" \ + CGO_LDFLAGS="-L/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-x86_64/x86_64-w64-mingw32/lib" \ + go build --buildmode=c-shared \ + -ldflags="-s -w" \ + -o $(OUTPUT_DIR)/dll/darkflare-client-windows-amd64.dll \ + client/main.go + # Windows 386 DLL + CGO_ENABLED=1 GOOS=windows GOARCH=386 \ + CC="i686-w64-mingw32-gcc" \ + CGO_CFLAGS="-I/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-i686/i686-w64-mingw32/include" \ + CGO_LDFLAGS="-L/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-i686/i686-w64-mingw32/lib" \ + go build --buildmode=c-shared \ + -ldflags="-s -w" \ + -o $(OUTPUT_DIR)/dll/darkflare-client-windows-386.dll \ + client/main.go + checksums: cd $(OUTPUT_DIR) && \ echo "# DarkFlare Binary Checksums" > checksums.txt && \ @@ -35,10 +57,10 @@ checksums: ( \ if command -v sha256sum >/dev/null 2>&1; then \ echo "Using sha256sum" && \ - sha256sum * >> checksums.txt; \ + find . -type f ! -name checksums.txt -exec sha256sum {} \; >> checksums.txt; \ else \ echo "Using shasum" && \ - shasum -a 256 * >> checksums.txt; \ + find . -type f ! -name checksums.txt -exec shasum -a 256 {} \; >> checksums.txt; \ fi \ ) 
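Review bot: The `CGO_CFLAGS` and `CGO_LDFLAGS` values in the new `build-dll` recipe hard-code `/opt/homebrew/Cellar/mingw-w64/12.0.0_1/...`, so the DLLs committed under `bin/dll/` can only be rebuilt on a Homebrew install at that exact formula revision, and nobody else can reproduce them to check the hashes recorded in `bin/checksums.txt`. Lift the prefix into an overridable variable, `MINGW_PREFIX ?= /opt/homebrew/Cellar/mingw-w64/12.0.0_1`, and reference it as `CGO_CFLAGS="-I$(MINGW_PREFIX)/toolchain-x86_64/x86_64-w64-mingw32/include"` (likewise for the `-L` and i686 paths), or drop both settings if the mingw cross compilers find their own headers and libraries, which they normally do. The first hunk also makes `all` depend on `build-dll`, so `make all` now fails on any host without both mingw-w64 toolchains; keeping the DLL build opt-in would avoid that.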
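Review bot: `find` emits files in directory order, so both new `find ... -exec` lines in the `checksums` recipe write hashes in an order that can change between hosts and runs; the reshuffled entries in `bin/checksums.txt` in this same commit show the effect, and it makes a changed or newly added hash hard to spot in review. Sort the listing before appending, for example `find . -type f ! -name checksums.txt -exec sha256sum {} + | LC_ALL=C sort -k 2 >> checksums.txt; \`, and do the same with `shasum -a 256` in the else branch. The pipeline's exit status is then that of `sort`, so a failing hash command no longer fails the recipe unless the shell runs with pipefail. The recipe starts above this hunk.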
diff --git a/README.md b/README.md
index e8dc01c..eb1dfb2 100644
--- a/README.md
+++ b/README.md
@@ -295,72 +295,20 @@ Then simply: ssh remote-server ``` +## 🔒 Windows Fileless Execution -## 🧙 Fileless Execution - -DarkFlare supports fileless execution on Windows systems using PowerShell, allowing you to run the client without saving any files to disk. This is particularly useful in restricted environments where: -- You don't have write permissions to the local system -- Security policies prevent executing downloaded binaries -- You need to leave no traces on the filesystem -- You want to run the client without installation or cleanup - -### PowerShell Memory Execution -Save this as `memory-exec.ps1` or download from examples/: -```powershell -# See examples/memory-exec.ps1 in the repository -param ( - [Parameter(Mandatory=$true)] - [string]$t, - [Parameter(Mandatory=$true)] - [string]$d, - [Parameter(Mandatory=$false)] - [string]$l = "stdin:stdout", - [Parameter(Mandatory=$false)] - [string]$p -) - -$url = "https://github.com/doxx/darkflare/releases/latest/download/darkflare-client-windows-amd64.exe" -$webClient = New-Object System.Net.WebClient -$bytes = $webClient.DownloadData($url) -$assembly = [System.Reflection.Assembly]::Load($bytes) -$args = @("-l", $l, "-t", $t, "-d", $d) -if ($p) { $args += @("-p", $p) } -$assembly.EntryPoint.Invoke($null, @(,[string[]]$args)) -``` +For scenarios requiring fileless operation on Windows systems, DarkFlare provides DLL variants that can be loaded directly into memory: -### Usage Examples +Location: `bin/dll/` +- `darkflare-client-windows-386.dll` (32-bit) +- `darkflare-client-windows-amd64.dll` (64-bit) -1. Direct SSH connection using ProxyCommand: -```bash -ssh -o ProxyCommand="powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22" user@remote -``` +These DLLs can be embedded within C# or C++ applications for memory-only execution, making them suitable for situations where disk writes need to be avoided. -2. 
One-liner for immediate execution (no script file needed): -```powershell -$script = (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/doxx/darkflare/main/examples/memory-exec.ps1'); -powershell -Command $script -t cdn.example.com -d localhost:22 -``` +For implementation details and examples, see: +- [Embedding Golang Tools in C#/C++](https://medium.com/@shantanukhande/red-team-how-to-embed-golang-tools-in-c-e269bf33876a) -3. With a SOCKS5 proxy: -```powershell -powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22 -p socks5://proxy:1080 -``` - -### Benefits -- **No Installation Required**: Run directly from memory without installing -- **No Filesystem Traces**: Leaves no artifacts on the local system -- **Bypass Restrictions**: Works in environments with strict file execution policies -- **Easy Cleanup**: No files to remove after use -- **Latest Version**: Always downloads the latest release -- **Portable**: Can be run from any PowerShell prompt with internet access - -### Security Considerations -- Only download from trusted sources over HTTPS -- Consider adding checksum verification for enhanced security -- Be aware that some security software may detect/block memory execution -- Use only in environments where you have permission to do so -- The binary is still downloaded, just not saved to disk -- Network administrators may still see the download traffic +⚠️ Note: This feature should only be used in legitimate testing scenarios with proper authorization. ## 📖 Command Line Reference diff --git a/bin/checksums.txt b/bin/checksums.txt index 8e24099..331bcd5 100644 --- a/bin/checksums.txt +++ b/bin/checksums.txt 
@@ -1,14 +1,15 @@ # DarkFlare Binary Checksums -# Generated: Mon Dec 23 17:06:48 UTC 2024 +# Generated: Tue Jan 7 15:20:19 UTC 2025 -77b1046247f2ad10c0674197a71f4b2c5cc1e09dd9e02630dee8db5e106786d9 checksums.txt -14705381b2991a46ecfe71682b3e0ff8e4189aab025a8b345d29f018ba514710 darkflare-client-darwin-amd64 -d6d7711419853958e955b500fcc3e1a212cf4c8e69ba9b8d1426c04a7a275e91 darkflare-client-darwin-arm64 -a377734c31105f0178a1f6ec2c2e1d91116c5aeba9bbfc79c7cdbdfe070ff685 darkflare-client-linux-amd64 -530aba39b34abdcf44b95f6eb1797f95e6484edaa1e790d6777138f7f8f7cbb9 darkflare-client-linux-arm64 -89baf3b59620b321cc888a6a7e5e8d04b2544c6dd1d4350289f0cba06a157367 darkflare-client-windows-amd64.exe -cdf29af875438dbb991398f4331290299acb2676ba3e2cd93a945a1f67fde6f7 darkflare-server-darwin-amd64 -c7da08b1666b8adf1fc1f3bd6aba70b1c0a671903b8350d0a449316fa7384229 darkflare-server-darwin-arm64 -5baabce34c6460ab34e521d810d273a15214478ac28ddc5173e97508b4553e08 darkflare-server-linux-amd64 -adc8509157eec206a35521bd4350348b0b91be03a0ec154a80ef919973adf49a darkflare-server-linux-arm64 -894b84c82a4a750b71446301820535edf142552ff18f49983a368fb99c52ad81 darkflare-server-windows-amd64.exe +c7da08b1666b8adf1fc1f3bd6aba70b1c0a671903b8350d0a449316fa7384229 ./darkflare-server-darwin-arm64 +894b84c82a4a750b71446301820535edf142552ff18f49983a368fb99c52ad81 ./darkflare-server-windows-amd64.exe +d6d7711419853958e955b500fcc3e1a212cf4c8e69ba9b8d1426c04a7a275e91 ./darkflare-client-darwin-arm64 +89baf3b59620b321cc888a6a7e5e8d04b2544c6dd1d4350289f0cba06a157367 ./darkflare-client-windows-amd64.exe +adc8509157eec206a35521bd4350348b0b91be03a0ec154a80ef919973adf49a ./darkflare-server-linux-arm64 +530aba39b34abdcf44b95f6eb1797f95e6484edaa1e790d6777138f7f8f7cbb9 ./darkflare-client-linux-arm64 +5baabce34c6460ab34e521d810d273a15214478ac28ddc5173e97508b4553e08 ./darkflare-server-linux-amd64 +cdf29af875438dbb991398f4331290299acb2676ba3e2cd93a945a1f67fde6f7 ./darkflare-server-darwin-amd64 
+14705381b2991a46ecfe71682b3e0ff8e4189aab025a8b345d29f018ba514710 ./darkflare-client-darwin-amd64 +55d66950ba24f831185b239bcd5d3b10472de5f905944a9b172f1b90a04cde4a ./dll/darkflare-client-windows-amd64.dll +ae697bb86934dc7788edbb72fb5089c75403be9b1b9da4cc8cfad8dcbabf8011 ./dll/darkflare-client-windows-386.dll +a377734c31105f0178a1f6ec2c2e1d91116c5aeba9bbfc79c7cdbdfe070ff685 ./darkflare-client-linux-amd64 diff --git a/bin/dll/darkflare-client-windows-386.dll b/bin/dll/darkflare-client-windows-386.dll new file mode 100644 index 0000000..e2f8b45 Binary files /dev/null and b/bin/dll/darkflare-client-windows-386.dll differ diff --git a/bin/dll/darkflare-client-windows-amd64.dll b/bin/dll/darkflare-client-windows-amd64.dll new file mode 100644 index 0000000..f90eb1f Binary files /dev/null and b/bin/dll/darkflare-client-windows-amd64.dll differ