Skip to content

Code Structure

Jump to bottom
Maxime Landon edited this page Feb 21, 2020 · 5 revisions

At the higher level, the code structure of Wiregost is the following:

  • client/ - Console client code
  • server/ - C2 Server code
  • ghost/ - Implants code
  • modules/ - All modules available (implants, post, etc...)
  • protobuf/ - Protobuf message (core of the capabilities of Wiregost)
  • data_service/ - Data Service code

For a complete readability of the codebase and an easy browsing of it, all of the above directories, as well as most of their subpackages, include a README explaining their roles and their respective contents.

Example for the client console commands package README

Complete Code Structure

Client

  • assets/ - Static asset files and management code (ex: client config)
  • commands/ - Command implementations
  • completers/ - Root and Command-specific completers
  • console/ - Console code (prompt, command dispatch, connect, etc...)
  • constants/ - Various shared constant values
  • core/ - Client/Server bind state management
  • events/ - Handles events from Wiregost server
  • help/ - Console help strings
  • spin/ - Console spinner library
  • transport/ - Wires the client to the server (MTLS connection code)
  • util/ - Various utilities needed by the client/console
  • version/ - Version information
  • wiregost-console.go - Entrypoint

Server

  • assets/ - Static assets embedded in the server binary, and their associated methods
  • c2/ - The server-side command and control implementation
  • certs/ - X509 certificate generation and management code
  • core/ - Data structures and methods managing connection state from agents/clients
  • cryptography/ - Cryptography code and wrappers around Go's standard crypto APIs
  • encoders/ - Data encoders and decoders
  • generate/ - Package for generating agents and shared libraries
  • gobfuscate/ - Compile-time obfuscation library
  • gogo/ - Go wrappers around the Go compiler toolchain
  • handlers/ - Methods invokable by agents without user interaction
  • log/ - Wrappers around Logrus logging
  • module/ - Agents' functionality is used through modules. Their functionning is defined here.
  • msf/ - Metasploit helper functions
  • rpc/ - RPC functions and logic, called by clients to control agents
  • transport/ - Contains server-side code for handling communication with clients
  • users / - Contains server-side code for managing Wiregost users
  • website/ - Static content that can be hosted on HTTP(S) C2 domains

Ghost Implants

  • constants/ - Various shared constant values
  • evasion/ - Evasion code
  • handlers/ - Code for handling C2 requests and tunnels
  • limits/ - Code for managing/observing imposed limits on implant (hostname, username, datetime)
  • priv/ - Code for managing privileges, mostly Windows-related now.
  • procdump/ - Code for process dumping
  • proxy/ - Code to detect/use/set proxies on the target
  • ps/ - Manage/view target processes
  • shell/ - Code for getting/using system shells on target
  • syscalls/ - Library for using Windows syscalls
  • taskrunner/ - Code for process injection/migration
  • transports/ - Wires the implant to the C2 server
  • version/ - Implant version
  • winhttp/ - Code for using Windows HTTP APIs (used by proxy package)
  • dllmain.c - Code used by implants compiled as shared libraries
  • ddlmain.h - Headers for implants as shared libraries
  • dllmain.go - (Secondary) Entrypoint for implants as shared libraries
  • ghost.go - Entrypoint for all implants

Modules

  • exploit - All exploits
  • payload - Stubs to Wiregost implant generation code, and listener spawning
  • post - All modules that can be run on a Ghost agent (privesc, recon, persistence, etc...)
  • auxiliary - All modules that do not trigger any vulnerability (scanners, proxies, etc...)

Protobuf

  • client/ - Generally refered as clientpb in the code, these messages/stubs should only be send from client to server, or conversely.
  • ghost/ - Referred as ghostpb in the /server/ code, or pb in the /ghost/ code, these messages/stubs may be sent from client to the server, or from server to agents and vice versa.

Data Service

  • models/ - All entities that need persistence in Wiregost, and their DB methods.
  • remote/ - Methods used by client to make requests to data service
  • handlers/ - Server handlers, calling models and their methods.
  • config.yaml - Configuration file for database access and http service
  • data_service.go - Entry point for data service

Overview

Install

Data Service

C2 Server

Console

Modules

Implants

Writing Modules

Configuration

Clone this wiki locally