What’s up everyone.

I want to share the complete architectural flow of a project I've been refining: Ghost-C2 paired with Phantom Loader.

The goal was simple but brutal: drop the bloated C/C++ frameworks, eliminate libc dependencies, avoid the disk entirely, and build stateless C2 communication over ICMP using pure x64 Assembly. But rather than just running a standalone binary that blue teams can spot in ps aux, I integrated a custom loader to inject the implant directly into a legitimate, running host process as Position Independent Code (PIC).

Here is the exact execution flow and network architecture.

Initial Infection: Phantom Loader (loader.asm)

The deployment starts with loader.asm. Its only job is to find a host, inject the payload, and vanish. It executes the following pure syscall sequence:

Target Acquisition: Scans /proc to find the PID of a legitimate target daemon.

Hijack: Executes ptrace(PTRACE_ATTACH) to halt the target process.

Memory Allocation: Forces the target to execute a remote mmap syscall, creating a PROT_READ | PROT_WRITE memory page.

Injection: Writes sniff.asm (compiled as raw PIC shellcode) into the newly allocated memory space.

Permission Flip: Calls mprotect to flip the page permissions to PROT_READ | PROT_EXEC (RX), avoiding the highly suspicious RWX flag that EDRs hunt for.

Execution: Hijacks the Instruction Pointer (RIP) to point to the entry of the injected shellcode.

Vanish: Executes ptrace(PTRACE_DETACH). The loader exits and deletes itself. The target process resumes, now hosting our ICMP listener purely in RAM.

The Implant: Stateless & Fileless (sniff.asm)

Now living inside the host process, the implant acts as a passive, stateless raw socket listener. It doesn't open ports. It doesn't establish TCP handshakes.

• The Trigger: The Operator console (client.asm) prompts for an IP and command, encrypts the payload using a Symmetric Rolling XOR cipher, and fires an ICMP Echo Request (Type 8).

• Asymmetric Authentication: The implant ignores all standard pings. It only wakes up if the packet's ID + SEQ fields match a specific mathematical sum (Auth Key: 45,000).

• Execution via memfd_create: Once validated, it decrypts the command, calls fork and execve, and pipes the STDOUT/STDERR into an anonymous RAM file using sys_memfd_create. No disk I/O, no forensic artifacts.

Exfiltration: Beating DPI & Traffic Analysis

Exfiltrating shell output over ICMP usually means massive packet fragmentation that Deep Packet Inspection (DPI) engines easily flag. To counter this:

• Hybrid Compression: Before sending the data back, the implant compresses the memory buffer using a custom DPCM-RLE (Differential Pulse-Code Modulation + Run-Length Encoding) engine written in assembly.

• Traffic Shaping: The compressed output is encrypted, fragmented, and sent back as ICMP Echo Replies. To bypass OS network stack confusion and network echo interference, the implant replies with a different Auth Key (55,000).

• Jitter: The outgoi…
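As an added, defender-side example that is not part of the original post: a small Python inspector that parses ICMP echo messages and flags any whose ID + SEQ equals one of the auth sums quoted above (45,000 on the request side, 55,000 on the reply side). The sample messages are constructed inline for the demo; on a real sensor you would feed it the ICMP portion of captured packets.

```python
import struct
from typing import Optional

# ID+SEQ sums the post quotes as the implant's trigger (45,000) and reply (55,000) keys.
AUTH_SUMS = {45000: "request-trigger", 55000: "reply-marker"}
ECHO_REPLY, ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed sample ICMP message with a valid checksum (demo data, not a capture)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def inspect_icmp(msg: bytes) -> Optional[dict]:
    """Return a finding for echo traffic whose ID+SEQ matches a known auth sum, else None."""
    if len(msg) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    label = AUTH_SUMS.get(ident + seq)
    if label is None:
        return None
    # Checksum validity is reported, not enforced: raw sockets still see bad-checksum packets.
    checksum_ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum
    return {"type": icmp_type, "id": ident, "seq": seq, "id_plus_seq": ident + seq,
            "label": label, "payload_len": len(msg) - 8, "checksum_ok": checksum_ok}

def scan(messages) -> list:
    """Run inspect_icmp over an iterable of ICMP messages, keeping only findings."""
    return [f for f in map(inspect_icmp, messages) if f is not None]

# Constructed samples: a normal ping, a request hitting 45,000, a reply hitting 55,000,
# and a non-echo message (type 3) whose fields also sum to 45,000 and must be ignored.
SAMPLES = [
    build_echo(ECHO_REQUEST, 0x1234, 1, bytes(56)),
    build_echo(ECHO_REQUEST, 40000, 5000, b"\x7a\x41\x13"),
    build_echo(ECHO_REPLY, 50000, 5000, b"\x02\x9c"),
    build_echo(3, 40000, 5000),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A fixed ID + SEQ sum is a brittle but cheap indicator; pairing it with payload-length and reply-rate baselines for ICMP on the segment catches the variant where the key is changed.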
