Vulpes

Vulpes is a Command & Control Framework with a Python Backend, and a C++ Implant. The Implant is designed to be as evasive as possible, whilst providing as much utility as possible.

Key Features

• C++ Utilising Object Oriented Programming (OOP) and Resource Acquisition is Initialised (RAII)
• MinGW-w64 and Visual Studio Support
• Operator Configuration File: Provides malleable PE, Listener, and Injection
• Fully configurable API Endpoints, Verbs, Dynamic URI Handling, and implant -> server authentication
• Custom SysCall Execution
• Custom Reflective DLL Loader
• Custom Sleep Masking / Region Protection
• Position Independant Stage 0: This performs initial checks, then loads the Reflective DLL
• .NET Code Execution (Local or Remote Process)
• Runtime Configuration Changes

Demo

TBC.

Command List

#	Name	Description
1	cat	Using stdlib, read the contents of the file and return the data (or the exception).
2	download	The stdlib will be used to read the bytes from disk.
3	executeassembly	Host a .NET CLR in the current process, execute the assembly, and then cleanly exit.
4	getdrivers	Enumerate all the system drivers.
5	getenv	Parse the Environmental Variable from the PEB Structure
6	getexports	Enumerate all the exports in a given dll.
7	gethandles	Enumerate all the handles for a process.
8	getmodules	Using the WINAPI, list the modules loaded by a process. If a PID is passed, the data is filtered
9	getregions	Enumerate all the memory regions in a process.
10	getsystem	Pass in a PID to a SYSTEM process. The Access Token is cloned and set on the executing thread
11	getthreads	Using the WINAPI, list the threads used by a process. If a PID is passed, the data is filtered
12	hostname	Return GetComputerName()
13	huntrwx	Using the NtQueryVirtualMemory SysCall, identify RWX Regions
14	inject	Using the configured method, inject a stageless implant into the target process.
15	injectbin	Using the configured method, inject specified shellcode into the target process.
16	injectrdll	Inject A Reflective DLL into a process. Setting the pid to 0 will self-inject. The injection is done via the configured method in the server configuration file.
17	loaddll	Using LoadLibraryA, load a DLL from disk.
18	ls	Use FindFirstFile & FindNextFile to cycle through either a user specified directory, or the current directory.
19	modulegrep	Using the WINAPI, list the processes on the host and enumerate the loaded modules
20	procgrep	Using the WINAPI, list the processes on the host and filter by name
21	ps	Using the WINAPI, list the processes on the host. If a PID is passed, the data is filtered
22	pwd	Extract the current path from the PEB.
23	setpriv	Using the WINAPI, Set or remove a privilege
24	spawn	Using the configured method, inject a stageless implant into the newly created process.
25	upload	The stdlib will be used to write the bytes to disk.
26	whoami	Return GetComputerName()\GetUsername() (CONTOSO\Administrator).