Functions

The CrystalC2 client is written in Kotlin and runs on the JVM. It therefore uses scripts written in Sleep as the primary means of extending the client with new Beacon commands, etc.

This page documents all the CrystalC2-specific functions that you can call from Sleep.

blog

Send output to a Beacon console.

Arguments

• $1 - Beacon ID

• $2 - Text to print

Example

blog ( $1, "Hello World" );

bof_pack

Pack arguments in a way that's suitable for the Beacon APIs to unpack.

Arguments

• $1 - Beacon ID

• $2 - Format template

• ... - Arguments

Format string	Description	Unpack with
b	Binary data	BeaconDataExtract
i	Integer	BeaconDataInt
s	Short	BeaconDataShort
z	Null-terminated ANSI string	BeaconDataExtract
Z	Null-terminated Unicode string	(wchar_t *) BeaconDataExtract

Example

$args = bof_pack ( $1, "iz", 1337, "Hello World" );

bexit

Commands a Beacon to exit.

Arguments

• $1 - Beacon ID

• $2 - Callback

Example

bexit ( $1, {
    blog ( $1, "bye bye :D" );
} );

binline_execute

Execute a PICO inline.

Arguments

• $1 - Beacon ID

• $2 - PICO bytes

• $3 - Packed arguments

• $4 - Callback

Example

sub demo
{
    local ( '$handle $coff $spec $cap $pico $args' );

    $handle = openf ( "demo.x64.o" );
    $coff   = readb ( $handle, -1 );
    closef ( $handle );

    $spec = [ LinkSpec Parse: "demo.spec" ];
    $cap  = [ Capability Parse: cast ( $coff, 'b' ) ];
    $pico = [ $spec run: $cap, [ new HashMap ] ];

    $args = bof_pack ( $1, "z", $2 );

    binline_execute ( $1, $pico, $args );
}

register_command

Register a custom Beacon command.

Arguments

• $1 - Command alias

• $2 - Short description

• $3 - Long description

• $4 - Callback

Example

sub demo {
    ...
}

register_command ( "demo", "Demo command", "This is just a demo command", &demo );