fix(parser): replace packet size rejection with warning on receive

Server parser no longer rejects large packets from implants. Instead
it logs a warning and accepts the data. This prevents session
disconnection when exec output or other task results exceed the
configured packet_length.

The packet_length limit remains meaningful for the sending side
(implant controls its own packet size), but the receiving side
should accept whatever arrives successfully over the wire.

Also adds xor_bytes builtin function for Lua scripts (used by
onedrive pull XOR decryption).

Author: h3zh1

helper/intermediate/builtin.go

@@ -530,4 +530,30 @@ format_path("C:\\Windows\\System32\\calc.exe")
 			},
 			Example: `parse_hex("0x1f04")`,
 		})
+
+	RegisterFunction("xor_bytes", func(data string, key string) (string, error) {
+		if len(key) == 0 {
+			return data, nil
+		}
+		buf := []byte(data)
+		keyBytes := []byte(key)
+		for i := range buf {
+			buf[i] ^= keyBytes[i%len(keyBytes)]
+		}
+		return string(buf), nil
+	})
+	AddHelper(
+		"xor_bytes",
+		&mals.Helper{
+			Group: EncodeGroup,
+			Short: "XOR data with a repeating key",
+			Input: []string{
+				"data: raw bytes as string",
+				"key: XOR key",
+			},
+			Output: []string{
+				"string",
+			},
+			Example: `xor_bytes(data, "mykey")`,
+		})
 }

server/internal/parser/malefic/parser.go

@@ -104,8 +104,10 @@ func (parser *MaleficParser) readHeader(conn io.ReadWriteCloser) (uint32, uint32
 	}
 	sessionId := ParseSid(header)
 	length := binary.LittleEndian.Uint32(header[MsgSessionEnd:])
-	if length > parser.maxPacketLen()+consts.KB*16 {
-		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, parser.maxPacketLen(), length)
+	maxLen := parser.maxPacketLen()
+	if maxLen > 0 && length > maxLen+consts.KB*16 {
+		logs.Log.Warnf("[parser] large packet from session %x: %d bytes (limit %d), accepting anyway",
+			sessionId, length, maxLen)
 	}
 
 	return sessionId, length + 1, nil
@@ -116,10 +118,6 @@ func (parser *MaleficParser) ReadHeader(conn io.ReadWriteCloser) (uint32, uint32
 	if err != nil {
 		return 0, 0, err
 	}
-	//logs.Log.Debugf("%v read packet from %s , %d bytes", sid, conn.RemoteAddr(), length)
-	if length > parser.maxPacketLen()+consts.KB*16+1 {
-		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, parser.maxPacketLen(), length)
-	}
 	return sid, length, nil
 }
 

server/internal/parser/malefic/parser_test.go

@@ -78,9 +78,16 @@ func TestMaleficParser_ReadHeader_PacketTooLarge(t *testing.T) {
 	header := buildHeader(DefaultStartDelimiter, 1, hugeLen)
 
 	buf := &rwcBuf{bytes.NewBuffer(header)}
-	_, _, err := p.ReadHeader(buf)
-	if !errors.Is(err, types.ErrPacketTooLarge) {
-		t.Fatalf("expected ErrPacketTooLarge, got %v", err)
+	sid, length, err := p.ReadHeader(buf)
+	// Large packets are now accepted with a warning, not rejected
+	if err != nil {
+		t.Fatalf("expected large packet to be accepted, got error: %v", err)
+	}
+	if sid != 1 {
+		t.Fatalf("expected session_id=1, got %d", sid)
+	}
+	if length == 0 {
+		t.Fatal("expected non-zero length")
 	}
 }