letho1608/agent_lab

WARNING: This repository contains components that can be abused for malicious purposes (e.g., keylogging, screenshots, audio recording, browser data access, etc.). Use strictly for academic, defensive research, or in isolated, controlled laboratory environments. Unauthorized use may violate laws. Authors and contributors take NO responsibility for misuse.

Purpose

  • Defensive security research: enable technical analysis, detection signature development, and mitigation design.
  • Education: provide examples to learn defensive mechanisms, detection techniques, and incident response.

Audience

  • Security researchers, blue teams, and cybersecurity students operating in controlled, isolated, lawful environments.

Mandatory usage principles

  • Use only in isolated lab environments (VMs/lab networks). Do not connect to public networks or production devices/data.
  • Do not deploy, test, or operate on systems/accounts you do not own or lack explicit written authorization to use.
  • Do not collect, process, transmit, or store real personal data; use synthetic data only.
  • Respect applicable laws, organizational policies, and professional ethics.

Architecture overview (high-level, not operational guidance)

  • client/: sample components showcasing host-side techniques (keylogger, clipboard, screenshots, audio, browser, etc.) for defensive research.
    • inc/: module headers and interfaces.
    • src/: reference implementations of common offensive techniques for analysis and IOC/mitigation research.
  • server/: controller-side scaffolding for lab simulations and defensive testing only.
    • scripts/: internal helper scripts for simulations.
    • sql/: lab data structures (defaults to server/sql/agentlab.sqlite3).
  • payload/: example lab scenarios.
  • setup/: helper setup files for lab dependencies.
  • Utilities: main.py, create.py, etc.

Naming and standardized artifacts

  • Reflective DLL: agentlab_reflective.dll (built from client/src/agentlab_reflective.cpp).
  • Default injector name: AgentLabInjector.exe.
  • Database: server/sql/agentlab.sqlite3.

Simulated capabilities (high-level)

  • Client-side sample modules in client/src/ include:
    • Keylogger/ClipboardLogger: keystroke and clipboard capture in lab to build IOCs/defenses.
    • Screenshot/Webcam: screen and webcam capture for detection analysis.
    • AudioRecorder: simulated audio capture to study device access detection.
    • BrowserStealer: browser data extraction in lab for data protection research.
    • FileHunter/FileMonitor: file discovery and change monitoring to observe filesystem access.
    • FileTransfer: file transfer within lab scenarios for defensive testing.
    • KeystrokeInjector: keystroke injection to evaluate input control defenses.
    • Persistence: simulated persistence mechanisms for detection and removal research.
    • UACBypass/Stealth/AntiAnalysis: privilege-evasion/stealth/anti-analysis simulations for detection research.
    • Exec: local command execution to observe system artifacts.
    • Connexion/HandShake: simulated client-server communication channel.
    • ModuleBase/ModuleLoader: dynamic module loading framework for extensible simulations.
  • Server-side scaffolding in server/ provides:
    • Session management, simulated command routing/messaging, and lab data collection.
    • Operator scripts in server/scripts/ (e.g., broadcast, session management, simulated shell).
    • Storage under server/sql/ for post-analysis.

This README intentionally omits build/run/operate instructions to reduce misuse risk. If you are a legitimate researcher, construct your own lab environment in compliance with the above principles and your organization’s policies.

Safe research guidelines (recommendations)

  • Use snapshotted virtual machines, isolated networks (Host-only/Isolated VLAN), and disable clipboard/folder sharing with the host.
  • Observe behavior with lab tooling: EDR in lab mode, Sysmon, Windows Event Forwarding, dynamic sandboxes, and internal network logging.
  • Capture IOCs/TTPs: system API calls, process creation, registry changes, scheduled tasks, stealth techniques, and network behavior.
  • Build defenses: Sigma/YARA rules, EDR analytics, hardening policies, least privilege, and persistence monitoring.
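The "Build defenses" and "Capture IOCs/TTPs" points above, together with the standardized artifact names from the "Naming and standardized artifacts" section, can be turned into a first detection pass. The script below is an added example, not code from the agent_lab project: it evaluates a handful of simple rules over constructed Sysmon-style events (ProcessCreate, FileCreate and RegistryEvent records using the usual Sysmon field names). The two file names it matches on (AgentLabInjector.exe and agentlab_reflective.dll) are the ones the README lists; every event, SID and path in the sample data is constructed for the example, and the rule names are assumptions.

```python
"""Toy detection pass over constructed Sysmon-style events (added example).

Not part of the agent_lab project. The SAMPLE_EVENTS below are constructed
for illustration; nothing here was captured from a real host.
"""
from pathlib import PureWindowsPath

# Lab artifact names as listed in the README (compared case-insensitively).
LAB_INJECTOR = "agentlabinjector.exe"
LAB_REFLECTIVE_DLL = "agentlab_reflective.dll"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def rule_lab_injector(ev: dict) -> bool:
    """Sysmon EventID 1 (ProcessCreate) whose image is the default injector."""
    return ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == LAB_INJECTOR


def rule_lab_dll_on_disk(ev: dict) -> bool:
    """Sysmon EventID 11 (FileCreate) writing the reflective DLL to disk.

    A reflectively loaded DLL usually bypasses the Windows loader, so no
    ImageLoad (EventID 7) is expected; the file write is the better hook.
    """
    return (
        ev.get("EventID") == 11
        and _basename(ev.get("TargetFilename", "")) == LAB_REFLECTIVE_DLL
    )


def rule_run_key_persistence(ev: dict) -> bool:
    """Sysmon EventID 13 (registry value set) under a ...\\CurrentVersion\\Run key."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == 13 and "\\currentversion\\run" in target


def rule_schtasks_create(ev: dict) -> bool:
    """Sysmon EventID 1 where schtasks.exe is asked to create a task."""
    cmd = ev.get("CommandLine", "").lower()
    return (
        ev.get("EventID") == 1
        and _basename(ev.get("Image", "")) == "schtasks.exe"
        and "/create" in cmd
    )


# Rule names are assumptions chosen for this example.
RULES = {
    "lab_injector_process": rule_lab_injector,
    "lab_reflective_dll_written": rule_lab_dll_on_disk,
    "run_key_persistence": rule_run_key_persistence,
    "scheduled_task_created": rule_schtasks_create,
}


def evaluate(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, RecordId) for every event/rule pair that matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["RecordId"]))
    return hits


# Constructed sample events (paths, SID and task name are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Lab\AgentLabInjector.exe",
     "CommandLine": "AgentLabInjector.exe"},
    {"RecordId": 3, "EventID": 11, "Image": r"C:\Lab\AgentLabInjector.exe",
     "TargetFilename": r"C:\Lab\agentlab_reflective.dll"},
    {"RecordId": 4, "EventID": 13, "Image": r"C:\Lab\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Lab\sample.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "LabTask" /tr C:\\Lab\\sample.exe /sc onlogon'},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for name, record_id in evaluate(SAMPLE_EVENTS):
        print(f"{name}: RecordId {record_id}")
```

The file-name rules are only a starting point: they catch the default artifact names from the README and nothing else, so they are useful for confirming that lab telemetry is flowing rather than as production detections. The registry and scheduled-task rules are behaviour-based and carry over to other samples; in a real deployment they would be expressed as Sigma rules or EDR analytics and tuned against the benign baseline of the lab image (for example, legitimate installers also write Run keys).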

Legal and compliance

  • Possession, distribution, or use of this code may be regulated by local/international laws. Consult legal counsel before testing.
  • You are solely responsible for ensuring legal and policy compliance.

Contributions

  • Defensive-only contributions are welcome: better lab simulations, additional detection indicators, defensive documentation, or safer research practices.
  • No contributions that extend offensive capabilities or add operational run instructions.

Disclaimer

This repository is provided “as is” for educational/defensive purposes only, without warranties of any kind. Use at your own risk.

About

AgentLab is a defensive C2 lab framework for research and education, featuring a modular Windows client and a controller with a Streamlit web UI and SQLite storage, designed strictly for isolated, lawful lab use.
