ZZ0R0/Proteus

Proteus

Rust C2 agent for the Mythic framework. Three Rust crates (shellcode agent, pre-link COFF analyzer, data-section obfuscation) bundled with a Python Mythic Payload Type service:

  • proteus-agent: no_std, no_main payload (x86_64-pc-windows-gnu) that resolves Win32/NT APIs from the PEB without static imports, runs entirely from a private NT heap, and communicates with Mythic over WinHTTP. Boots via a custom _start and a one-shot initialize() that promotes a stack-bootstrapped Instance to a permanent heap slot registered in PEB.ProcessHeaps. Produces raw shellcode (Proteus.bin).
  • layout-manifest — host-side COFF analyzer that emits a JSON manifest of sections, REL32 relocations, and the inferred call graph. Used as a debugging aid and as the foundation of the function shuffler.
  • obf/runtime (proteus-obf) + obf/macros (proteus-obf-macros) — runtime + proc-macro halves of the data-section ciphering system. Every obf!("…") / obf_bytes!(b"…") / obf_utf16_z!(b"…") site emits an encrypted blob in its own .rdata$prx_obf_<id> COFF section, decoded on-stack at use-time via ChaCha20 keystream.
  • Payload_Type/proteus/proteus/ — Python package (Mythic MythicContainer SDK) declaring build parameters and commands, auto-registered via mythic/agent_functions/.
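
What a pre-link COFF analyzer of the kind described for layout-manifest reads from an object file, as an added example (not the project's code, and without the call-graph inference): it walks the section table, resolves long section names through the string table, and lists REL32 relocations. The manifest field names, the sample object and the `_demo` section suffix are constructed for illustration.

```python
import json
import struct

AMD64, REL32 = 0x8664, 0x0004   # IMAGE_FILE_MACHINE_AMD64, IMAGE_REL_AMD64_REL32
SECTION = "<8sIIIIIIHHI"        # 40-byte COFF section header

def parse_coff(data):
    """Return the sections and REL32 relocations of an x86-64 COFF object."""
    machine, nsec, _, symtab, nsyms, opt_size, _ = struct.unpack_from("<HHIIIHH", data, 0)
    if machine != AMD64:
        raise ValueError("not an x86-64 COFF object")
    strtab = symtab + nsyms * 18  # string table follows the 18-byte symbol records
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION, data, 20 + opt_size + i * 40)
        raw, size, rel_ptr, nrel = fields[0], fields[3], fields[5], fields[7]
        name = raw.rstrip(b"\0").decode("ascii")
        if name.startswith("/"):  # long name: "/<decimal offset>" into the string table
            start = strtab + int(name[1:])
            name = data[start:data.index(b"\0", start)].decode("ascii")
        rel32 = []
        for r in range(nrel):     # 10-byte relocation records
            va, sym, rtype = struct.unpack_from("<IIH", data, rel_ptr + r * 10)
            if rtype == REL32:
                rel32.append({"offset": va, "symbol_index": sym})
        sections.append({"name": name, "size": size, "rel32": rel32})
    return {"machine": hex(machine), "sections": sections}

def build_sample():
    """Constructed object: .text with one REL32, plus one long-named .rdata section."""
    long_name = b".rdata$prx_obf_demo\0"
    strtab = struct.pack("<I", 4 + len(long_name)) + long_name
    text = b"\xe8\x00\x00\x00\x00\xc3"   # call rel32; ret
    blob = b"\xaa" * 8                   # placeholder data bytes
    reloc = struct.pack("<IIH", 1, 0, REL32)
    symbol = struct.pack("<8sIhHBB", b"target", 0, 0, 0x20, 2, 0)
    text_off = 20 + 2 * 40               # file header + two section headers
    rel_off = text_off + len(text)
    blob_off = rel_off + len(reloc)
    sym_off = blob_off + len(blob)
    hdr = struct.pack("<HHIIIHH", AMD64, 2, 0, sym_off, 1, 0, 0)
    s1 = struct.pack(SECTION, b".text", 0, 0, len(text), text_off, rel_off, 0, 1, 0, 0x60500020)
    s2 = struct.pack(SECTION, b"/4", 0, 0, len(blob), blob_off, 0, 0, 0, 0, 0x40000040)
    return hdr + s1 + s2 + text + reloc + blob + symbol + strtab

if __name__ == "__main__":
    print(json.dumps(parse_coff(build_sample()), indent=2))
```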

The signature feature is the shuffle pipeline: each build produces a binary where _start is pinned at offset 0 but every other function is reordered randomly, with all REL32 / RIP-relative references repaired by the linker. Combined with a per-build random ChaCha20 master key and nonce salt, identical source produces structurally different output on every build.

Layout

Proteus/
├── config.json                       # mythic-cli install gateway
├── README.md, ROADMAP.md
├── LICENSE
├── documentation-payload/            # ships with payload (config: exclude=false)
│   ├── ARCHITECTURE.md               # global system schema
│   ├── DEV_GUIDELINES.md             # rules for new code
│   ├── STATE_OF_WORK.md              # development log
│   ├── DATA_SECTIONS_CIPHERING.md    # Phase 1.5 design doc
│   └── analysis/                     # detectability scoring scripts
└── Payload_Type/proteus/             # Docker build context (mythic-cli copies this)
    ├── Dockerfile
    ├── .dockerignore
    ├── main.py, requirements.txt
    ├── README.md
    └── proteus/                      # Python package — everything below lives here
        ├── __init__.py
        ├── mythic/                   # Mythic SDK glue
        │   ├── __init__.py           # glob auto-import of agent_functions/*.py
        │   ├── agent_functions/      # PayloadType + per-command CommandBase subclasses
        │   ├── browser_scripts/
        │   ├── builders/             # shellcode build orchestration
        │   └── agent_icon/
        └── agent_code/               # Rust crates (Docker-only compilation)
            ├── proteus-agent/        # shellcode agent (no_std, no_main, windows-gnu)
            │   ├── build.rs          #   per-build CFG_*, master key, nonce salt
            │   ├── Linker.{ld,shuffled.ld}
            │   ├── Makefile.toml
            │   ├── tools/            #   gen-shuffled-linker.py, link-shuffled.sh
            │   └── src/
            │       ├── main.rs           # _start + initialize + run + _Unwind_Resume
            │       ├── log.rs            # debug-log feature
            │       ├── obf.rs            # MASTER_KEY + obf!*-macro re-exports
            │       ├── build_config.rs   # include!() of $OUT_DIR/build_config.rs
            │       ├── win/              # Windows OS surface
            │       ├── agent/            # Mythic agent business logic
            │       └── comms/            # comms stack (crypto + envelope + http + json)
            ├── layout-manifest/      # pre-link COFF analyzer (host dev tool)
            └── obf/                  # ChaCha20 data-section obfuscation
                ├── runtime/          #   `proteus-obf` runtime library
                └── macros/           #   `proteus-obf-macros` proc-macros

Install

All compilation happens inside the Mythic Docker container. To install (or re-install after a code change):

sudo mythic-cli install folder <path-to-repo>/ -f

Operators trigger a build via the Mythic web UI; that calls proteus.mythic.agent_functions.builder.Proteus.build, which orchestrates cargo make shuffle against the staged agent_code/ tree inside the container and returns the raw Proteus.bin shellcode.

Build parameters and commands are declared in Payload_Type/proteus/proteus/mythic/agent_functions/ and auto-registered.

PE wrapper

Proteus produces raw position-independent shellcode only. To turn Proteus.bin into a self-injecting Windows executable, use the sibling Minotaur wrapper payload type — Minotaur embeds the shellcode in a disguised GUI PE via steganography in .rsrc bitmap resources.

Documentation

| File | Content |
| --- | --- |
| ROADMAP.md | Phase-by-phase development roadmap |
| documentation-payload/ARCHITECTURE.md | System architecture diagrams |
| documentation-payload/DEV_GUIDELINES.md | Coding conventions and rules |
| documentation-payload/DATA_SECTIONS_CIPHERING.md | Phase 1.5 obfuscation design |
| documentation-payload/STATE_OF_WORK.md | Development log |
| Payload_Type/proteus/proteus/agent_code/proteus-agent/README.md | Shuffle pipeline details |
| Payload_Type/proteus/proteus/agent_code/layout-manifest/README.md | COFF analyzer usage |

Disclaimer

This project is an open-source educational red team training tool and personal portfolio piece. It is intentionally similar in scope and capabilities to existing public Mythic agents (Apollo, Athena, Thanatos, Poseidon).

All development and testing are conducted exclusively on hardware and lab VMs owned by the author.

About

Rust C2 agent for Mythic that produces polymorphic shellcode: per-build function shuffle + ChaCha20-encrypted data sections; no_std/no_main agent, PEB-walked APIs, WinHTTP comms.
