{"id":50506205,"url":"https://github.com/enkomio/argus","last_synced_at":"2026-06-02T16:03:24.697Z","repository":{"id":360620567,"uuid":"1239970383","full_name":"enkomio/argus","owner":"enkomio","description":"Windows network traffic interception tool for malware analysis. Intercepts HTTP/S, DNS, SMTP, POP3 with fake responses, HTTPS MITM, and per-transaction capture.","archived":false,"fork":false,"pushed_at":"2026-05-27T06:16:42.000Z","size":1332,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-27T08:07:09.088Z","etag":null,"topics":["dns","http","https","malware-analysis","network-interception","smtp","traffic-analysis"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/enkomio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-15T16:23:52.000Z","updated_at":"2026-05-27T06:15:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/enkomio/argus","commit_stats":null,"previous_names":["enkomio/argus"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/enkomio/argus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enkomio%2Fargus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enkomio%2Fargus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enkomio%2Fargus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enkomio%2Fargus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/enkomio","download_url":"https://codeload.github.com/enkomio/argus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enkomio%2Fargus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33829346,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","http","https","malware-analysis","network-interception","smtp","traffic-analysis"],"created_at":"2026-06-02T16:03:24.061Z","updated_at":"2026-06-02T16:03:24.687Z","avatar_url":"https://github.com/enkomio.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Argus\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"media/logo.png\" alt=\"Argus logo\" width=\"500\"/\u003e\n\u003c/p\u003e\n\nA Windows network traffic interception tool for malware analysis.\n\n## Index\n\n- [What is Argus?](#what-is-argus)\n- [Usage](#usage)\n- [Configuration](#configuration)\n- [Customising fake HTTP responses](#customising-fake-http-responses)\n- [HTTPS interception (MITM)](#https-interception-mitm)\n- [ForwardTo — external traffic modifier](#forwardto--external-traffic-modifier)\n- [Request/response capture](#requestresponse-capture)\n- [Listeners](#listeners)\n- [Building](#building)\n- [Legal Notice](#legal-notice)\n- [License](#license)\n\n## What is Argus?\n\nArgus intercepts all outgoing network traffic from a system and responds with fake but plausible responses. This tricks malware into thinking it has successfully connected to its C2 server, allowing analysts to observe its behaviour in a controlled environment.\n\nKey capabilities:\n- **Automatic traffic redirection** — WinDivert rewrites packet destinations at kernel level; no manual DNS or proxy configuration needed\n- **Protocol-aware listeners** — HTTP/HTTPS, DNS, SMTP, POP3, raw TCP/UDP\n- **Per-host HTTPS interception** — automatic CA generation with dynamic per-hostname leaf certificates (mitmproxy-style); install the CA once and all TLS traffic is decryptable\n- **Process identification** — every intercepted connection is attributed to the originating process name and PID\n- **Selective passthrough** — chosen processes, PIDs, IPs, domains, or URL patterns are passed through transparently to the real destination instead of receiving a fake response\n- **Selective logging suppression** — `NoLog` entries exclude matching connections from capture files\n- **Request/response capture** — every intercepted transaction is saved to disk under `capture/\u003cprocess\u003e/\u003cpid\u003e/\u003cprotocol\u003e/`\n- **Customisable fake responses** — drop files into `default_files/` to serve custom content per path; built-in fallback if the directory or file is absent\n\n## Usage\n\nArgus requires an elevated terminal or UAC prompt (the embedded manifest requests `requireAdministrator` automatically).\n\n```powershell\n# Run with default config\nargus.exe\n\n# Custom config file\nargus.exe -c configs\\default.ini\n\n# Verbose / debug logging\nargus.exe -v\n\n# Bind listeners to a specific address\nargus.exe -b 0.0.0.0\n\n# Write log output to file\nargus.exe -l argus.log\n\n# Override capture directory (default: capture\\)\nargus.exe --log-dir D:\\analysis\\run1\n\n# List available listener types\nargus.exe --list-listeners\n```\n\n## Configuration\n\nEdit `configs\\default.ini` to enable/disable listeners and customise responses.\n\n### Global options\n\n```ini\n[Argus]\nDivertTraffic: Yes # Enable WinDivert automatic traffic redirection\n```\n\n### Listener configuration reference\n\nEvery listener section (except `[Argus]`) accepts the following keys:\n\n| Key | Required | Applies to | Description | Example values |\n|-----|----------|------------|-------------|----------------|\n| `Listener` | ✅ | All | Listener type to use | `HTTPListener`, `DNSListener`, `SMTPListener`, `POPListener`, `RawListener` |\n| `Enabled` | ✅ | All | Whether to start this listener | `True`, `False` |\n| `ServicePort` | ✅ | All | Port WinDivert intercepts (traffic destined for this port is captured) | `80`, `443`, `53`, `25` |\n| `ListenerPort` | ✖️ | All | Port Argus actually binds on locally. Defaults to `ServicePort` when omitted | `18080`, `18443`, `10053` |\n| `Protocol` | ✖️ | All | Transport protocol. Default: `TCP` | `TCP`, `UDP` |\n| `UseSSL` | ✖️ | HTTP | Enable TLS termination (HTTPS MITM). Default: `No` | `Yes`, `No` |\n| `Timeout` | ✖️ | All | Idle connection timeout in seconds. Default: `10` | `5`, `10`, `30` |\n| `Banner` | ✖️ | SMTP, POP3 | Greeting line sent to the client on connect | `220 mail.example.com ESMTP`, `+OK POP3 ready` |\n| `ResponseA` | ✖️ | DNS | IP address returned for **A** queries | `127.0.0.1`, `192.168.1.1` |\n| `ResponseMX` | ✖️ | DNS | Hostname returned for **MX** queries | `mail.argus.local` |\n| `ResponseTXT` | ✖️ | DNS | String returned for **TXT** queries | `v=spf1 -all`, `ARGUS` |\n| `Passthrough` | ✖️ | All | Comma-separated list of processes / IPs / domains to pass through to the real destination instead of intercepting. See [Selective passthrough](#selective-passthrough) | `curl.exe`, `93.184.216.34`, `.*\\.microsoft\\.com` |\n| `NoLog` | ✖️ | All | Comma-separated list of processes / IPs / domains whose traffic is **not** written to capture files. Same entry format as `Passthrough` | `analytics\\.example\\.com`, `telemetry\\.microsoft\\.com` |\n| `ForwardTo` | ✖️ | All | `IP:PORT` of an external TCP endpoint that can inspect and modify every request and response before it is processed. See [ForwardTo](#forwardto--external-traffic-modifier) | `127.0.0.1:9999` |\n\n\u003e **`ServicePort` vs `ListenerPort`** — `ServicePort` is the well-known port the monitored application connects to (e.g. 80 for HTTP). WinDivert transparently redirects that traffic to `ListenerPort`, which is where Argus actually listens. Using a high-numbered `ListenerPort` avoids privilege conflicts when two listeners would otherwise share the same port.\n\n### Selective passthrough\n\nThe `Passthrough` key accepts a comma-separated list of entries. A connection is passed through to the real destination when **any** entry matches. Supported entry types:\n\n| Entry type | Example | Matched against |\n|--------------|--------------------------------------|------------------------------|\n| Process name | `curl.exe`, `curl.*` | originating process name |\n| PID | `1234` | originating process PID |\n| IPv4 address | `93.184.216.34` | original destination IP |\n| IPv6 address | `2606:2800:220:1:248:1893:25c8:1946` | original destination IP |\n| Domain | `example.com`, `.*\\.microsoft\\.com` | HTTP `Host` / DNS query name |\n| Domain+path | `example.com/api/v1` | HTTP `Host` + URI prefix |\n| URL | `http://example.com/path` | scheme stripped, then above |\n\n**Process names and domain/URL entries are treated as case-insensitive regular expressions** anchored at the start (`^`). A plain name like `curl.exe` still works — the `.` in regex matches any character, which is harmless in practice. Use `curl\\.exe` for a precise literal-dot match.\n\n```ini\n# Pass through any process whose name starts with \"curl\"\nPassthrough: curl.*\n\n# Pass through DNS queries for any Microsoft domain\nPassthrough: .*\\.microsoft\\.com\n\n# Pass through requests to a specific path only\nPassthrough: updates\\.vendor\\.com/v2/check\n\n# Mix multiple entry types\nPassthrough: malware_loader.exe, 93.184.216.34, c2\\.evil\\.io\n```\n\nWhen an HTTP connection is passed through:\n- **Phase 1** (before reading data): PID, process name, and IP entries are checked. If matched, the raw TCP stream is proxied transparently (`copy_bidirectional`).\n- **Phase 2** (after reading HTTP headers): domain and URL entries are checked against the `Host` header and URI. The already-read request bytes are replayed to the real server before proxying the rest.\n\nArgus's own outbound connections (created during passthrough) are automatically excluded from WinDivert interception to prevent redirect loops.\n\n### Selective logging suppression\n\nThe `NoLog` key uses the same entry format as `Passthrough`. Matching connections are not written to capture files (they are still logged to the console/log file at `info` level).\n\n```ini\nNoLog: analytics\\.example\\.com, telemetry\\.microsoft\\.com\n```\n\n### Listener example — HTTP / HTTPS\n\n```ini\n[HTTPListener]\nEnabled: True\nListener: HTTPListener\nServicePort: 80\nListenerPort: 18080\nProtocol: TCP\nUseSSL: No\nTimeout: 10\n\n[HTTPSListener]\nEnabled: True\nListener: HTTPListener\nServicePort: 443\nListenerPort: 18443\nProtocol: TCP\nUseSSL: Yes\nTimeout: 10\n\n# Optional: pass through matching connections to the real destination.\n# Passthrough: curl.exe, 1234, 93.184.216.34, example\\.com, http://evil\\.com/payload\n\n# Optional: suppress capture files for matching connections.\n# NoLog: curl.exe, 1234, 93.184.216.34, analytics\\.example\\.com\n```\n\n### Listener example — DNS\n\n```ini\n[DNSListener]\nEnabled: True\nListener: DNSListener\nServicePort: 53\nListenerPort: 10053\nProtocol: UDP\nResponseA: 127.0.0.1 # IP returned for A queries\nResponseMX: mail.argus.local\nResponseTXT: ARGUS\n\n# Optional: forward matching queries to the real DNS server.\n# Passthrough: curl.exe, 1234, 93.184.216.34, example.com, .*\\.microsoft\\.com\n\n# Optional: suppress capture files for matching queries.\n# NoLog: curl.exe, 1234, 93.184.216.34, analytics\\.example\\.com\n```\n\nSupported record types: `A`, `AAAA` (returns `::1`), `MX`, `TXT`. Any other query type receives an `A` record fallback.\n\n### Listener example — SMTP / POP3\n\n```ini\n[SMTPListener]\nEnabled: True\nListener: SMTPListener\nServicePort: 25\nListenerPort: 10025\nProtocol: TCP\nBanner: 220 argus.local SMTP Service Ready\n\n[POPListener]\nEnabled: True\nListener: POPListener\nServicePort: 110\nListenerPort: 10110\nProtocol: TCP\nBanner: +OK Argus POP3 Server Ready\n```\n\nEach listener logs credentials (USER/PASS) and protocol commands, and replies with plausible success responses to keep the malware running.\n\n### Listener example — Raw TCP/UDP\n\n```ini\n[RawTCPListener]\nEnabled: True\nListener: RawListener\nServicePort: 1337\nListenerPort: 11337\nProtocol: TCP\nTimeout: 5\n\n[RawUDPListener]\nEnabled: True\nListener: RawListener\nServicePort: 1338\nListenerPort: 11338\nProtocol: UDP\nTimeout: 5\n```\n\nAccepts any traffic, echoes it back, and logs a hex dump of up to 256 bytes per packet. Used as the default catch-all for ports with no dedicated listener.\n\n## Customising fake HTTP responses\n\nThe HTTP listener looks for files in the `default_files/` directory before falling back to the built-in response.\n\nResolution order for each incoming request:\n\n| Priority | Path tried | Example for `GET /login.html` |\n|----------|-----------|-------------------------------|\n| 1 | `default_files/{uri}` | `default_files/login.html` |\n| 2 | `default_files/index.html` | generic HTML fallback |\n| 3 | Built-in constant | always available |\n\nPlace any file in `default_files/` and it will be served automatically when the URI matches. The URI path is sanitised before use (leading `/` stripped, `..` components removed) to prevent directory traversal.\n\n```\ndefault_files/\n├── index.html ← served for \"/\" and any unmatched HTML request\n├── login.html ← served for \"/login.html\"\n├── api/\n│ └── status.json ← served for \"/api/status.json\"\n└── update.exe ← served for \"/update.exe\"\n```\n\n## HTTPS interception (MITM)\n\nOn first run, Argus generates a CA key pair in `configs/`:\n\n```\nconfigs/\n├── argus-ca.crt ← install this in Windows Certificate Store (Trusted Root CAs)\n└── argus-ca.key ← private key — keep secret\n```\n\nFor each TLS connection, Argus dynamically generates a leaf certificate for the requested hostname, signed by the CA. Once the CA is trusted by the OS, browsers and HTTP clients accept the leaf certificates without errors.\n\n**Installing the CA on Windows:**\n\n```powershell\ncertutil -addstore -f \"Root\" configs\\argus-ca.crt\n```\n\n**Removing the CA:**\n\n```\ncertmgr.msc → Trusted Root Certification Authorities → Certificates → right-click \"Argus CA\" → Delete\n```\n\nThe CA certificate expires after one year. Argus warns at startup if the loaded CA is expired.\n\n## ForwardTo — external traffic modifier\n\nThe `ForwardTo` key lets you route every intercepted request and response through an external TCP endpoint before Argus processes or returns it. The endpoint can inspect and modify the bytes; whatever it returns is used in place of the original payload. If the endpoint is unreachable or returns an error, Argus falls back to the original payload — traffic is never dropped.\n\n### Wire protocol\n\n```\nArgus → endpoint:\n [4 bytes BE uint32] length of JSON metadata header\n [N bytes UTF-8] JSON metadata\n [4 bytes BE uint32] length of raw payload\n [M bytes] raw payload\n\nendpoint → Argus:\n [4 bytes BE uint32] length of (possibly modified) payload\n [K bytes] payload to use in place of the original\n```\n\n**JSON metadata fields:**\n\n| Field | Type | Description |\n|------------|--------|------------------------------------------------------|\n| `direction`| string | `\"request\"` or `\"response\"` |\n| `protocol` | string | `\"http\"`, `\"https\"`, `\"dns\"`, `\"smtp\"`, `\"pop3\"`, `\"raw\"` |\n| `src_ip` | string | Client source IP |\n| `src_port` | number | Client source port |\n| `dst_ip` | string | Original destination IP (before WinDivert) |\n| `dst_port` | number | Original destination port |\n| `process` | string | Originating executable name (e.g. `\"malware.exe\"`) |\n| `pid` | number | Originating PID (`0` = unknown) |\n\n### Configuration\n\nAdd `ForwardTo` to any listener section in `configs\\default.ini`:\n\n```ini\n[HTTPListener]\nEnabled: True\nListener: HTTPListener\nServicePort: 80\nListenerPort: 18080\nProtocol: TCP\nForwardTo: 127.0.0.1:9999\n\n[DNSListener]\nEnabled: True\nListener: DNSListener\nServicePort: 53\nListenerPort: 10053\nProtocol: UDP\nForwardTo: 127.0.0.1:9999\n```\n\nMultiple listeners can point to the same endpoint, or each to a different one.\n\n### Running the example Python forwarder\n\nA ready-to-use example is provided in `python/example_interceptor.py`. It requires no external dependencies (standard library only).\n\n**Terminal 1 — start the forwarder first:**\n\n```bash\ncd python\npython example_interceptor.py # listens on 0.0.0.0:9999\npython example_interceptor.py --port 8888 # custom port\npython example_interceptor.py --debug # verbose output\n```\n\n**Terminal 2 — start Argus (elevated):**\n\n```powershell\nargus.exe -c configs\\default.ini\n```\n\n**Expected output (interceptor terminal):**\n\n```\n12:34:01 INFO Argus interceptor listening on 0.0.0.0:9999\n12:34:01 INFO Handling protocols: http, https, dns, smtp, raw\n12:34:01 INFO Add 'ForwardTo: 127.0.0.1:9999' to any listener in configs/default.ini\n12:34:01 INFO ────────────────────────────────────────────────────────────\n12:34:45 INFO [HTTP req] malware.exe → GET /c2/beacon\n12:34:45 INFO [HTTP rsp] 200 OK (1024 bytes) title tag patched\n12:34:46 INFO [DNS req] malware.exe → A evil-c2.example.com\n12:34:46 INFO [DNS rsp] evil-c2.example.com A TTL=60 127.0.0.1\n```\n\n### Python library (`argus_interceptor`)\n\n`python/argus_interceptor.py` is a zero-dependency library that handles all socket framing. Implement only the handlers you need:\n\n```python\nfrom argus_interceptor import (\n create_interceptor,\n http_request, http_response,\n dns_message,\n smtp_response, smtp_command,\n)\n\ndef handle_http(meta, payload):\n if meta.direction == \"response\":\n resp = http_response(payload)\n resp.body = resp.body.replace(b\"foo\", b\"bar\")\n return resp.to_bytes() # Content-Length auto-updated\n return payload\n\ndef handle_dns(meta, payload):\n msg = dns_message(payload)\n for q in msg.questions:\n print(f\"{q.type_name} query for {q.name}\")\n return payload\n\ninterceptor = create_interceptor(\n http_handler=handle_http,\n https_handler=handle_http,\n dns_handler=handle_dns,\n)\ninterceptor.serve()\n```\n\n**Built-in protocol parsers:**\n\n| Function | Returns | Key fields |\n|---|---|---|\n| `http_request(payload)` | `HttpRequest` | `.method`, `.path`, `.headers`, `.body` |\n| `http_response(payload)` | `HttpResponse` | `.status_code`, `.status_text`, `.headers`, `.body` |\n| `dns_message(payload)` | `DnsMessage` | `.questions`, `.answers`, `.is_query`, `.rcode` |\n| `smtp_response(payload)` | `SmtpResponse` | `.code`, `.lines` |\n| `smtp_command(payload)` | `SmtpCommand` | `.command`, `.args` |\n\n`Headers` is a case-insensitive dict; `HttpRequest.to_bytes()` and `HttpResponse.to_bytes()` rebuild the raw message and update `Content-Length` automatically.\n\n`DnsRecord.address` returns the decoded IP for A/AAAA records; `DnsRecord.text` returns the decoded string for TXT records. `DnsMessage.to_bytes()` re-serialises the DNS wire format.\n\nThe interceptor can also be implemented in any other language — the wire protocol is language-agnostic (see wire format above). ForwardTo is called for both intercepted **and** passthrough connections, so the endpoint sees all traffic regardless of whether Argus is returning a fake response or proxying to the real server.\n\n## Request/response capture\n\nEvery intercepted transaction is saved to disk. The directory layout is:\n\n```\ncapture/\n└── \u003cprocess_name\u003e/\n └── \u003cpid\u003e/\n └── \u003cprotocol\u003e/\n ├── 20260515_143201_0001_req.log\n ├── 20260515_143201_0001_rsp.log\n ├── 20260515_143205_0002_req.log\n └── ...\n```\n\n- **`\u003cprocess_name\u003e`** — sanitised executable name (e.g. `malware.exe`)\n- **`\u003cpid\u003e`** — numeric PID; a new subdirectory is created if the process restarts\n- **`\u003cprotocol\u003e`** — `http`, `https`, `smtp`, `pop`, `dns`, `raw`\n- **filename** — `\u003cyyyymmdd\u003e_\u003cHHMMSS\u003e_\u003cNNNN\u003e_\u003creq|rsp\u003e.log` where `NNNN` is a per-PID transaction counter\n\nThe default capture directory is `capture\\` relative to the working directory. Override with `--log-dir`.\n\n## Listeners\n\n| Listener | Port | Protocol | Description |\n|---------------|-------|----------|-----------------------------------------------------|\n| HTTPListener | 80 | TCP | HTTP — serves fake HTML/files, passthrough on match |\n| HTTPSListener | 443 | TCP | HTTPS — per-host MITM certs, decrypted capture |\n| DNSListener | 53 | UDP | DNS — configurable A/AAAA/MX/TXT, passthrough |\n| SMTPListener | 25 | TCP | Email sending — logs credentials and message body |\n| POPListener | 110 | TCP | POP3 email retrieval — logs credentials |\n| RawListener | any | TCP/UDP | Catch-all — hex dump logging, echo response |\n\n## Building\n\n### Requirements\n\n- Windows 10/11 or Windows Server 2016+\n- **Administrator privileges** (required for WinDivert and privileged ports)\n- [WinDivert](https://reqrypt.org/windivert.html) — `WinDivert.dll` and `WinDivert64.sys` must be in the same folder as `argus.exe` (included in the repository)\n\n### 1. Install Rust\n\n```powershell\nwinget install Rustlang.Rustup\n# or download the installer from https://rustup.rs\n```\n\n### 2. Build\n\n```powershell\ncargo build --release\n```\n\nThe `build.rs` script automatically:\n- Adds `WinDivert-2.2.2-A/x64/` to the linker search path so `WinDivert.lib` is found at compile time\n- Copies `WinDivert.dll` and `WinDivert64.sys` next to `argus.exe`\n- Embeds a UAC manifest requesting `requireAdministrator`\n\nBinary location: `argus.exe`\n\n## Legal Notice\n\nThis tool is intended for legitimate malware analysis and security research. Use only in isolated lab environments. Do not use on production networks.\n\n## License\n\n[PolyForm Noncommercial 1.0.0](LICENSE) — free for personal use, security research, and non-commercial purposes. Commercial use is prohibited.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenkomio%2Fargus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fenkomio%2Fargus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenkomio%2Fargus/lists"}