github.com/iDigitalFlame/xmt@v0.5.4/README.md

# XMT: eXtensible Malware Toolkit

[![Go Report Card](https://goreportcard.com/badge/github.com/iDigitalFlame/xmt)](https://goreportcard.com/report/github.com/iDigitalFlame/xmt)
[![Go Reference](https://pkg.go.dev/badge/github.com/iDigitalFlame/xmt.svg)](https://pkg.go.dev/github.com/iDigitalFlame/xmt)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![Code Analysis](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml/badge.svg)](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml)
[![codecov](https://codecov.io/github/iDigitalFlame/XMT/branch/main/graph/badge.svg?token=REQESSIT7C)](https://codecov.io/github/iDigitalFlame/XMT)
[![Latest](https://img.shields.io/github/v/tag/iDigitalFlame/XMT)](https://github.com/iDigitalFlame/XMT/releases)

XMT is a full-featured C2 framework written in Golang that allows for control,
data exfiltration and some other cool functions. It can be used to build full C2
clients/servers with few out-of-the-box changes.

[ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) is one implementation
of this.

This framework also contains many utility functions, including:

- Advanced Process Control (Windows)
- Device Identification
- User Identification
- Windows "Window" utils
- Efficient Data Marshaling interfaces
- Easy Network communication resources
- Super low file size! ~5mb completely using [JetStream](https://github.com/iDigitalFlame/ThunderStorm)
- Backwards compatibility with systems as old as Windows XP!

The pkg.go.dev site has some of the framework documentation and definitions
[here](https://pkg.go.dev/github.com/iDigitalFlame/xmt).

__DISCLAIMER: Please use for legal reasons only.
I'm not responsible if you get__
__in trouble for using this improperly or if someone owns your environment and is__
__using XMT (or a derivative of it).__

## Roadmap

_Updated 02/17/23_

- Reflective DLL Injection (Windows)
- Updates to handling x86 PEB (Windows)
- Linux mem_fd loader
- Thread Injection improvements
- "Device Check" package
  - Detect VM
  - Anti-VM checks

These are some things that would be nice to have, but are not as important as the
above list:

- Keylogging
- MultiProxy support
- X/Wayland/OSX Screenshot support
- EDR Detection
- Linux shellcode support
- More thread injection options (Windows)

## Compatibility

This project is compatible with __ALL__ Golang versions starting from __go1.10__!
You can download the older versions of Golang from [the Golang website](https://go.dev/dl/).

Unless convinced otherwise, I plan to keep the compatibility down to Go1.10.
__Since I don't control the Script engines, Scripts are bound to >= go1.18__

__The following deprecated build types will NOT be supported__

- nacl/386
- nacl/amd64p32
- nacl/arm

__The following deprecated build types WORK but are specific__

- darwin/386 (<= go1.14)
- darwin/arm (<= go1.14, needs CGO)

### Older OS Support Issues

So far the only issues I've seen are:

- XP
  - Lacks the "CreateProcessWithTokenW" function, so any processes created while impersonating
    a user will fail. _(This does NOT affect Server 2003 WTF)_
- XP < SP3
  - Lacks the "WinHttpGetDefaultProxyConfiguration" function, which disables
    automatic HTTP Proxy detection.
- XP and Server 2003
  - Lacks the "RegDeleteTree" function, so deleting non-empty Keys may fail.
  - The concept of Token "Integrity" does not exist and users that are in the
    "Administrators" group are considered elevated.
  - Per the previous entry, the "Untrust" helper will NOT set the Token Integrity
    _(since it doesn't exist!)_, but it will STILL remove Token permissions.
  - Setting the parent process does __NOT__ work.
- Vista, Server 2008 and older
  - Cannot evade ETW logs as the function calls do not exist.
- Windows 8.1, Server 2012 and older
  - Cannot evade AMSI as it is only present in Windows 10 and newer.

### Compiling for Go1.10 (pre-modules)

Golang version 1.11 introduced the concept of Golang Modules and made dependency
management simple. Unfortunately, Go1.10 (the last to support XP, 2003, 2008
and Vista) does __not__.

To work around this, we can just _vendor_ the packages, since the only dependencies
are the following PurpleSec modules:

- [LogX: github.com/PurpleSec/logx](https://github.com/PurpleSec/logx)
- [Escape: github.com/PurpleSec/escape](https://github.com/PurpleSec/escape)

Which we already make backwards compatible :D

These dependencies can be downloaded and used with the following commands:

```bash
go mod vendor
mkdir "deps"
mv "vendor" "deps/src"
mkdir "deps/src/github.com/iDigitalFlame"
ln -s "$(pwd)" "deps/src/github.com/iDigitalFlame/xmt"
export GOPATH="$(pwd)/deps"
export GOROOT="<path to downloaded Go1.10 folder>"
```

_(Yes, I know you CAN use "-o" to specify the vendor directory, but that isn't_
_supported until go1.18!)_

This should allow you to compile using the full path of the Go1.10 Golang binary.
_(As long as you set your `GOROOT` and `GOPATH` correctly)_

## TODO

These are some things I need to work on.

- Documentation
- Build tags list

## References / Highlights / Presentations

BSides Las Vegas 2022: So you Wanta Build a C2?

[Video](https://www.youtube.com/watch?v=uAfGtGlHLxs) /
[Slides](https://public.idigitalflame.com/docs/so_you_wanta_build_a_c2.pdf)

## Bugs

_Updated 02/17/23_

- Potential KeyPair sync issue over long periods of time. __Still needs more testing__

Feel free to submit issue tickets or pull requests if something is broken or
doesn't act right. (I don't bite, mostly owo)

## Thanks and Credits

- [Geoff Chappell](https://www.geoffchappell.com) for his insights into various Windows API stuff
- Package Monkey by @skx [github.com/skx/monkey](https://github.com/skx/monkey)
- Package Otto by @robertkrimen [github.com/robertkrimen/otto](https://github.com/robertkrimen/otto)
- Intern method by @bradfitz [tailscale.com/blog/netaddr-new-ip-type-for-go/](https://tailscale.com/blog/netaddr-new-ip-type-for-go/)
  - Also the IP struct code and info.
- mTLS insights by @kofoworola [kofo.dev/how-to-mtls-in-golang](https://kofo.dev/how-to-mtls-in-golang)
- DLL loader by @monoxgas [github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
- Initial idea for MiniDump/DLL Reload by the Sliver C2 framework [github.com/BishopFox/sliver/](https://github.com/BishopFox/sliver/)
- Untrust idea by @zha0gongz1 [golangexample.com/...](https://golangexample.com/without-closing-windows-defender-to-make-defender-useless-by-removing-its-token-privileges-and-lowering-the-token-integrity/)

# Licenses

XMT is covered by the GNU GPLv3 License.

Third-party Licenses:

- [sRDI](https://raw.githubusercontent.com/monoxgas/sRDI/master/LICENSE) (GPLv3)
- [Monkey](https://raw.githubusercontent.com/skx/monkey/master/LICENSE) (MIT)
  - Only if [Monkey](https://github.com/skx/monkey) support is compiled in and enabled.
- [Otto](https://raw.githubusercontent.com/robertkrimen/otto/master/LICENSE) (MIT)
  - Only if [Otto](https://github.com/robertkrimen/otto) support is compiled in and enabled.
- [LogX](https://raw.githubusercontent.com/PurpleSec/LogX/main/LICENSE) (Apache v2)
- [Escape](https://raw.githubusercontent.com/PurpleSec/Escape/main/LICENSE) (Apache v2)
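The "Compiling for Go1.10 (pre-modules)" section above gives the vendoring recipe as a bare command sequence. The script below is an added example and is not code from the XMT project: it wraps the same GOPATH-layout construction in functions that refuse to clobber an existing `deps/` directory, drop the module-only `vendor/modules.txt`, create the project symlink with an absolute target, and verify that the directory you are about to export as `GOROOT` really holds a go1.10 toolchain. The only value taken from the README is the import path `github.com/iDigitalFlame/xmt` (from its `ln -s` line); the `make_demo_project` fixture (a fake `vendor/` tree for the two PurpleSec dependencies and a stub `go` binary that only answers `go version`) is constructed here so the script runs offline, and it assumes the real project already has a `vendor/` tree produced by `go mod vendor` on a modules-aware Go.

```shell
#!/bin/sh
# Added example, not code from the XMT project: the README's go1.10
# vendoring recipe as checked shell functions. Assumed (not on the page):
# the project already has a vendor/ tree from `go mod vendor` run with a
# newer toolchain, and nothing else lives in deps/.

# prepare_legacy_gopath <project_dir> [import_path]
# Moves <project_dir>/vendor to <project_dir>/deps/src (a GOPATH "src"
# tree), symlinks the project into it under its import path and prints
# the resulting GOPATH. Refuses to run twice or on a tree without vendor/.
prepare_legacy_gopath() {
    proj="$1"
    import_path="${2:-github.com/iDigitalFlame/xmt}"   # from the README's ln -s line
    [ -d "$proj/vendor" ] || { echo "no $proj/vendor; run 'go mod vendor' with a modules-aware Go first" >&2; return 1; }
    [ ! -e "$proj/deps" ] || { echo "$proj/deps already exists, refusing to overwrite it" >&2; return 1; }
    abs_proj="$(cd "$proj" && pwd)"
    mkdir -p "$abs_proj/deps"
    mv "$abs_proj/vendor" "$abs_proj/deps/src"
    # modules.txt is module-mode metadata; a GOPATH build neither needs nor understands it
    rm -f "$abs_proj/deps/src/modules.txt"
    mkdir -p "$abs_proj/deps/src/$(dirname "$import_path")"
    # absolute target so the link resolves no matter where go is invoked from
    ln -s "$abs_proj" "$abs_proj/deps/src/$import_path"
    printf '%s\n' "$abs_proj/deps"
}

# check_legacy_goroot <goroot>
# Succeeds only if <goroot>/bin/go exists and reports itself as go1.10 or
# go1.10.x, so GOROOT is never pointed at a newer toolchain by mistake.
check_legacy_goroot() {
    goroot="$1"
    [ -x "$goroot/bin/go" ] || { echo "no executable go binary under $goroot/bin" >&2; return 1; }
    ver="$("$goroot/bin/go" version 2>/dev/null)" || ver=""
    case "$ver" in
        *" go1.10 "*|*" go1.10."*) return 0 ;;
        *) echo "expected a go1.10 toolchain, got: ${ver:-<no output>}" >&2; return 1 ;;
    esac
}

# legacy_env <gopath> <goroot>
# Prints the two export lines to eval once both locations check out.
legacy_env() {
    gopath="$1"; goroot="$2"
    [ -d "$gopath/src" ] || { echo "$gopath has no src/ tree; run prepare_legacy_gopath first" >&2; return 1; }
    check_legacy_goroot "$goroot" || return 1
    printf 'export GOPATH="%s"\nexport GOROOT="%s"\n' "$gopath" "$(cd "$goroot" && pwd)"
}

# make_demo_project <dir>
# Constructed fixture: a vendor/ tree shaped like `go mod vendor` output for
# the two PurpleSec dependencies and a stub toolchain whose `go version`
# answers as go1.10.8. Nothing in it is real XMT or PurpleSec code.
make_demo_project() {
    dir="$1"
    mkdir -p "$dir/vendor/github.com/PurpleSec/logx" "$dir/vendor/github.com/PurpleSec/escape"
    printf 'package logx\n' > "$dir/vendor/github.com/PurpleSec/logx/logx.go"
    printf 'package escape\n' > "$dir/vendor/github.com/PurpleSec/escape/escape.go"
    printf '# github.com/PurpleSec/logx v1.0.0 (constructed fixture)\n' > "$dir/vendor/modules.txt"
    printf 'module github.com/iDigitalFlame/xmt\n' > "$dir/go.mod"
    mkdir -p "$dir/fake-go1.10/bin"
    printf '#!/bin/sh\necho "go version go1.10.8 linux/amd64"\n' > "$dir/fake-go1.10/bin/go"
    chmod +x "$dir/fake-go1.10/bin/go"
}

# run_demo: build the layout in a scratch directory and show the exports.
run_demo() {
    d="$(mktemp -d ./xmt-legacy-demo.XXXXXX)" || return 1
    make_demo_project "$d"
    gp="$(prepare_legacy_gopath "$d")" || return 1
    legacy_env "$gp" "$d/fake-go1.10" || return 1
    rm -rf "$d"
}

run_demo
```

On a real checkout you would run `go mod vendor` with a current Go first, then `eval "$(legacy_env "$(prepare_legacy_gopath .)" /path/to/go1.10)"` and build with `"$GOROOT/bin/go"`, as the README describes. The `go version` check matters because a modern toolchain pointed at by `GOROOT` will silently switch back to module mode and ignore the `deps/src` tree.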