github.com/iDigitalFlame/xmt@v0.5.4/README.md (about)

# XMT: eXtensible Malware Toolkit

[![Go Report Card](https://goreportcard.com/badge/github.com/iDigitalFlame/xmt)](https://goreportcard.com/report/github.com/iDigitalFlame/xmt)
[![Go Reference](https://pkg.go.dev/badge/github.com/iDigitalFlame/xmt.svg)](https://pkg.go.dev/github.com/iDigitalFlame/xmt)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![Code Analysis](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml/badge.svg)](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml)
[![codecov](https://codecov.io/github/iDigitalFlame/XMT/branch/main/graph/badge.svg?token=REQESSIT7C)](https://codecov.io/github/iDigitalFlame/XMT)
[![Latest](https://img.shields.io/github/v/tag/iDigitalFlame/XMT)](https://github.com/iDigitalFlame/XMT/releases)

XMT is a full-featured C2 framework written in Go that provides command and
control, data exfiltration and a number of other capabilities. It can be used to
build complete C2 clients and servers with few changes out of the box.

[ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) is one implementation
built on it.

The framework also contains many utility functions, including:

- Advanced process control (Windows)
- Device identification
- User identification
- Windows "Window" utilities
- Efficient data marshaling interfaces
- Easy network communication resources
- Very small binaries: ~5 MB for a complete build using [JetStream](https://github.com/iDigitalFlame/ThunderStorm)
- Backwards compatibility with systems as old as Windows XP

The pkg.go.dev site has some of the framework documentation and definitions
[here](https://pkg.go.dev/github.com/iDigitalFlame/xmt).

__DISCLAIMER: Please use for legal purposes only. I'm not responsible if you get__
__in trouble for using this improperly, or if someone owns your environment and is__
__using XMT (or a derivative of it).__

## Roadmap

_Updated 02/17/23_

- Reflective DLL Injection (Windows)
- Updates to handling the x86 PEB (Windows)
- Linux memfd loader
- Thread injection improvements
- "Device Check" package
  - Detect VM
  - Anti-VM checks

These are some things that would be nice to have, but are not as important as the
above list:

- Keylogging
- MultiProxy support
- X/Wayland/OSX screenshot support
- EDR detection
- Linux shellcode support
- More thread injection options (Windows)

## Compatibility

This project is compatible with __ALL__ Go versions starting from __go1.10__!
You can download older Go versions from [the Go website](https://go.dev/dl/).

Unless convinced otherwise, I plan to keep compatibility down to go1.10.
__Since I don't control the script engines, Scripts are bound to >= go1.18.__

__The following deprecated build targets will NOT be supported:__

- nacl/386
- nacl/amd64p32
- nacl/arm

__The following deprecated build targets WORK, but only on specific Go versions:__

- darwin/386 (<= go1.14)
- darwin/arm (<= go1.14, needs CGO)

### Older OS Support Issues

So far the only issues I've seen are:

- XP
  - Lacks `CreateProcessWithTokenW`, so any process created while impersonating
    a user will fail. _(Oddly, this does NOT affect Server 2003.)_
- XP < SP3
  - Lacks the `WinHttpGetDefaultProxyConfiguration` function, which disables
    automatic HTTP proxy detection.
- XP and Server 2003
  - Lack the `RegDeleteTree` function, so deleting non-empty keys may fail.
  - Token integrity levels (Mandatory Integrity Control, introduced in Vista) do
    not exist, so users in the "Administrators" group are considered elevated.
  - Per the previous entry, the "Untrust" helper will NOT lower the token integrity
    level _(since there isn't one!)_, but it will STILL remove token privileges.
  - Setting the parent process does __NOT__ work.
- Vista, Server 2008 and older
  - Cannot evade ETW logging, as the functions used for it do not exist.
- Windows 8.1, Server 2012 and older
  - Cannot evade AMSI, as it is only present in Windows 10 and newer.

### Compiling for Go1.10 (pre-modules)

Go 1.11 introduced Go Modules and made dependency management simple.
Unfortunately, Go1.10 (the last release to support XP, 2003, 2008 and Vista) does
__not__ have them.

To work around this, we can just _vendor_ the packages, since the only dependencies
are the following PurpleSec modules:

- [LogX: github.com/PurpleSec/logx](https://github.com/PurpleSec/logx)
- [Escape: github.com/PurpleSec/escape](https://github.com/PurpleSec/escape)

which we already keep backwards compatible :D

These dependencies can be downloaded and arranged into a GOPATH layout with the
following commands. Run `go mod vendor` with a modern, module-aware Go first; only
the final build uses the Go1.10 toolchain that `GOROOT` points at:

```bash
# vendor the dependencies with a modern Go (needs module support)
go mod vendor
# turn the vendor tree into a GOPATH "src" tree
mkdir "deps"
mv "vendor" "deps/src"
# make this checkout visible at its import path inside the new GOPATH
mkdir -p "deps/src/github.com/iDigitalFlame"
ln -s "$(pwd)" "deps/src/github.com/iDigitalFlame/xmt"
export GOPATH="$(pwd)/deps"
export GOROOT="<path to downloaded Go1.10 folder>"
```

_(Yes, I know you CAN use "-o" to specify the vendor directory, but that isn't_
_supported until go1.18!)_

This should allow you to compile using the full path of the Go1.10 `go` binary
_(as long as you set `GOROOT` and `GOPATH` correctly)_.
   129  
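The same procedure as a re-runnable script, added here as an example (it is not part of XMT): it performs the vendor-to-GOPATH rearrangement described above, then checks that the symlink resolves back to the checkout, that the vendored PurpleSec packages are where GOPATH mode will look, and that `GOROOT` really is a Go 1.10 toolchain before building. The function names, the `deps` directory and the `--run` entry point are this example's own choices, not XMT's.

```shell
#!/bin/sh
# Added example (not XMT's own code): build a GOPATH tree for a pre-module
# Go 1.10 build from a module-vendored checkout, and sanity-check it first.
set -eu

# Turn an already-vendored checkout (run "go mod vendor" with a modern Go
# first) into a GOPATH: vendor/ becomes $deps/src, and the checkout is
# symlinked at the import path Go 1.10 expects (github.com/iDigitalFlame/xmt).
setup_gopath_layout() {
    repo="$1"   # absolute path to the xmt checkout containing vendor/
    deps="$2"   # GOPATH root to create, e.g. "$repo/deps" (assumed name)
    if [ ! -d "$repo/vendor" ]; then
        echo "no vendor/ in $repo; run 'go mod vendor' first" >&2
        return 1
    fi
    mkdir -p "$deps"
    mv "$repo/vendor" "$deps/src"
    mkdir -p "$deps/src/github.com/iDigitalFlame"
    ln -s "$repo" "$deps/src/github.com/iDigitalFlame/xmt"
}

# Succeeds only if the layout is usable: the symlink resolves to the checkout
# and both vendored PurpleSec dependencies sit under GOPATH/src.
check_gopath_layout() {
    repo="$1"
    deps="$2"
    link="$deps/src/github.com/iDigitalFlame/xmt"
    [ -L "$link" ] || return 1
    [ "$(cd "$link" && pwd -P)" = "$(cd "$repo" && pwd -P)" ] || return 1
    [ -d "$deps/src/github.com/PurpleSec/logx" ] || return 1
    [ -d "$deps/src/github.com/PurpleSec/escape" ] || return 1
}

# Refuse to build unless GOROOT holds a Go 1.10 toolchain; "go version"
# prints e.g. "go version go1.10.8 linux/amd64".
check_goroot_is_go110() {
    goroot="$1"
    [ -x "$goroot/bin/go" ] || return 1
    case "$("$goroot/bin/go" version)" in
        "go version go1.10"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh setup_go110.sh --run /abs/path/to/xmt /abs/path/to/go1.10
if [ "${1:-}" = "--run" ]; then
    [ $# -eq 3 ] || { echo "usage: $0 --run <xmt checkout> <go1.10 root>" >&2; exit 2; }
    repo="$2"; goroot="$3"; deps="$repo/deps"
    setup_gopath_layout "$repo" "$deps"
    check_gopath_layout "$repo" "$deps"
    check_goroot_is_go110 "$goroot"
    # build from inside the GOPATH copy so the package's own import path resolves consistently
    cd "$deps/src/github.com/iDigitalFlame/xmt"
    GOPATH="$deps" GOROOT="$goroot" "$goroot/bin/go" build ./...
fi
```

The build step is run from the symlinked path inside `GOPATH` rather than from the real checkout, because in GOPATH mode Go 1.10 derives a package's import path from its location, and the `github.com/iDigitalFlame/xmt/...` imports must resolve to the same packages being built.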
## TODO

These are some things I need to work on.

- Documentation
- Build tags list

## References / Highlights / Presentations

BSides Las Vegas 2022: So you Wanta Build a C2?

[Video](https://www.youtube.com/watch?v=uAfGtGlHLxs) /
[Slides](https://public.idigitalflame.com/docs/so_you_wanta_build_a_c2.pdf)

## Bugs

_Updated 02/17/23_

- Potential KeyPair sync issue over long periods of time. __Still needs more testing.__

Feel free to submit issue tickets or pull requests if something is broken or
doesn't act right. (I don't bite, mostly owo)

## Thanks and Credits

- [Geoff Chappell](https://www.geoffchappell.com) for his insights into various Windows API internals
- Package Monkey by @skx [github.com/skx/monkey](https://github.com/skx/monkey)
- Package Otto by @robertkrimen [github.com/robertkrimen/otto](https://github.com/robertkrimen/otto)
- Intern method by @bradfitz [tailscale.com/blog/netaddr-new-ip-type-for-go/](https://tailscale.com/blog/netaddr-new-ip-type-for-go/)
  - Also the IP struct code and info.
- mTLS insights by @kofoworola [kofo.dev/how-to-mtls-in-golang](https://kofo.dev/how-to-mtls-in-golang)
- DLL loader by @monoxgas [github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
- Initial idea for MiniDump/DLL Reload by the Sliver C2 framework [github.com/BishopFox/sliver/](https://github.com/BishopFox/sliver/)
- Untrust idea by @zha0gongz1 [golangexample.com/...](https://golangexample.com/without-closing-windows-defender-to-make-defender-useless-by-removing-its-token-privileges-and-lowering-the-token-integrity/)

# Licenses

XMT is covered by the GNU GPLv3 License.

Third-party Licenses:

- [sRDI](https://raw.githubusercontent.com/monoxgas/sRDI/master/LICENSE) (GPLv3)
- [Monkey](https://raw.githubusercontent.com/skx/monkey/master/LICENSE) (MIT)
  - Only if [Monkey](https://github.com/skx/monkey) support is compiled in and enabled.
- [Otto](https://raw.githubusercontent.com/robertkrimen/otto/master/LICENSE) (MIT)
  - Only if [Otto](https://github.com/robertkrimen/otto) support is compiled in and enabled.
- [LogX](https://raw.githubusercontent.com/PurpleSec/LogX/main/LICENSE) (Apache v2)
- [Escape](https://raw.githubusercontent.com/PurpleSec/Escape/main/LICENSE) (Apache v2)