
eXtensiable Malware Toolkit: Full Featured Golang C2 Framework with Awesome Features


iDigitalFlame/XMT


XMT: eXtensible Malware Toolkit


XMT is a full-featured C2 framework written in Golang that provides command and control, data exfiltration and some other cool functions. It can be used to build full C2 clients/servers with few changes out of the box.

ThunderStorm is an example implementation of this.

This framework also contains many utility functions, including:

  • Advanced Process Control (Windows)
  • Device Identification
  • User Identification
  • Windows "Window" utils
  • Efficient Data Marshaling interfaces
  • Easy Network communication resources
  • Super low file size! ~5mb completely using JetStream
  • Backwards compatibility with systems as old as Windows Xp!

The pkg.go.dev site has some of the framework documentation and definitions here.

DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get in trouble for using this improperly or if someone owns your environment and is using XMT (or a derivative of it).

Roadmap

Updated 02/17/23 (I will update this soon!)

  • Reflective DLL Injection (Windows)
  • Updates to handling x86 PEB (Windows)
  • Linux mem_fd loader
  • Thread Injection improvements
  • "Device Check" package
    • Detect VM
    • Anti-VM checks

These are some things that would be nice to have, but are not as important as the above list:

  • Keylogging
  • MultiProxy support
  • X/Wayland/OSX Screenshot support
  • EDR Detection
  • Linux shellcode support
  • More thread injection options (Windows)

Go 1.23 Notes

Because the Golang team no longer allows the use of go:linkname (unless you're a huge project like Docker), ALL XMT BUILDS MUST INCLUDE THIS BUILD ARG:

-ldflags '-checklinkname=0'

For example, if you want to build a simple binary with XMT like:

GOOS=windows go build -o test.exe examples/main.go

You must now include -checklinkname=0 or IT WILL NOT COMPILE, like so:

GOOS=windows go build -ldflags '-checklinkname=0' -o test.exe examples/main.go

I'm sorry if this breaks any building systems. ThunderStorm's JetStream/CloudSeed has been updated to support this flag.

Due to how XMT interacts with the runtime and requires functions that the Golang developers will never export, removing the usage of go:linkname is not possible.

Compatibility

This project is compatible with ALL Golang versions starting from go1.10! You can download the older versions of Golang from the Golang website.

Unless convinced otherwise, I plan to keep the compatibility down to Go1.10. Since I don't control the Script engines, Scripts are bound to >= go1.18.

The following deprecated build types will NOT be supported:

  • nacl/386
  • nacl/amd64p32
  • nacl/arm

The following deprecated build types WORK but are version-specific:

  • darwin/386 (<= go1.14)
  • darwin/arm (<= go1.14, needs CGO)

Older OS Support Issues

So far the only issues I've seen are:

  • Xp
    • Lacks the "CreateProcessWithTokenW" so any processes created while impersonating a user will fail. (This does NOT affect Server 2003 WTF)
  • Xp < SP3
    • Lacks the "WinHttpGetDefaultProxyConfiguration" function, which disables automatic HTTP Proxy detection.
  • Xp and Server 2003
    • Lacks the "RegDeleteTree" function so deleting non-empty Keys may fail.
    • The concept of Token "Integrity" does not exist and users that are in the "Administrators" group are considered elevated.
    • Per the previous entry, the "Untrust" helper will NOT set the Token Integrity (since it doesn't exist!), but it will STILL remove Token permissions.
    • Setting the parent process does NOT work.
  • Vista, Server 2008 and older
    • Cannot evade ETW logs as the function calls do not exist.
  • Windows 8.1, Server 2012 and older
    • Cannot evade AMSI as it is only present in Windows 10 and newer.

Compiling for Go1.10 (pre-modules)

Golang version 1.11 introduced the concept of Golang Modules and made dependency management simple. Unfortunately, Go1.10 (the last to support Xp, 2003, 2008 and Vista) does not support them.

To work around this, we can just vendor the packages, since the only dependencies are the following PurpleSec modules:

Which we already make backwards compatible :D

These dependencies can be downloaded and used with the following commands:

# Vendor the module dependencies into ./vendor (this step needs a modules-aware Go, i.e. >= go1.11)
go mod vendor
# Rebuild a GOPATH-style source tree that Go1.10 understands
mkdir "deps"
mv "vendor" "deps/src"
mkdir "deps/src/github.com/iDigitalFlame"
# Expose the XMT checkout itself at its import path inside that tree
ln -s "$(pwd)" "deps/src/github.com/iDigitalFlame/xmt"
# Point Go1.10 at the new GOPATH and at its own installation
export GOPATH="$(pwd)/deps"
export GOROOT="<path to downloaded Go1.10 folder>"

(Yes, I know you CAN use "-o" to specify the vendor directory, but that isn't supported until go1.18!)

This should allow you to compile using the full path of the Go1.10 Golang binary (as long as you set your GOROOT and GOPATH correctly).

TODO

These are some things I need to work on.

  • Documentation
  • Build tags list

References / Highlights / Presentations

BSides Las Vegas 2022: So you Wanta Build a C2?

Video / Slides

Bugs

Updated 02/17/23

  • Potential KeyPair sync issue over long periods of time. Still needs more testing.

Feel free to submit issue tickets or pull requests if something is broken or doesn't act right. (I don't bite, mostly owo)

Thanks and Credits

Licenses

XMT is covered by the GNU GPLv3 License

Third-party Licenses:

  • sRDI (GPLv3)
  • Monkey (MIT)
    • Only if Monkey support is compiled in and enabled.
  • Otto (MIT)
    • Only if Otto support is compiled in and enabled.
  • LogX (Apache v2)
  • Escape (Apache v2)
