xmt

module v0.5.2 (not the latest version of this module)
Published: Jul 10, 2023 License: GPL-3.0

README
XMT: eXtensible Malware Toolkit


XMT is a full-featured C2 framework written in Go that provides command and control, data exfiltration and a number of other capabilities. It can be used to build complete C2 clients and servers with few changes out of the box.

ThunderStorm is one implementation built on top of it.

This framework also contains many utility functions, including:

  • Advanced Process Control (Windows)
  • Device Identification
  • User Identification
  • Windows "Window" utils
  • Efficient Data Marshaling interfaces
  • Easy Network communication resources
  • Super low file size! ~5mb completely using JetStream
  • Backwards compatibility with systems as old as Windows XP!

The pkg.go.dev site has some of the framework documentation and definitions here.

DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get in trouble for using this improperly or if someone owns your environment and is using XMT (or a derivative of it).

Roadmap

Updated 02/17/23

  • Reflective DLL Injection (Windows)
  • Updates to handling the x86 PEB (Windows)
  • Linux mem_fd loader
  • Thread Injection improvements
  • "Device Check" package
    • Detect VM
    • Anti-VM checks

These are some things that would be nice to have, but are not as important as the above list:

  • Keylogging
  • MultiProxy support
  • X/Wayland/OSX Screenshot support
  • EDR Detection
  • Linux shellcode support
  • More thread injection options (Windows)

Compatibility

This project is compatible with ALL Go versions starting from go1.10! Older Go releases can be downloaded from the Go website.

Unless convinced otherwise, I plan to keep compatibility down to go1.10. Since I don't control the script engines, scripts are bound to >= go1.18.

The following deprecated build targets will NOT be supported:

  • nacl/386
  • nacl/amd64p32
  • nacl/arm

The following deprecated build targets WORK, but only on specific Go versions:

  • darwin/386 (<= go1.14)
  • darwin/arm (<= go1.14, needs CGO)

Older OS Support Issues

So far the only issues I've seen are:

  • XP
    • Lacks "CreateProcessWithTokenW", so any process created while impersonating a user will fail. (Oddly, this does NOT affect Server 2003.)
  • XP < SP3
    • Lacks the "WinHttpGetDefaultProxyConfiguration" function, which disables automatic HTTP proxy detection.
  • XP and Server 2003
    • Lack the "RegDeleteTree" function, so deleting non-empty keys may fail.
    • The concept of token "Integrity" does not exist, and users in the "Administrators" group are considered elevated.
    • Per the previous entry, the "Untrust" helper will NOT set the token integrity level (since it doesn't exist!), but it will STILL remove token privileges.
    • Setting the parent process does NOT work.
  • Vista, Server 2008 and older
    • Cannot evade ETW logging, as the function calls do not exist.
  • Windows 8.1, Server 2012 and older
    • Cannot evade AMSI, as it is only present in Windows 10 / Server 2016 and newer.

Compiling for Go1.10 (pre-modules)

Go 1.11 introduced modules, which made dependency management simple. Unfortunately, go1.10 (the last release to support XP, Server 2003, Server 2008 and Vista) does not have them.

To work around this, we can simply vendor the packages, since the only dependencies are the following PurpleSec modules (which are already kept backwards compatible):

These dependencies can be downloaded and used with the following commands:

go mod vendor
mkdir "deps"
mv "vendor" "deps/src"
mkdir "deps/src/github.com/iDigitalFlame"
ln -s "$(pwd)" "deps/src/github.com/iDigitalFlame/xmt"
export GOPATH="$(pwd)/deps"
export GOROOT="<path to downloaded Go1.10 folder>"

(Yes, I know you CAN use "-o" to specify the vendor output directory, but that isn't supported until go1.18!)

This should allow you to compile by invoking the go1.10 binary through its full path (as long as GOROOT and GOPATH are set correctly).
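The same procedure as an added script (this editor's example, not XMT's own tooling), with the checks a practitioner would want before pointing an old toolchain at the tree: it refuses to clobber an existing deps/, drops vendor/modules.txt (module metadata that GOPATH mode does not use), verifies that every import path actually resolves under GOPATH/src, and invokes the old go binary by absolute path so the modules-aware go on $PATH is never picked up. The function names, the deps/src layout and the GO111MODULE=off guard are assumptions of this example; it also assumes `go mod vendor` was already run with a modules-aware Go.

```shell
#!/bin/sh
# Added example, not XMT's tooling: build a GOPATH tree for a pre-modules Go
# (1.10) from a vendor/ directory that a modules-aware Go already populated.
# Assumptions: `go mod vendor` has been run in PROJECT_DIR, the import path is
# github.com/iDigitalFlame/xmt unless overridden, and the old toolchain lives in
# its own GOROOT that is never on $PATH.

# setup_gopath_tree PROJECT_DIR [IMPORT_PATH]
# Moves vendor/ to deps/src, symlinks the project into place, prints the GOPATH.
setup_gopath_tree() {
    proj=$(cd "$1" && pwd) || return 1
    import_path=${2:-github.com/iDigitalFlame/xmt}
    if [ ! -d "$proj/vendor" ]; then
        echo "no vendor/ in $proj; run 'go mod vendor' with a modules-aware Go first" >&2
        return 1
    fi
    if [ -e "$proj/deps" ]; then
        echo "$proj/deps already exists; remove it before re-running" >&2
        return 1
    fi
    mkdir -p "$proj/deps"
    mv "$proj/vendor" "$proj/deps/src"
    # vendor/modules.txt is module metadata, not a package; GOPATH mode has no use for it.
    rm -f "$proj/deps/src/modules.txt"
    mkdir -p "$proj/deps/src/$(dirname "$import_path")"
    ln -s "$proj" "$proj/deps/src/$import_path"
    echo "$proj/deps"
}

# check_gopath_tree GOPATH IMPORT_PATH...
# Succeeds only if every import path resolves to a directory under GOPATH/src.
check_gopath_tree() {
    gopath=$1
    shift
    for p in "$@"; do
        if [ ! -d "$gopath/src/$p" ]; then
            echo "unresolved import path: $p (expected $gopath/src/$p)" >&2
            return 1
        fi
    done
    return 0
}

# build_with_old_go GOROOT GOPATH IMPORT_PATH OUTPUT
# Calls the old toolchain by absolute path. GO111MODULE=off is ignored by go1.10
# but stops a newer GOROOT from reading go.mod if the wrong one is passed.
build_with_old_go() {
    if [ ! -x "$1/bin/go" ]; then
        echo "no go binary under $1/bin" >&2
        return 1
    fi
    GOROOT=$1 GOPATH=$2 GO111MODULE=off "$1/bin/go" build -o "$4" "$3"
}
```

Typical use is `gp=$(setup_gopath_tree .)`, then `check_gopath_tree "$gp" github.com/iDigitalFlame/xmt <each vendored module>` and finally `build_with_old_go /opt/go1.10 "$gp" github.com/iDigitalFlame/xmt ./xmt-1.10` (the GOROOT path is a placeholder). Because the symlink points the project back at itself, do not run `go build ./...` from inside deps/src; build by import path as shown.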

TODO

These are some things I need to work on.

  • Documentation
  • Build tags list

References / Highlights / Presentations

BSides Las Vegas 2022: So you Wanta Build a C2?

Video / Slides

Bugs

Updated 02/17/23

  • Potential KeyPair sync issue over long periods of time. Still needs more testing

Feel free to submit issue tickets or pull requests if something is broken or doesn't act right. (I don't bite, mostly owo)

Thanks and Credits

Licenses

XMT is covered by the GNU GPLv3 License

Third-party Licenses:

  • sRDI (GPLv3)
  • Monkey (MIT)
    • Only if Monkey support is compiled in and enabled.
  • Otto (MIT)
    • Only if Otto support is compiled in and enabled.
  • LogX (Apache v2)
  • Escape (Apache v2)

Directories

  • c2: Package c2 is the primary Command & Control (C2) endpoint for creating and managing a C2 Session or spinning up a C2 service.
  • cfg: Package cfg is used to generate binary versions of C2 Profiles and can be used to create automatic Profile 'Groups' with multiple communication and encoding types to be used by a single Session.
  • cout: Package cout is a simple log handling solution for the c2 package.
  • task: Package task is a simple collection of Task based functions that can be tasked to Sessions by the Server.
  • task/result: Package result contains many helper functions to gather matching output from Job result packets.
  • transform: Package transform contains built-in implementations of the 'c2.Transform' interface, which can be used to manipulate data that is passed between Sessions and C2 Servers.
  • wrapper: Package wrapper contains built-in implementations of the 'c2.Wrapper' interface, which can be used to wrap or encode data that is passed between Sessions and C2 Servers.
  • cmd: Package cmd contains functions that can be used to execute external processes.
  • filter: Package filter is a separate container for the 'Filter' struct that can be used to target a specific process or one that matches an attribute set.
  • script: Package script contains Script engines in separate packages to prevent loading if not needed/included.
  • com: Package com contains many helper functions for network communications.
  • limits: Package limits contains many options for setting global limits on how the overall application behaves.
  • pipe: Package pipe contains a cross-device compatible Pipes/NamedPipes connection interface.
  • wc2: Package wc2 contains an HTTP/Web based communication channel, which follows the Go 'net.Conn' interface and is very configurable.
  • data: Package data provides interfaces and helper methods that can be used for data writing and reading.
  • crypto: Package crypto contains helper functions and interfaces that can be used to easily read and write different types of encrypted data.
  • crypto/subtle: Package subtle is similar to the standard library 'crypto/subtle', only needed for very specific crypto operations.
  • device: Package device contains many functions that provide access to Operating System functions and resources.
  • arch: Package arch contains platform architecture constants and a specific type that correlates to the current system architecture.
  • local: Package local contains many functions and variables that contain information about the local device.
  • local/tags: Package tags enables identification of the build tags and capabilities that are compiled into the current program.
  • regedit: Package regedit is a helper package that allows easy access to the Windows registry on Windows systems and allows non-Windows systems to read data generated from registry entries.
  • screen: Package screen is a helper package that contains generic functions that allow for taking screenshots of the current display (if supported).
  • unix: Package unix is a *nix specific package that assists with calling Unix/Linux/BSD specific functions and data gathering.
  • winapi: Package winapi is a Windows specific package that assists with handling or accessing many advanced WinAPI functions.
  • winapi/registry: Package registry contains code to handle common Windows registry operations.
  • winapi/svc: Package svc is a Windows specific Service interface.
  • man: Package man is the implementation of the Guardian and Sentinel structs.
  • util: Package util is a very generic package that is used to contain simple functions that may be used in multiple packages, such as the simple random number generator.
  • bugtrack: Package bugtrack enables the bug tracking system, which is comprised of a global logger that will write to Standard Error and to a file in a temporary directory ("$TEMP" on *nix and "%TEMP%" on Windows) named "bugtrack-<PID>.log".
  • crypt: Package crypt is a builtin package that provides compile-time encoded string values to be decoded and used when first starting up.
  • text: Package text is a simple package for generating random string values with complex requirements and regular expressions.
  • xerr: Package xerr is a simplistic (and more efficient) re-write of the "errors" built-in package.
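The wrapper and transform entries above describe two distinct layers on the Session/Server path: a Wrapper encodes the byte stream itself, a Transform rewrites each complete message. As an added example (this editor's code, not XMT's, and not its API), here is a minimal Go pipeline modelled on those roles: a zlib Wrapper inside an AES-GCM Transform, with a Channel that builds the wrapper chain inside-out on send and peels it in reverse on receive. The Wrapper and Transform method sets, the Channel type, NewDemoChannel and the zlib/AES-GCM choices are all assumptions of this example; it needs Go 1.16+ for io.ReadAll.

```go
// Added example, not XMT's code: wrapper/transform pipeline modelled on the roles the page
// gives c2.Wrapper and c2.Transform. Method sets, Channel and zlib/AES-GCM are assumptions.
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Wrapper encodes a stream outbound and decodes it inbound (zlib, base64, ...);
// Transform rewrites one complete message after wrapping / before unwrapping.
type Wrapper interface {
	Wrap(w io.Writer) (io.WriteCloser, error)
	Unwrap(r io.Reader) (io.Reader, error)
}
type Transform interface {
	Encode(msg []byte) ([]byte, error)
	Decode(blob []byte) ([]byte, error)
}

type zlibWrapper struct{} // compress outbound, inflate inbound
func (zlibWrapper) Wrap(w io.Writer) (io.WriteCloser, error) { return zlib.NewWriter(w), nil }
func (zlibWrapper) Unwrap(r io.Reader) (io.Reader, error)    { return zlib.NewReader(r) }

// gcmTransform seals a message as nonce||ciphertext||tag. Being authenticated, a tampered,
// truncated or wrong-key blob is rejected in Decode before the decompressor sees a byte.
type gcmTransform struct{ aead cipher.AEAD }

func (t gcmTransform) Encode(msg []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize()) // fresh per message; never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, msg, nil), nil
}
func (t gcmTransform) Decode(blob []byte) ([]byte, error) {
	if n := t.aead.NonceSize(); len(blob) >= n+t.aead.Overhead() {
		return t.aead.Open(nil, blob[:n], blob[n:], nil) // fails closed on any modification
	}
	return nil, fmt.Errorf("blob of %d bytes is shorter than nonce+tag", len(blob))
}

// Channel: plaintext enters wrappers[0] first on Send; Receive peels the chain in
// reverse. The transform sits outside the chain on both paths.
type Channel struct{ wrappers []Wrapper; transform Transform }

func NewDemoChannel(key []byte) (*Channel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Channel{[]Wrapper{zlibWrapper{}}, gcmTransform{aead}}, err
}

func (c *Channel) Send(msg []byte) ([]byte, error) {
	var wrapped bytes.Buffer
	w, closers := io.Writer(&wrapped), []io.Closer(nil)
	for i := len(c.wrappers) - 1; i >= 0; i-- { // build inside-out
		wc, err := c.wrappers[i].Wrap(w)
		if err != nil {
			return nil, err
		}
		closers, w = append(closers, wc), wc
	}
	if _, err := w.Write(msg); err != nil {
		return nil, err
	}
	for i := len(closers) - 1; i >= 0; i-- { // outermost first, so each trailer lands inside the next layer
		if err := closers[i].Close(); err != nil {
			return nil, err
		}
	}
	return c.transform.Encode(wrapped.Bytes())
}

func (c *Channel) Receive(blob []byte) ([]byte, error) {
	plain, err := c.transform.Decode(blob)
	r := io.Reader(bytes.NewReader(plain))
	for i := len(c.wrappers) - 1; err == nil && i >= 0; i-- { // peel layers in reverse
		r, err = c.wrappers[i].Unwrap(r)
	}
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}

func main() {
	c, _ := NewDemoChannel(bytes.Repeat([]byte{0x42}, 32)) // fixed demo key; a session would use its negotiated key
	blob, _ := c.Send([]byte("constructed tasking payload"))
	msg, err := c.Receive(blob)
	blob[len(blob)-1] ^= 1 // flip one bit of the GCM tag
	_, tampered := c.Receive(blob)
	fmt.Printf("round trip %q (err=%v); tampered blob rejected: %v\n", msg, err, tampered != nil)
}
```

Two ordering points carry over to any real implementation: compression belongs inside encryption (ciphertext does not compress), and authentication belongs outside decompression, so a forged or bit-flipped blob is dropped before an inflater is fed attacker-controlled input. A stream wrapper that only encrypts (CTR or XOR style) without a MAC gives no such guarantee; adding a second wrapper such as base64 slots into the same chain without changing Send or Receive.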