XMT is a full-featured C2 framework written in Golang that allows for control, data exfiltration and some other cool functions. It can be used to build full C2 clients/servers with few changes out of the box.
ThunderStorm is one implementation of this.
This framework also contains many utility functions, including:
- Advanced Process Control (Windows)
- Device Identification
- User Identification
- Windows "Window" utils
- Efficient Data Marshaling interfaces
- Easy Network communication resources
- Super low file size! ~5mb completely using JetStream
- Backwards compatibility with systems as old as Windows Xp!
The pkg.go.dev site has some of the framework documentation and definitions here.
DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get in trouble for using this improperly or if someone owns your environment and is using XMT (or a derivative of it).
Updated 02/17/23 (I will update this soon!)
- Reflective DLL Injection (Windows)
- Updates to handling x86 PEB (Windows)
- Linux mem_fd loader
- Thread Injection improvements
- "Device Check" package
- Detect VM
- Anti-VM checks
These are some things that would be nice to have, but are not as important as the above list:
- Keylogging
- MultiProxy support
- X/Wayland/OSX Screenshot support
- EDR Detection
- Linux shellcode support
- More thread injection options (Windows)
Due to the Golang team no longer allowing the usage of go:linkname (unless you're a huge project like Docker), ALL XMT BUILDS MUST INCLUDE THIS BUILD ARG:
-ldflags '-checklinkname=0'
For example, if you want to build a simple binary with XMT like:
GOOS=windows go build -o test.exe examples/main.go
You must now include -checklinkname=0 or IT WILL NOT COMPILE, like:
GOOS=windows go build -ldflags '-checklinkname=0' -o test.exe examples/main.go
I'm sorry if this breaks any building systems. ThunderStorm's JetStream/CloudSeed has been updated to support this flag.
Due to how XMT interacts with the runtime and requires functions that the Golang developers will never export, removing the usage of go:linkname is not possible.
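Because the -checklinkname linker flag only exists in newer toolchains (it was added in Go 1.23; older linkers reject flags they do not know), a build wrapper that adds it only when needed keeps one script working across the whole supported Go range. This is an added example, not part of XMT or ThunderStorm; the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not XMT's own code): pass -checklinkname=0 to the linker only
# when the installed Go toolchain is new enough to understand the flag.
# Assumption: -checklinkname appeared in Go 1.23; earlier linkers would fail
# with an unknown-flag error, so the flag is omitted below that version.

# go_minor "go1.22.5" -> 22, "go1.23rc1" -> 23, anything else -> 0
go_minor() {
    printf '%s\n' "$1" | sed -n 's/^go1\.\([0-9][0-9]*\).*/\1/p' | grep . || echo 0
}

# xmt_ldflags VERSION -> the -ldflags value to use for an XMT build
xmt_ldflags() {
    minor=$(go_minor "$1")
    if [ "$minor" -ge 23 ]; then
        echo '-checklinkname=0'
    else
        echo ''
    fi
}

# xmt_build [go build args...] -> same as `go build`, with the right ldflags.
# Example: GOOS=windows xmt_build -o test.exe examples/main.go
xmt_build() {
    ver=$(go version 2>/dev/null | awk '{print $3}')
    flags=$(xmt_ldflags "$ver")
    go build -ldflags "$flags" "$@"
}
```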
This project is compatible with ALL Golang versions starting from go1.10! You can download the older versions of Golang from the Golang website.
Unless convinced otherwise, I plan to keep the compatibility down to Go1.10. Since I don't control the Script engines, Scripts are bound to >= go1.18.
The following deprecated build types will NOT be supported:
- nacl/386
- nacl/amd64p32
- nacl/arm
The following deprecated build types WORK but are version-specific:
- darwin/386 (<= go1.14)
- darwin/arm (<= go1.14, needs CGO)
So far the only issues I've seen are:
- Xp
  - Lacks the "CreateProcessWithTokenW" function, so any processes created while impersonating a user will fail. (This does NOT affect Server 2003 WTF)
- Xp < SP3
  - Lacks the "WinHttpGetDefaultProxyConfiguration" function, which disables automatic HTTP Proxy detection.
- Xp and Server 2003
  - Lacks the "RegDeleteTree" function, so deleting non-empty Keys may fail.
  - The concept of Token "Integrity" does not exist, and users in the "Administrators" group are considered elevated.
  - Per the previous entry, the "Untrust" helper will NOT set the Token Integrity (since it doesn't exist!), but it will STILL remove Token permissions.
  - Setting the parent process does NOT work.
- Vista, Server 2008 and older
  - Cannot evade ETW logs as the function calls do not exist.
- Windows 8.1, Server 2012 and older
  - Cannot evade AMSI as it is only present in Windows 10 and newer.
Golang version 1.11 introduced the concept of Golang Modules and made dependency management simple. Unfortunately, Go1.10 (the last to support Xp, 2003, 2008 and Vista) does not.
To work around this, we can just vendor the packages, since the only dependencies are the following PurpleSec modules:
Which we already make backwards compatible :D
These dependencies can be downloaded and used with the following commands:
go mod vendor
mkdir "deps"
mv "vendor" "deps/src"
mkdir "deps/src/github.com/iDigitalFlame"
ln -s "$(pwd)" "deps/src/github.com/iDigitalFlame/xmt"
export GOPATH="$(pwd)/deps"
export GOROOT="<path to downloaded Go1.10 folder>"
(Yes, I know you CAN use "-o" to specify the vendor directory, but that isn't supported until go1.18!)
This should allow you to compile using the full path of the Go1.10 Golang binary (as long as you set your GOROOT and GOPATH correctly).
These are some things I need to work on.
- Documentation
- Build tags list
BSides Las Vegas 2022: So you Wanta Build a C2?
Updated 02/17/23
- Potential KeyPair sync issue over long periods of time. Still needs more testing
Feel free to submit issue tickets or pull requests if something is broken or doesn't act right. (I don't bite, mostly owo)
- Geoff Chappell for his insights into various Windows API stuff
- Package Monkey by @skx github.com/skx/monkey
- Package Otto by @robertkrimen github.com/robertkrimen/otto
- Intern method by @bradfitz tailscale.com/blog/netaddr-new-ip-type-for-go/
- Also the IP struct code and info.
- mTLS insights by @kofoworola kofo.dev/how-to-mtls-in-golang
- DLL loader by @monoxgas github.com/monoxgas/sRDI
- Initial idea for MiniDump/DLL Reload by the Sliver C2 framework github.com/BishopFox/sliver/
- Untrust idea by @zha0gongz1 golangexample.com/...
XMT is covered by the GNU GPLv3 License
Third-party Licenses: