{"id":30305559,"url":"https://github.com/idigitalflame/xmt","last_synced_at":"2025-08-17T08:09:54.431Z","repository":{"id":37944592,"uuid":"187231043","full_name":"iDigitalFlame/XMT","owner":"iDigitalFlame","description":"eXtensiable Malware Toolkit: Full Featured Golang C2 Framework with Awesome Features","archived":false,"fork":false,"pushed_at":"2025-07-29T05:30:55.000Z","size":4507,"stargazers_count":100,"open_issues_count":1,"forks_count":21,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-08-14T22:44:39.542Z","etag":null,"topics":["go","golang","golang-library","golang-package","malware","offensive-security","redteam"],"latest_commit_sha":null,"homepage":"https://pkg.go.dev/github.com/iDigitalFlame/xmt","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iDigitalFlame.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"iDigitalFlame","ko_fi":"idflame"}},"created_at":"2019-05-17T14:30:58.000Z","updated_at":"2025-07-29T05:28:10.000Z","dependencies_parsed_at":"2023-02-01T10:00:22.360Z","dependency_job_id":"878d1d82-9993-4d25-8501-c0568d884339","html_url":"https://github.com/iDigitalFlame/XMT","commit_stats":null,"previous_names":[],"tags_count":92,"template":false,"template_full_name":null,"purl":"pkg:github/iDigitalFlame/XMT","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iDigitalFlame%2FXMT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iDigitalFlame%2FXMT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iDigitalFlame%2FXMT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iDigitalFlame%2FXMT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iDigitalFlame","download_url":"https://codeload.github.com/iDigitalFlame/XMT/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iDigitalFlame%2FXMT/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270820793,"owners_count":24651534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","golang-library","golang-package","malware","offensive-security","redteam"],"created_at":"2025-08-17T08:09:53.455Z","updated_at":"2025-08-17T08:09:54.404Z","avatar_url":"https://github.com/iDigitalFlame.png","language":"Go","funding_links":["https://github.com/sponsors/iDigitalFlame","https://ko-fi.com/idflame","https://ko-fi.com/Z8Z4121TDS"],"categories":[],"sub_categories":[],"readme":"# XMT: eXtensible Malware Toolkit\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/iDigitalFlame/xmt)](https://goreportcard.com/report/github.com/iDigitalFlame/xmt)\n[![Go Reference](https://pkg.go.dev/badge/github.com/iDigitalFlame/xmt.svg)](https://pkg.go.dev/github.com/iDigitalFlame/xmt)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n[![Code Analysis](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml/badge.svg)](https://github.com/iDigitalFlame/XMT/actions/workflows/checks.yaml)\n[![codecov](https://codecov.io/github/iDigitalFlame/XMT/branch/main/graph/badge.svg?token=REQESSIT7C)](https://codecov.io/github/iDigitalFlame/XMT)\n[![Latest](https://img.shields.io/github/v/tag/iDigitalFlame/XMT)](https://github.com/iDigitalFlame/XMT/releases)\n\nXMT is a full-featured C2 framework written in Golang that allows for control,\ndata exfiltration and some other cool functions. Can be used to make full C2\nclients/servers with little out-of-the-box changes.\n\n[ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) would be an implementation\nof this.\n\nThis framework also contains many utility functions, including:\n\n- Advanced Process Control (Windows)\n- Device Identification\n- User Identification\n- Windows \"Window\" utils\n- Efficient Data Marshaling interfaces\n- Easy Network communication resources\n- Super low file size! ~5mb completely using [JetStream](https://github.com/iDigitalFlame/ThunderStorm)\n- Backwards compatibility with systems as old as Windows Xp!\n\nThe pkg.go.dev site has some of the framework documentation and definitions\n[here](https://pkg.go.dev/github.com/iDigitalFlame/xmt).\n\n__DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get__\n__in trouble for using this improperly or if someone owns your environment and is__\n__using XMT (or a derivative of it).__\n\n## Roadmap\n\n_Updated 02/17/23_ (I will update this soon!)\n\n- Reflective DLL Injection (Windows)\n- Updates to handeling x86 PEB (Windows)\n- Linux mem_fd loader\n- Thread Injection improvements\n- \"Device Check\" package\n  - Detect VM\n  - Anti-VM checks\n\nThese are some things that would be nice to have, but are not as important as the\nabove list:\n\n- Keylogging\n- MultiProxy support\n- X/Wayland/OSX Screenshot support\n- EDR Detection\n- Linux shellcode support\n- More thread injection options (Windows)\n\n## Go 1.23 Notes\n\nDue to the Golang team no longer allowing the usage of `go:linkname` _(unless you're_\n_a huge project like Docker)_, __ALL XMT BUILDS MUST INCLUDE THIS BUILD ARG__:\n\n```shell\n-ldflags '-checklinkname=0'\n```\n\nFor example, if you want to build a simple binary with XMT like:\n\n```shell\nGOOS=windows go build -o test.exe examples/main.go\n```\n\nYou must now include `-checklinkname=0` or __IT WILL NOT COMPILE__ like:\n\n```shell\nGOOS=windows go build -ldflags '-checklinkname=0' -o test.exe examples/main.go\n```\n\nI'm sorry if this breaks any building systems. ThunderStorm's JetStream/CloudSeed\nhas been updated to support this flag.\n\nDue to how XMT interacts with the runtime and requires functions that the Golang\ndevelopers will never export, removing the usage `go:linkname` is not possible.\n\n## Compatibility\n\nThis project is compatable with __ALL__ Golang versions starting from __go1.10__!\nYou can download the older versions of Golang from [the Golang website](https://go.dev/dl/).\n\nUnless convined otherwise, I plan to keep the compatibility down to Go1.10.\n__Since I don't control the Script engines, Scripts are bound to \u003e= go1.18__\n\n__The following depreciated build types will NOT be supported__\n\n- nacl/386\n- nacl/amd64p32\n- nacl/arm\n\n__The following depreciated build types WORK but are specific__\n\n- darwin/386 (\u003c= go1.14)\n- darwin/arm (\u003c= go1.14, needs CGO)\n\n### Older OS Support Issues\n\nSo far the only issues I've seen are:\n\n- Xp\n  - Lacks the \"CreateProcessWithTokenW\" so any processes created while impersonating\n    a user will fail. _(This does NOT affect Server 2003 WTF)_\n- Xp \u003c SP3\n  - Lacks the \"WinHttpGetDefaultProxyConfiguration\" function, which disables\n    automatic HTTP Proxy detection.\n- Xp and Server 2003\n  - Lacks the \"RegDeleteTree\" function so deleting non-empty Keys may fail.\n  - The concept of Token \"Integrity\" does not exist and users that are in the\n    \"Administrators\" group are considered elevated.\n  - Per the previous entry, the \"Untrust\" helper will NOT set the Token Integrity\n    _(since it doesn't exist!)_, but it will STILL remove Token permissions.\n  - Setting the parent process does __NOT__ work.\n- Vista, Server 2008 and older\n  - Cannot evade ETW logs as the function calls do not exist.\n- Windows 8.1, Server 2012 and older\n  - Cannot evade ASMI as it is only present in Windows 10 and newer.\n\n### Compiling for Go1.10 (pre-modules)\n\nGolang version 1.11 introduced the concept of Golang Modules and made dependency\nmanagement simple. Unfortunately, Go1.10 (the last to support Xp, 2003, 2008\nand Vista) does __not__.\n\nTo work around this, we can just _vendor_ the packages, since the only dependencies,\nare the following PurpleSec modules:\n\n- [LogX: github.com/PurpleSec/logx](https://github.com/PurpleSec/logx)\n- [Escape: github.com/PurpleSec/escape](https://github.com/PurpleSec/escape)\n\nWhich we already make backwards compatible :D\n\nThese dependencies can be downloaded and used with the following commands:\n\n```bash\ngo mod vendor\nmkdir \"deps\"\nmv \"vendor\" \"deps/src\"\nmkdir \"deps/src/github.com/iDigitalFlame\"\nln -s \"$(pwd)\" \"deps/src/github.com/iDigitalFlame/xmt\"\nexport GOPATH=\"$(pwd)/deps\"\nexport GOROOT=\"\u003cpath to downloaded Go1.10 folder\u003e\"\n```\n\n_(Yes, I know you CAN use \"-o\" to specific the vendor directory, but that isn't_\n_supported until go1.18!)_\n\nThis should allow you to compile using the fullpath of the Go1.10 Golang binary.\n_(As long as you set your `GOROOT` and `GOPATH` correctly)_\n\n## TODO\n\nThese are some things I need to work on.\n\n- Documentation\n- Build tags list\n\n## References / Hightlights / Presentations\n\nBSides Las Vegas 2022: So you Wanta Build a C2?\n\n[Video](https://www.youtube.com/watch?v=uAfGtGlHLxs) /\n[Slides](https://public.idigitalflame.com/docs/so_you_wanta_build_a_c2.pdf)\n\n## Bugs\n\n_Updated 02/17/23_\n\n- Potential KeyPair sync issue over long periods of time. __Still needs more testing__\n\nFeel free to submit issue tickets or pull requests if something is broken or\ndoesn't act right. (I don't bite, mostly owo)\n\n## Thanks and Credits\n\n- [Geoff Chappell](https://www.geoffchappell.com) for his insights into various Windows API stuff\n- Package Monkey by @skx [github.com/skx/monkey](https://github.com/skx/monkey)\n- Package Otto by @robertkrimen [github.com/robertkrimen/otto](https://github.com/robertkrimen/otto)\n- Intern method by @bradfitz [tailscale.com/blog/netaddr-new-ip-type-for-go/](https://tailscale.com/blog/netaddr-new-ip-type-for-go/)\n  - Also the IP struct code and info.\n- mTLS insights by @kofoworola [kofo.dev/how-to-mtls-in-golang](https://kofo.dev/how-to-mtls-in-golang)\n- DLL loader by @monoxgas [github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)\n- Initial idea for MiniDump/DLL Reload by the Sliver C2 framework [github.com/BishopFox/sliver/](https://github.com/BishopFox/sliver/)\n- Untrust idea by @zha0gongz1 [golangexample.com/...](https://golangexample.com/without-closing-windows-defender-to-make-defender-useless-by-removing-its-token-privileges-and-lowering-the-token-integrity/)\n\n# Licenses\n\nXMT is covered by the GNU GPLv3 License\n\nThird-party Licenses:\n\n- [sRDI](https://raw.githubusercontent.com/monoxgas/sRDI/master/LICENSE) (GPLv3)\n- [Monkey](https://raw.githubusercontent.com/skx/monkey/master/LICENSE) (MIT)\n  - Only if [Monkey](https://github.com/skx/monkey) support is compiled in and enabled.\n- [Otto](https://raw.githubusercontent.com/robertkrimen/otto/master/LICENSE) (MIT)\n  - Only if [Otto](https://github.com/robertkrimen/otto) support is compiled in and enabled.\n- [LogX](https://raw.githubusercontent.com/PurpleSec/LogX/main/LICENSE) (Apache v2)\n- [Escape](https://raw.githubusercontent.com/PurpleSec/Escape/main/LICENSE) (Apache v2)\n\n[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Z8Z4121TDS)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidigitalflame%2Fxmt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fidigitalflame%2Fxmt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidigitalflame%2Fxmt/lists"}