[FEATURE REQUEST] C agent?
Description
Hi, just curious, is a C agent ever planned? It would allow for more advanced evasion techniques and memory obfuscation to be done more easily as compared to C#, Go, and PowerShell.
If not, is a custom agent spec planned?
Thanks!
Solution
C port of the agent, or custom agent spec docs
Alternatives
No response
Additional Context
Just a question :) Thanks!
I agree with the above and request the below:
Feature
Please consider adding the following features to the Empire agent, inspired by similar implementations in the Havoc Framework. These enhancements will improve the agent’s stealth, resilience, and execution flexibility.
1. Foliage Sleep Technique
- Reference: [Havoc - Obf.c](https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/core/Obf.c)
- Description: Implement the Foliage sleep obfuscation technique using `RtlCreateTimer` and other applicable Windows APIs. This method disguises sleep behavior to evade runtime analysis and sandbox detection.
2. Hardware Breakpoint (HwBp) Patching
- Reference: [Havoc - HwBpEngine.c](https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/core/HwBpEngine.c)
- Description: Integrate hardware breakpoint–based AMSI and ETW patching. This approach enables stealthier tampering with security hooks by leveraging debug registers instead of traditional memory patching, minimizing detection by heuristic engines.
3. Syscall Support (Direct and Indirect)
- Reference: [Havoc - Syscalls.c](https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/core/Syscalls.c)
- Description: Add support for both direct and indirect syscalls to bypass user-mode hooks and improve evasion against EDR solutions. This will enhance the reliability of critical operations such as memory allocation, injection, and thread creation.
✅ Summary
Implementing these features would significantly increase the stealth and resilience of the Empire agent against advanced detection mechanisms, aligning it more closely with modern red team and adversary simulation tradecraft.
Feature Request: Add a Fully Featured C Agent for Adversary Emulation and Red Teaming
Hi team,
First off, I want to say the framework is already impressive — stable, well-structured, and clearly built with serious capability in mind. The only major piece missing is a C-based agent that matches the functionality and flexibility of industry-grade adversary emulation and red-team frameworks.
A mature C agent would bring massive value to operators performing adversary simulation, threat emulation, and penetration testing, and it’s one of the most requested components in the community right now.
Why it matters
Red teams and researchers increasingly need agents that demonstrate realistic tradecraft for training and defensive testing. Techniques such as sleep obfuscation (e.g., Ekko, Zilean, or Foliage), hardware breakpoints for AMSI/ETW patching, and indirect/direct syscalls are not niche anymore — they’re standard in modern frameworks. Supporting these makes the framework relevant for both offensive simulation and defensive research.
References for Implementation
If you don’t want to build everything from scratch, there are existing open-source projects with reusable code and permissive licenses:
- MIT License: [AceLdr](https://github.com/kyleavery/AceLdr)
- MIT License: [BokuLoader](https://github.com/boku7/BokuLoader)
- GNU GPL v3.0: [Havoc (Demon Payload)](https://github.com/HavocFramework/Havoc/tree/main/payloads/Demon)
These can be used as architectural or code references within their license terms. Leveraging them would speed up development and align the project with current tradecraft standards.
Community and Sponsorship
I genuinely believe that adding a capable C agent would attract thousands of users and potential sponsors. There’s significant demand for a modern, open-source framework that keeps up with realistic adversary behavior. Implementing this would be a huge win for both red and blue teams — benefiting researchers, detection engineers, EDR developers, and SOC analysts alike.
Summary
A well-built C agent would complete the framework and solidify its place among the top-tier open-source tools in this space. It’s the only missing piece in an otherwise excellent project, and adding it would be a major step forward for the community.
@Cx01N @vinnybod
I agree, a C agent is something we need. I think the biggest thing holding us back is we don't have anyone on the team that is good at C. We are always looking for help if anyone wants to lend a hand.
Are there any docs on developing custom Empire agents, or a spec for one? Documenting what is required from the implant by the server side would help a lot for people who can do implant dev but don't really want to go learn the server internals. Personally I wouldn't mind giving it a shot to at least make a barebones C agent as a starter to build on further if I get some time.
That's probably a good idea for something for us to start. Currently, the docs give some info, but it could be much better.