// Constructing a large C/C++ Example private static IAttack LargeCCxxExample() { var samplesOutput = new SamplesOutput(); var attackName = "LargeCCxx"; var attack = new Attack(new IOutput[] { samplesOutput, }, name: attackName); // spawn notepad var createProcessSource1 = new CreateProcess("notepad"); // spawn calc var createProcessSource2 = new CreateProcess("calc"); // returns the we specified path var targetPathSource = new StaticTargetPathCCxxSource(@"C:\Users\Public\baby.txt"); // returns the data we specified var fileResourceSource = new StaticFileResourceCCxxSource(new byte[] { 0x65, 0x65, 0x65, 0x65 }); // Drop a file to disk (drop the file "C:\Users\Public\baby.txt" to disk with contents "AAAA") var writeFileSource = new WriteFileResourceCCxxSource <StaticTargetPathCCxxSource, StaticFileResourceCCxxSource>(targetPathSource, fileResourceSource); // Call a series C functions in order var functionCallsSource = new SequentialFunctionCallCCxxSource(new IParameterlessCFunction[] { createProcessSource1, writeFileSource }); // Limit to at most 1 running instance of this code at a time by creating a Global mutex. Only 1 process can have an open handle to a global mutex at a time var mutexSource = new MutexSingletonCCxxSource(functionCallsSource, mutexName: @"Global\SomeMutexName"); // Check a conditional statement, (check if a debugger is attached) var antidebuggerSource1 = new NotIsDebuggerPresentCCxxSource(); // Returns true if it's safe to execute (No debugger is attached) var antidebuggerSource2 = new RemoteDebuggerCCxxSource(); // Retruns true if it's safe to execute (No debugger is attached) var ifElseSource = new IfElseFunctionCallCCxxSource( "{0} && {1}", // If this boolean expression is true new IParameterlessCFunction[] { antidebuggerSource1, antidebuggerSource2 }, trueCaseFunction: mutexSource, // Then execute this falseCaseFunction: createProcessSource2); // Otherwise execute this var createThreadSource = new CreateThreadCCxxSource(ifElseSource); // Create a new thread and execute this var exeWinMainSource = new FunctionCallExeWinMainCCxxSource(createThreadSource); var exeSource = exeWinMainSource; // Summary, // In the main function (WinMain), // Create a thread // In the new thread, Check if a debugger is present using the IsDebuggerPresent technique and the CheckRemoteDebuggerPresent technique // If a debugger is attached, // spawn calc // Else // debuger is not attached // create a mutex. If the mutex is free, // Spawn notepad // Drop C:\Users\Public\baby.txt to disk var createProcessExeStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(exeSource); var createProcessExe = ((ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.Msvc.Linker()).Link(createProcessExeStaticLibrary); samplesOutput.Add("LargeCCxx.exe", createProcessExe); // Double click the to confirm that notepad spawns. // Open the sample in WinDbg to confirm that calc spawns when a debugger is attached attack.Generate(); return(attack); }
// C/C++ with MSVC Example private static IAttack CCxxMsvcExample() { var samplesOutput = new SamplesOutput(); var attackName = "CCxxMsvc"; var attack = new Attack(new IOutput[] { samplesOutput, }, name: attackName); var cmdline = "notepad"; // any commandline // CreateProcess is C/C++ code that will create a process using Kernel32!CreateProcessA var createProcessSource = new CreateProcess(cmdline); // FunctionCallExeWinMainCCxxSource is C/C++ code containing a template WinMain implentation that calls the inputs entry point function var createProcessExeSource = new FunctionCallExeWinMainCCxxSource(createProcessSource); // createProcessExeSource contains the code for WinMain AND the code to create a process from createProcessSource // C/C++ code can be compiled using the MSVC toolchain // StaticLibrary represents compiled code // Msvc.Compiler accepts Msvc.Compiler.Config as an argument. If None is specifed, then the default is used. The default is good for the majority of cases // (ICCxxCompiler<Win64ObjectFile>) means that this is a C/C++ Compiler that produces object files of type Win64ObjectFile (MSVC's object format for 64-bit code) var createProcessExeStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(createProcessExeSource); // The Linker is used to create an executable using the compiled code from the compilation step // Msvc.Linker accepts Msvc.Linker.Config as an argument. If None is specifed, then the default is used. The default is good for the majority of cases // (ILinker<Win64ObjectFile, Executable>) means that this is a Linker that access object files of type Win64ObjectFile and produces executables of type Executable (.exe) var createProcessExe = ((ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.Msvc.Linker()).Link(createProcessExeStaticLibrary); // The MSVC toolchain can also be used to create a DLL from C/C++ source // CreateProcess implements the interface ICFunction. ICFunction represents a callable (using the C calling convention) function. The property "Name" of ICFunction is representative of the function's (unmangled) symbol name var exportedFunctionName = ((ICFunction)createProcessSource).Name; // DLLs can export functions for other programs to call var createProcessDllSource = new SkeletonDllMainCCxxSource(createProcessSource, exportedFunctions: new[] { exportedFunctionName }); var createProcessDllStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(createProcessDllSource); // Msvc.Linker must be explictly told what function(s) to export // (ILinker<Win64ObjectFile, Executable>) means that this is a Linker that access object files of type Win64ObjectFile and produces executables of type DynamicLinkLibrary (.dll) var createProcessLinkerConfig = new MyWarez.Plugins.Msvc.Linker.Config(exportedFunctions: createProcessDllSource.ExportedFunctions); var createProcessDll = ((ILinker <Win64ObjectFile, DynamicLinkLibrary>) new MyWarez.Plugins.Msvc.Linker(createProcessLinkerConfig)).Link(createProcessDllStaticLibrary); samplesOutput.Add("CCxxMsvcNotepad.exe", createProcessExe); // Double click to confirm that notepad spawns samplesOutput.Add("CCxxMsvcNotepad.dll", createProcessDll); // run: "rundll32 Sample8Notepad.dll,CreateProcessFunction" to confirm that notepad spawns attack.Generate(); return(attack); }