Programming language for Remote Access Toolkit


#1

Hey,

I was just wondering which programming language would be the proper one to use for a RAT.

One would obviously want the program to be hard to reverse engineer but also to be deployed on different systems (cross-platform). Network traffic should be hidden as well as possible too.

My (somewhat) educated guess here is that Java would make sense for a cross-platform tool but is pretty easy to reverse engineer. C/C++ could be hard to reverse engineer but hard to write cross-platform. C# could be a good option but I don’t know enough about this language.

Are there any other languages that would make sense or what do you guys think?


(EternalEclipse) #2

It depends on the purpose of this RAT and the techniques you intend to use. Using low level languages like C or C++ is not going to automatically make reverse engineering your binary harder. The key here is to understand what scenarios it’s designed to evade (Getting caught by AV, Network analysis, Manual reverse engineering), thinking about what techniques you want to use and then looking at your options.

If you want to do low-level stuff like import and section encryption, in-memory image loading, API hooks, code injection etc then yeah, C / C++ with some Assembly modules is probably the easiest way to go because they communicate directly with the native OS interfaces. Any of that stuff is obviously going to be OS-specific but you can encapsulate these parts.

C# and Powershell are not very far away from these interfaces, the CLR is very flexible and you can call any Windows API you’d like and load native code. There are PE and shellcode loaders for them, it just requires dealing with another layer of abstraction, casting data types, pointers and such. Detecting and dealing with different .Net versions is also quite a hassle. As for Powershell, it suffers from the same problems but at least your code runs under a recognized process.

I’d also consider Rust and Go, since they are both low-level (Rust is equivalent to C, Go has a GC and does some things in the background but still basically compiles to native code), modern, have good libraries / docs and nice wrappers for network and IO.


#3

Reversing C applications is usually easier than one written in an object oriented language.


(Leader & Offsec Engineer) #4

Go!

Go is largely under-valued IMO in the malware space as it can be fully cross-compiled.


#5

That’s really interesting. Go didn’t come to my mind here but I wanted to learn it anyways. Thanks for all the responses!


(fxbg) #6

Java and any .NET related language is definitely not the choice here. But it has already been said, it’s not so much about the language. I read a topic on here the other day that was exactly like this thread, I suggest doing a little bit of searching on this forum. Also, I suggest you look into something about RSA or PGP, since unlocking whatever is on the end of the RAT is what people want.

Recently there was a counterfeiter involved in a shootout, he died, but the Secret Service is still trying to unlock his computers because of the encryption on them. The same principles could apply to any malware. The encryption is the key. (no pun intended)


#7

I might be wrong but it looks like there are two issues with your question:

  1. You don’t know what you want except that you want to infect as many people as possible, for whatever (malicious?) reason,
  2. You don’t know how you want it because you don’t understand the underlying technology.

I’m going to assume you haven’t properly thought out your scope and your threat model, though you may just be hiding it from us to, say, conceal intent. Repeating what @EternalEclipse has already stated, there are multiple solutions to one problem, that’s what engineering is, coming up with multiple solutions for a single problem. What’s also engineering is the process of designing the solution to tackle the issue sufficiently and effectively. Each problem has its own unique set of circumstances and rules and so everything “depends” on the situation - there is usually no universal and generic answer. It seems that you’ve addressed none of these before asking for assistance, so I ask you, what exactly do you want us to say? We don’t even know what you’re looking for. Do you know what you’re looking for?

From what I know, Go’s OS API libraries aren’t quite mature or developed and so unless you want to spend time to define things yourself, I can’t see it as being a decent language to go towards for malware development except maybe for the sole purpose of creating a unique sample. If anything, I’d say Rust is the more appropriate language(?)


(Leader & Offsec Engineer) #8

Any sources to suggest Go is not mature?

Do you mean like WinAPI?

@fraq


#9

Late last year when I was looking to learn Go, I browsed around to find some libraries for WinAPI and didn’t really find many that were, or seemed, complete. I might be wrong. ¯\_(ツ)_/¯


(EternalEclipse) #10

The w32 bindings are quite reliable actually. It should be noted that as of now Go DLLs are officially supported and easy to generate, and other APIs received a decent makeover and things keep improving.

I agree Go has some downsides, especially when it comes to things like messing with the loader, where things get pretty involved. Rust is superior in that aspect.


(Full Snack Developer) #11

I’ve not used Go’s windows bindings extensively yet. Just when I cross-compile a pure-Go app.


(mirage) #12

Go language is good, but its output file is large.