As an example, one of the most basic malware techniques for injecting into a process to get a C2 beacon goes like this:
Get a handle to a process -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Now writing this in C/C++ is quite native, as it can easily communicate with the WinAPI. Are there any benefits in writing this in another programming language such as Golang or Rust to fight against EDR, not just an AV with static analysis checks? More specifically, EDRs that hook those WinAPI calls with a JMP?
My question comes from the rise of .NET and C# with a lot of use cases, such as using the LOLBAS csc.exe to compile on the machine, or execute-assembly to load .NET assemblies in an unmanaged codespace or process. However, this still uses the WinAPI via P/Invoke (and now D/Invoke).
- Are there any benefits in using other programming languages to call WinAPI functions to fight against EDR?
- Are there any other ways of creating malware (e.g. a dropper) besides calling the WinAPI?
- Like with .NET and C#, will there be a new rise in existing (other) languages such as Go or Rust?
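The defender's side of the chain in the post is worth seeing in code: what a hooking EDR correlates is the cross-process sequence VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread from one caller against another process, and that sequence looks the same whether the caller was compiled from C, Go, Rust or C#. The following is an added example, not code from the post or from any EDR product; it runs a simple stage-tracking detector over constructed telemetry records (the `ApiEvent` shape, the five-second window and all pids are assumptions made for the illustration).

```python
from dataclasses import dataclass

# Constructed telemetry record (not real EDR output): one record per observed
# WinAPI call, roughly what a user-mode hook or ETW consumer could surface.
@dataclass(frozen=True)
class ApiEvent:
    ts: float        # seconds since start of the capture
    pid: int         # process making the call
    api: str         # WinAPI function name
    target_pid: int  # process the handle refers to (== pid for local calls)

# The remote-injection chain from the post, in the order it must occur.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def find_remote_injection(events, window=5.0):
    """Return (pid, target_pid, start_ts) for every caller that completes the
    chain against a *different* process within `window` seconds.

    Local calls (target_pid == pid) are ignored: allocating memory or starting
    a thread in your own process is ordinary program behaviour, and flagging
    it would bury the real signal in noise.
    """
    # state[(caller, target)] = (next stage expected, timestamp of stage 0)
    state = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.target_pid == ev.pid:
            continue
        key = (ev.pid, ev.target_pid)
        stage, start = state.get(key, (0, ev.ts))
        if ev.ts - start > window:
            # Partial chain went stale; start over from this event.
            stage, start = 0, ev.ts
        if ev.api == INJECTION_CHAIN[stage]:
            stage += 1
        elif ev.api == INJECTION_CHAIN[0]:
            # A fresh VirtualAllocEx restarts the chain for this pair.
            stage, start = 1, ev.ts
        if stage == len(INJECTION_CHAIN):
            hits.append((ev.pid, ev.target_pid, start))
            state.pop(key, None)
        else:
            state[key] = (stage, start)
    return hits


# Constructed sample: one benign local allocation, one complete remote
# injection (pid 4321 -> 5555), and one pair whose steps are too far apart.
SAMPLE_EVENTS = [
    ApiEvent(0.0, 1200, "VirtualAlloc", 1200),
    ApiEvent(1.0, 4321, "VirtualAllocEx", 5555),
    ApiEvent(1.2, 4321, "WriteProcessMemory", 5555),
    ApiEvent(1.3, 4321, "CreateRemoteThread", 5555),
    ApiEvent(2.0, 700, "VirtualAllocEx", 9000),
    ApiEvent(20.0, 700, "WriteProcessMemory", 9000),
    ApiEvent(20.1, 700, "CreateRemoteThread", 9000),
]


def detect_sample():
    """Run the detector over the constructed sample."""
    return find_remote_injection(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, target, start in detect_sample():
        print(f"remote injection chain: pid {pid} -> pid {target} (started t={start}s)")
```

The point the example makes for the question above is that the detection keys on behaviour (who allocated, wrote and started a thread in whom, and how quickly), not on the language or runtime that produced the calls; a real product adds much more context (process lineage, memory protection flags, signer of the caller), but the correlation logic is the same shape.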