What is Crystal?
Could Crystal be the next go-to language for malware development?
Introduction
Most of the programs I write, whether malware or tools, are usually written in Go. However, I recently came across this blog post from RastaMouse about Crystal, a language I hadn't heard of before. Crystal has some really cool features that make it a prime candidate for writing malware: C-bindings, LLVM, inline assembly, cross-platform support, and the list goes on. So let's explore and learn Crystal for malware development.
Getting Started
The obvious first step when starting with a new language is the classic hello world. In Crystal this is pretty simple.
First, you initialize a new Crystal app with the crystal init app command:
crystal init app hello-world
Next, in the generated src directory, you can print hello world with the following line of code:
puts("Hello, World!")
Finally you can run this with:
> crystal run hello-world.cr
Hello, World!
C-Bindings
One of the coolest features of Crystal is its support for C-Bindings. By using @[Link("dll")] we can pass a library name to the linker.
Example:
@[Link("kernel32")]
lib Kernel32
  fun ExitProcess(exitCode : LibC::UInt) : NoReturn
end
Kernel32.ExitProcess 1337
We can then run the above:
PS C:\> crystal run c.cr
PS C:\> $LASTEXITCODE
1337
Running Assembly From Crystal
Crystal has the capability to run inline assembly with the asm keyword. An example from the documentation is:
dst = 0
asm("mov $$1234, $0" : "=r"(dst))
puts(dst)
Running this code outputs the following:
> crystal run asm.cr
1234
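Both features leave clear markers in source: a @[Link(...)] annotation followed by a lib block of fun declarations, and calls to asm(...). The following Python script is an added example, not code from the original post or from the Crystal project; it lists the native functions a Crystal source file binds and the lines that use inline assembly, which is useful when reviewing an unfamiliar Crystal code base. The audit function, its regular expressions and the sample input are assumptions made for this illustration.

```python
import re
# Constructed sample: the two Crystal snippets from this page in one file.
SAMPLE = '''\
@[Link("kernel32")]
lib Kernel32
  fun ExitProcess(exitCode : LibC::UInt) : NoReturn
end
Kernel32.ExitProcess 1337
dst = 0
asm("mov $$1234, $0" : "=r"(dst))
# asm("nop") inside a comment is ignored
puts(dst)
'''

LINK_RE = re.compile(r'^\s*@\[Link\((.*)\)\]')
LIB_RE = re.compile(r'^\s*lib\s+([A-Z]\w*)')
FUN_RE = re.compile(r'^\s*fun\s+(\w+)(?:\s*=\s*"?([\w.]+)"?)?')
NEST_RE = re.compile(r'^\s*(struct|union|enum)\b')  # blocks nested in a lib
END_RE = re.compile(r'^\s*end\b')
ASM_RE = re.compile(r'\basm\s*\(')

def audit(source):
    """Return (bindings, asm_lines) for one Crystal source string."""
    bindings, asm_lines = [], []
    links, lib, depth = [], None, 0
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("#", 1)[0]  # naive comment strip; assumes no '#' in strings
        if lib is None:
            m = LINK_RE.match(line)
            if m:  # the annotation applies to the lib block that follows
                links += re.findall(r'"([^"]*)"', m.group(1))
                continue
            m = LIB_RE.match(line)
            if m:
                lib, depth, links = {"lib": m.group(1), "links": links, "funs": []}, 1, []
            elif ASM_RE.search(line):
                asm_lines.append(lineno)
            continue
        m = FUN_RE.match(line)
        if m:  # 'fun alias = c_name(...)' binds c_name; record the C symbol
            lib["funs"].append(m.group(2) or m.group(1))
        elif NEST_RE.match(line):
            depth += 1
        elif END_RE.match(line):
            depth -= 1
            if depth == 0:  # the 'end' that closes the lib block itself
                bindings.append(lib)
                lib = None
    return bindings, asm_lines
```

Calling audit(SAMPLE) reports the Kernel32 binding to ExitProcess and the asm call on line 7 of the sample.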
Conclusion
In conclusion, I think Crystal will be a very fun language to try and learn and utilize for malware and maybe some cool tools as well. If you want to read more about Crystal, you can find their documentation here.