What is Crystal?
Could Crystal be the next go-to language for malware development?
Introduction
Most of the programs I write, whether that be malware or a tool, is usually written in Go. However, I recently came across this blog post from RastaMouse about a Crystal, a language I hadn't heard of before. Crystal has some really cool features that make it a prime candidate for writing malware. C-bindings, LLVM, inline assembly, cross-platform, the list of features this language has goes on and on. So lets explore and learn Crystal for malware development.
Getting Started
The obvious first step when starting with a new language, is to do the classic hello world. Crystal is pretty simple.
First you initialize a new Crystal app with the crystal init app command:
crystal init app hello-worldNext, in the generated src directory, you can print hello world with the following line of code:
puts("Hello, World!")Finally you can run this with:
> crystal run hello-world.cr
Hello, World!C-Bindings
One of the coolest features of Crystal is its ability for C-Bindings. By using @[Link("dll")] we can pass a library name to the linker.
Example:
@[Link("kernel32")]
lib Kernel32
fun ExitProcess(exitCode : LibC::UInt) : NoReturn
end
Kernel32.ExitProcess 1337We can than run the above:
PS C:\> crystal run c.cr
PS C:\> $LASTEXITCODE
1337Running Assembly From Crystal
Crystal has the capability to run inline assembly with the asm keyword. An example from the documentation is:
dst = 0
asm("mov $$1234, $0" : "=r"(dst))
puts(dst)Running this code outputs the following:
> crystal run asm.cr
1234Conclusion
In conclusion, I think Crystal will be a very fun language to try and learn and utilize for malware and maybe some cool tools as well. If you want to read more about Crystal, you can find their documentation here.
References
Last updated