Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution before execution; typically via native utilities such as csc.exe or GCC/MinGW.

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex:EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with bundled compiler and execution framework.

Example:

The .NET Framework includes a mechanism called the Code Document Object Model (CodeDOM) that enables developers of programs that emit source code to generate source code in multiple programming languages at run time, based on a single model that represents the code to render. Sometimes developers need it, and .NET Framework makes it possible. For example, the following C# code compiles the C# code assigned to the "code" variable during execution and runs it.

Here is a sample code with C#

Any part from the "string code" section will get compiled and executed when the application runs.

Reference:

SpookFlare: Stay In Shadowswith knowledge comes power

PreviousSteganography NextIndicator Removal from Tools

Last updated 3 years ago