Windows C / BuildCommDCBAndTimeoutsA
Author | Huntress Research Team |
Platform | Windows |
Language | C |
Technique | BuildCommDCBAndTimeoutsA |
Description:
This C program, compiled on Windows, tests whether it is running in an emulation environment by passing a bogus device string to BuildCommDCBAndTimeouts. On a genuine Windows system the call fails, because the string cannot be parsed as a serial-port configuration. If the call succeeds, the program terminates itself: an API that accepts a malformed device string is likely an emulated stand-in rather than the real Windows implementation.
Code
// $ x86_64-w64-mingw32-gcc -o main.exe main.c
#include <windows.h>
#include <stdio.h>

int main(void)
{
    printf("[*] Running...\n");

    // Real output structures: on success BuildCommDCBAndTimeouts writes the parsed settings here,
    // so the check exercises the string parser rather than a NULL-pointer guard.
    DCB dcb = {0};
    COMMTIMEOUTS timeouts = {0};
    dcb.DCBlength = sizeof(dcb);

    // If we pass a bogus device string into this API call, the return value should always be zero to indicate failure.
    // The hypothesis here is that if this API call ever succeeds, it is in some kind of emulation environment that will allow a bogus device string.
    // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-buildcommdcbandtimeoutsa
    // device string from the POC: "jhl46745fghb"
    // properly formatted device string: "COM1:9600,n,8,1"
    if (BuildCommDCBAndTimeouts("jhl46745fghb", &dcb, &timeouts))
    {
        // The parser accepted garbage: treat this as an emulator and exit before reaching the payload.
        printf("[*] Nope.\n");
        TerminateProcess(GetCurrentProcess(), 0);
        return 0;
    }

    // Genuine Windows rejects the string, so execution continues to the payload.
    printf("[+] Boom!\n");
    return 0;
}
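The check above only asks one question: does the API accept garbage? An emulator that fails every call (or does not implement the API at all) would pass that test while still not behaving like real Windows. The following PowerShell probe is an added example, not code from the original page or from the Huntress Research Team; it calls BuildCommDCBAndTimeoutsA through P/Invoke with both a positive control (the well-formed string from the page) and the bogus string, and records GetLastError for each, so an analyst can run it inside a sandbox or emulator and see which side of the expected behaviour it deviates on. The type name CommProbe and the function Test-CommDcbString are names chosen here, not anything from the page.

```powershell
# Added example: probe BuildCommDCBAndTimeoutsA with a control string and a bogus string.
# CommProbe / Test-CommDcbString are names invented for this example.
$sig = @'
using System;
using System.Runtime.InteropServices;

public static class CommProbe
{
    // Layout mirrors the Win32 DCB structure (28 bytes); the bitfield block becomes one uint.
    [StructLayout(LayoutKind.Sequential)]
    public struct DCB
    {
        public uint DCBlength;
        public uint BaudRate;
        public uint Flags;
        public ushort wReserved;
        public ushort XonLim;
        public ushort XoffLim;
        public byte ByteSize;
        public byte Parity;
        public byte StopBits;
        public sbyte XonChar;
        public sbyte XoffChar;
        public sbyte ErrorChar;
        public sbyte EofChar;
        public sbyte EvtChar;
        public ushort wReserved1;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct COMMTIMEOUTS
    {
        public uint ReadIntervalTimeout;
        public uint ReadTotalTimeoutMultiplier;
        public uint ReadTotalTimeoutConstant;
        public uint WriteTotalTimeoutMultiplier;
        public uint WriteTotalTimeoutConstant;
    }

    [DllImport("kernel32.dll", EntryPoint = "BuildCommDCBAndTimeoutsA", SetLastError = true, CharSet = CharSet.Ansi)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool BuildCommDCBAndTimeouts(string lpDef, ref DCB lpDCB, ref COMMTIMEOUTS lpCommTimeouts);
}
'@
Add-Type -TypeDefinition $sig

function Test-CommDcbString {
    param([Parameter(Mandatory)][string]$DeviceString)

    $dcb = New-Object -TypeName 'CommProbe+DCB'
    $dcb.DCBlength = [System.Runtime.InteropServices.Marshal]::SizeOf($dcb)
    $timeouts = New-Object -TypeName 'CommProbe+COMMTIMEOUTS'

    $ok  = [CommProbe]::BuildCommDCBAndTimeouts($DeviceString, [ref]$dcb, [ref]$timeouts)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    [pscustomobject]@{
        DeviceString = $DeviceString
        Succeeded    = $ok
        LastError    = $err
        BaudRate     = $dcb.BaudRate   # populated from the string only when parsing succeeded
    }
}

# Positive control from the page, then the bogus string from the PoC.
$valid = Test-CommDcbString -DeviceString 'COM1:9600,n,8,1'
$bogus = Test-CommDcbString -DeviceString 'jhl46745fghb'
$valid, $bogus | Format-Table -AutoSize

if ($bogus.Succeeded) {
    '[*] Bogus device string accepted: the API is not behaving like real Windows (emulation likely).'
} elseif (-not $valid.Succeeded) {
    '[*] Well-formed device string rejected too: the API is stubbed or absent, which is also suspicious.'
} else {
    '[+] Behaviour matches a genuine Windows system.'
}
```

Run this from an interactive PowerShell session on the host or sandbox under test. On a genuine Windows system the first row reports Succeeded = True (the string parses even though no COM1 hardware is opened) and the second reports Succeeded = False; any other combination means the environment's BuildCommDCBAndTimeoutsA does not match the real implementation, which is the signal the C check relies on.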
Created
March 20, 2024
Last Revised
April 22, 2024