(C) BuildCommDCBAndTimeoutsA by Huntress Research Team

Created on Wednesday 20 March 2024. Updated 5 days, 8 hours ago.

Description:

This C program, compiled on Windows, tests whether it is running in an emulation environment by passing a bogus device string to BuildCommDCBAndTimeouts. On a genuine Windows system the call fails, so if it succeeds the program terminates itself, on the grounds that only an emulator which accepts any device string would report success.

Code

// Build on Windows with MinGW:
// $ x86_64-w64-mingw32-gcc -o main.exe main.c

#include <windows.h>
#include <stdio.h>

int main(void)
{
    printf("[*] Running...\n");
    HANDLE currentProcess;

    // BuildCommDCBAndTimeouts writes its results into these structures on success.
    // Real output buffers are supplied so that an environment which (wrongly) returns
    // success cannot make the call write through a NULL pointer.
    DCB dcb;
    COMMTIMEOUTS timeouts;
    ZeroMemory(&dcb, sizeof(dcb));
    dcb.DCBlength = sizeof(dcb);
    ZeroMemory(&timeouts, sizeof(timeouts));

    // If we pass a bogus device string into this API call, the return value should always be zero to indicate failure.
    // The hypothesis here is that if this API call ever succeeds, it is in some kind of emulation environment that will allow a bogus device string.
    // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-buildcommdcbandtimeoutsa

    // device string from the POC: "jhl46745fghb"
    // properly formatted device string: "COM1:9600,n,8,1"
    if (BuildCommDCBAndTimeouts("jhl46745fghb", &dcb, &timeouts))
    {
        // A genuine Windows system never reaches this branch: the bogus string is rejected.
        printf("[*] Nope.\n");
        currentProcess = GetCurrentProcess();
        TerminateProcess(currentProcess, 0);
    }

    printf("[+] Boom!\n");

    return 0;
}