Installation
Before we get into how to use it, we first need to install our tool. There are a few ways to do that.
Ways of installation
Here are all the ways you can install our tool. Just use whatever you like best.
Cargo and Windows SDK are required
Our tool is based on Rust and the Windows API, so if you're building it from crates.io or the source, you'll need the Windows SDK and Cargo.
With crates.io
To install it using crates.io, just enter this command in your preferred terminal:
cargo install malware-traces-generator
Build it from source
Here's what you need to do if you want to build from the source:
- Clone the repository
git clone https://github.com/frack113/MalwareTracesGenerator/
- Build and run the project!
cargo run --release
Cross compilation
Linux
There are a few ways to do this. The easiest is to use xwin and set Cargo to use these files when targeting the x86_64-pc-windows-msvc triple. You can use Wine to run the executable.
Here is a sample configuration:
[target.x86_64-pc-windows-msvc]
linker = "lld"
runner = "wine"
rustflags = [
"-Lnative=PATH_TO_XWIN/crt/lib/x86_64",
"-Lnative=PATH_TO_XWIN/sdk/lib/um/x86_64",
"-Lnative=PATH_TO_XWIN/sdk/lib/ucrt/x86_64"
]
You can put this file in your Cargo location or in the .cargo folder of your project, depending on what you want to achieve.
Mac
We don't use Mac in our team, so we're not sure how to handle cross-compilation of programs that use the Windows API.
Quick examples
Now that the tool is installed, we can start using it! The easiest way to do this is to generate a simple trace. For example, to generate a Parent Process Identifier Spoofing trace, you simply need to type this in your favorite terminal:
mtg traces processes spoofing "cargo.exe" "explorer.exe"
Alternatively, you can generate traces using a generation file. In this file you describe which traces you want to generate and with which configuration. Here is a simple example that generates two Parent Process Identifier Spoofing traces:
[metadata]
name = "Parent Process Identifier Spoofing"
version = "0.0.1"
references = []
[[traces]]
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "explorer.exe"
[[traces]]
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "firefox.exe"
- The [[traces]] line has to come before each trace declaration. It declares one entry in the array of tables named "traces"; the [traces.spoofing] table that follows belongs to that entry. If you want more info, check out the generation file documentation.
Generation file
Generating a single trace can be useful, but our tool is really intended to be used via a generation file. With that, you can easily create complex scenarios that use multiple traces to mimic real and complex malware behaviors.
Order of execution
Keep in mind that traces are created top to bottom, as defined in their generation file.
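As an added illustration of the generation file described above and of the top-to-bottom execution order, this script (not part of the tool's own code base) parses a generation file and lists the traces in the order they would be generated. The sample file is a constructed copy of the two-trace example; the required-key table covers only the spoofing trace documented here and is an assumption, not the tool's schema. It needs Python 3.11+ for tomllib (or the tomli package on older interpreters).

```python
try:
    import tomllib  # Python 3.11+ standard library
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample mirroring the two-trace example from the documentation.
SAMPLE_GENERATION_FILE = """
[metadata]
name = "Parent Process Identifier Spoofing"
version = "0.0.1"
references = []

[[traces]]
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "explorer.exe"

[[traces]]
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "firefox.exe"
"""

# Required keys per trace kind. Only 'spoofing' appears on this page, so this
# mapping is an assumption for validation purposes, not the tool's own schema.
REQUIRED_KEYS = {"spoofing": {"executable", "parent_executable"}}


def load_generation_file(text: str) -> dict:
    """Parse the TOML and check the structure shown in the documentation."""
    doc = tomllib.loads(text)
    for key in ("name", "version", "references"):
        if key not in doc.get("metadata", {}):
            raise ValueError(f"metadata.{key} is missing")
    traces = doc.get("traces")
    if not isinstance(traces, list) or not traces:
        raise ValueError("at least one [[traces]] entry is required")
    for index, trace in enumerate(traces, start=1):
        if len(trace) != 1:  # each [[traces]] entry holds exactly one kind
            raise ValueError(f"trace #{index} must define exactly one trace kind")
        kind, params = next(iter(trace.items()))
        missing = REQUIRED_KEYS.get(kind, set()) - set(params)
        if missing:
            raise ValueError(f"trace #{index} ({kind}) is missing {sorted(missing)}")
    return doc


def execution_plan(text: str) -> list[tuple[int, str, dict]]:
    """Return (position, kind, parameters) in the order the traces are created."""
    doc = load_generation_file(text)
    return [(i, kind, params) for i, trace in enumerate(doc["traces"], start=1)
            for kind, params in trace.items()]


if __name__ == "__main__":
    for position, kind, params in execution_plan(SAMPLE_GENERATION_FILE):
        print(position, kind, params)
```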