As an attacker or defender developing software, one obviously needs to decide which language makes the most sense to use. Ideally, a language won’t be chosen simply because it is what the developer is most comfortable with. Rather, a language should be chosen based on answering a series of questions such as the following:
- What are my primary target execution environments?
- What is the state of detection and logging for payloads written in this language?
- To what level does my software need to maintain stealth (for example, memory residence)?
- How well is the language supported for both the client side and the server side?
- Is there a sizable community developing in this language?
- What is the learning curve and how maintainable is the language?

C# has some compelling answers to these questions. As to the question about the target execution environment, .NET should be an obvious candidate for consideration in a Microsoft-heavy environment because it has been packaged with Windows for years. However, with the open-sourcing of .NET, C# is now a language that can drive a mature runtime on every operating system. Naturally, it should be considered an extremely enticing language for true cross-platform support.