Diffstat (limited to 'README.md')
-rw-r--r--  README.md  48
1 files changed, 48 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ded5576
--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+# VerifierDLLs
+
+This is an example of a Windows Application Verifier. This Windows
+feature lets developers import an arbitrary DLL into any application
+upon execution for testing/debugging purposes. It can be abused as a
+persistence mechanism, or to hook functions in a manner similar to
+LD_PRELOAD on *nix systems.
+
+
+https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/ms220948(v=vs.90)?redirectedfrom=MSDN
+
+Verifier DLLs will be loaded with the fdwReason parameter of DllMain()
+set to DLL_PROCESS_VERIFIER rather than DLL_PROCESS_ATTACH like a
+traditional DLL.
+
+Applicaion Verifiers have been abused as a persistence mechanism by
+sdbbot malware:
+
+https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
+
+```
+If the bot is running with admin privileges on a Windows version
+newer than Windows 7, persistence is established using the registry
+“image file execution options” method. The loader DLL component is
+written to “%SYSTEM%\mswinload0[.]dll” and added to the “VerifierDlls”
+value for “winlogon[.]exe”.
+```
+
+
+
+## Compiling
+`make.bat` will build this within a Developer Command Prompt.
+
+Architecture matters. Use the appropriate Developer Command Prompt
+shell and compiler to build this.
+
+## Installing
+
+1. Copy DLL to System32 folder
+2. Add registry key:
+`HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE`
+
+Values:
+* GlobalFlags REG_DWORD 256
+* VerifierDlls REG_SZ vrf.dll
+
+With this example configuration, vrf.dll will be loaded by PROGRAM.EXE
+each time it is ran.
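Review bot: the registry path in step 2 of the Installing section, `HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE`, mixes the PowerShell drive prefix with a missing backslash after the colon; write it either as `HKLM:\SOFTWARE\...` (PowerShell) or `HKEY_LOCAL_MACHINE\SOFTWARE\...` (reg.exe/regedit) so the step can be followed literally, and verify the value name against the linked Microsoft page, since the IFEO flag value is documented there as `GlobalFlag` (singular) with 0x100 (256) enabling the verifier. The section should also state that copying into System32 and writing under HKLM requires administrator rights, which the quoted Proofpoint passage already implies ("running with admin privileges"), and should add the matching removal step (delete the `VerifierDlls` and flag values under the IFEO key and remove the DLL) so a test host can be restored after the exercise. Minor style points in the same hunk: "Applicaion" should read "Application", "each time it is ran" should read "each time it is run", and the Proofpoint excerpt is quoted prose, so a `>` blockquote reads better than a code fence.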