From 8e362ebc3c07c6786914508a4d37f0dfec5959c7 Mon Sep 17 00:00:00 2001 From: daniel Date: Wed, 7 May 2025 08:31:50 -0700 Subject: initial commit --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 README.md (limited to 'README.md') diff --git a/README.md b/README.md new file mode 100644 index 0000000..ded5576 --- /dev/null +++ b/README.md 
@@ -0,0 +1,48 @@ +# VerifierDLLs + +This is an example of a Windows Application Verifier. This Windows +feature lets developers import an arbitrary DLL into any application +upon execution for testing/debugging purposes. It can be abused as a +persistence mechanism, or to hook functions in a manner similar to +LD_PRELOAD on *nix systems. + + +https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/ms220948(v=vs.90)?redirectedfrom=MSDN + +Verifier DLLs will be loaded with the fdwReason parameter of DllMain() +set to DLL_PROCESS_VERIFIER rather than DLL_PROCESS_ATTACH like a +traditional DLL. + +Applicaion Verifiers have been abused as a persistence mechanism by +sdbbot malware: + +https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader + +``` +If the bot is running with admin privileges on a Windows version +newer than Windows 7, persistence is established using the registry +“image file execution options” method. The loader DLL component is +written to “%SYSTEM%\mswinload0[.]dll” and added to the “VerifierDlls” +value for “winlogon[.]exe”. +``` + + + +## Compiling +`make.bat` will build this within a Developer Command Prompt. + +Architecture matters. Use the appropriate Developer Command Prompt +shell and compiler to build this. + +## Installing + +1. Copy DLL to System32 folder +2. Add registry key: +`HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE` + +Values: +* GlobalFlags REG_DWORD 256 +* VerifierDlls REG_SZ vrf.dll + +With this example configuration, vrf.dll will be loaded by PROGRAM.EXE +each time it is ran. -- cgit v1.2.3
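Review bot: the "Installing" section of the new README creates a reboot-persistent, system-wide hook but gives no way to undo it and leaves its key values unexplained; add a matching "Removing" section (delete the PROGRAM.EXE key under Image File Execution Options, then the copy of vrf.dll placed in System32) and, since the README itself cites the sdbbot abuse, one sentence stating that an unexpected VerifierDlls value under Image File Execution Options is exactly the artifact defenders monitor for. The registry path `HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE` mixes a PowerShell drive prefix with a path that lacks the separator after the colon; write it as `HKLM:\SOFTWARE\...` for PowerShell or as `HKEY_LOCAL_MACHINE\SOFTWARE\...` for reg.exe/regedit and say which tool is intended. `GlobalFlags REG_DWORD 256` should note that 256 is 0x100, the FLG_APPLICATION_VERIFIER bit, otherwise the number is a magic constant. The "Compiling" section refers to `make.bat`, but this commit adds only README.md (1 file changed), so either include the script or say it is still to come. Spelling: "Applicaion Verifiers" should be "Application Verifiers", and "each time it is ran" should be "each time it is run".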