From 8e362ebc3c07c6786914508a4d37f0dfec5959c7 Mon Sep 17 00:00:00 2001
From: daniel
Date: Wed, 7 May 2025 08:31:50 -0700
Subject: initial commit

---
 verifier.cpp | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 verifier.cpp
(limited to 'verifier.cpp')

diff --git a/verifier.cpp b/verifier.cpp
new file mode 100644
index 0000000..9a2efd4
--- /dev/null
+++ b/verifier.cpp
@@ -0,0 +1,96 @@
+/* VerifierDll example:
+ * https://docs.microsoft.com/en-us/archive/blogs/reiley/a-debugging-approach-to-application-verifier
+ *
+ * Hooking example:
+ * https://github.com/ionescu007/HookingNirvana/blob/master/verif.dll/verif.c
+ *
+ *
+ * To use:
+ * New subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whatever.exe
+ * GlobalGlag REG_DWORD 256 (0x00000100)
+ * VerifierDlls REG_SZ whatever.dll
+ *
+ * "whatever.dll" must be placed into System32 folder
+ * running "whatever.exe" will now import this DLL whenever it is run.
+ *
+ * This works on XP -> 10
+ */
+
+#include 
+#include "verifier.h"
+
+
+typedef BOOL (WINAPI* PCLOSE_HANDLE)(HANDLE);
+BOOL WINAPI CloseHandleHook(HANDLE hObject);
+
+
+/* Thunks https://en.wikipedia.org/wiki/Thunk */
+
+
+/* Hook functions here. */
+static RTL_VERIFIER_THUNK_DESCRIPTOR aThunks[] = {
+ { "CloseHandle", NULL, (PVOID)(ULONG_PTR)CloseHandleHook},
+ {NULL, NULL, NULL}
+};
+
+static RTL_VERIFIER_DLL_DESCRIPTOR atDLLs[] = {
+ { L"kernel32.dll", 0, NULL, aThunks}, // CloseHandle()
+ {NULL, 0, NULL, NULL}
+};
+
+static RTL_VERIFIER_PROVIDER_DESCRIPTOR tVpd = { sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), atDLLs };
+
+
+/* CloseHandle() hook. This creates a file for demonstration
+ purposes. */
+BOOL WINAPI CloseHandleHook(HANDLE hObject)
+{
+ HANDLE h;
+ BOOL fRetVal = ((PCLOSE_HANDLE)(ULONG_PTR)(aThunks[0].ThunkOldAddress))(hObject);
+ h = CreateFile("C:\\users\\dmfr\\foo\\hooked.txt", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
+ CloseHandle(h);
+ return fRetVal;
+}
+
+/* This will run calc.exe when this verifierdll is loaded for
+ demonstration purposes. */
+void ModuleLoaded(void)
+{
+ STARTUPINFO info = { sizeof(info) };
+ PROCESS_INFORMATION processInfo;
+
+ CreateProcess("c:\\windows\\system32\\calc.exe", "", NULL, NULL, TRUE, 0, NULL, NULL, &info, &processInfo);
+}
+
+BOOL ProcessVerifier(IN PVOID lpReserved)
+{
+ *((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpReserved) = &tVpd;
+
+ CreateThread(0, 0, (LPTHREAD_START_ROUTINE) ModuleLoaded, 0, 0, 0);
+
+ return TRUE;
+}
+
+
+/* DllMain() - Entry point. */
+BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved)
+{
+ HANDLE h;
+ UNREFERENCED_PARAMETER(hModule);
+
+ switch (fdwReason) {
+ case DLL_PROCESS_VERIFIER:
+ /* Create a file to demonstrate that the DLL has loaded. */
+ h = CreateFile("C:\\users\\dmfr\\foo\\opened.txt", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
+ CloseHandle(h);
+ return ProcessVerifier(lpReserved);
+
+ case DLL_PROCESS_ATTACH:
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+
+ return TRUE;
+}
-- cgit v1.2.3
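Review bot: The result of CreateFile is never checked in CloseHandleHook or in the DLL_PROCESS_VERIFIER case of DllMain, and because both calls use CREATE_NEW they fail with ERROR_FILE_EXISTS on every run after the first, so INVALID_HANDLE_VALUE is then handed to CloseHandle; guard both sites with `if (h != INVALID_HANDLE_VALUE) CloseHandle(h);`. Inside CloseHandleHook that close should also go through the saved original, `((PCLOSE_HANDLE)(ULONG_PTR)aThunks[0].ThunkOldAddress)(h)`, since the verifier may patch this DLL's own kernel32 import as well, in which case the direct call re-enters the hook. ModuleLoaded never closes processInfo.hProcess and processInfo.hThread and passes bInheritHandles = TRUE although the child needs nothing from the parent; `CloseHandle(processInfo.hProcess); CloseHandle(processInfo.hThread);` after a successful CreateProcess fixes the leak, and FALSE for inheritance is the least-privilege choice. The usage comment names the IFEO value `GlobalGlag`; the value Windows actually reads is `GlobalFlag`, so the setup steps as written will not take effect when followed literally.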