# VerifierDLLs

This is an example of a Windows Application Verifier. This Windows feature lets developers import an arbitrary DLL into any application upon execution for testing/debugging purposes. It can be abused as a persistence mechanism, or to hook functions in a manner similar to `LD_PRELOAD` on *nix systems.

https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/ms220948(v=vs.90)?redirectedfrom=MSDN

Verifier DLLs are loaded with the `fdwReason` parameter of `DllMain()` set to `DLL_PROCESS_VERIFIER` rather than `DLL_PROCESS_ATTACH` like a traditional DLL.

Application Verifiers have been abused as a persistence mechanism by sdbbot malware:
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

```
If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. The loader DLL component is written to “%SYSTEM%\mswinload0[.]dll” and added to the “VerifierDlls” value for “winlogon[.]exe”.
```

## Compiling

`make.bat` will build this within a Developer Command Prompt.

Architecture matters. Use the appropriate Developer Command Prompt shell and compiler to build this.

## Installing

1. Copy DLL to System32 folder
2. Add registry key: `HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE`

Values:

* GlobalFlags REG_DWORD 256
* VerifierDlls REG_SZ vrf.dll

With this example configuration, vrf.dll will be loaded by PROGRAM.EXE each time it is run.
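
A defender-side check for the persistence described above, as an added example that is not part of this project's code: it scans the text of a `reg export` of the Image File Execution Options key and reports every image that carries a `VerifierDlls` value. The sample export is constructed and the function name is hypothetical; Windows names the flag value `GlobalFlag` while this README writes `GlobalFlags`, so both are accepted.

```python
import re

FLG_APPLICATION_VERIFIER = 0x100  # 256, the flag value from the Installing section
IFEO_MARKER = "\\image file execution options\\"

# Constructed sample in .reg export format (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"VerifierDlls"="a.dll"
'''

def find_verifier_dlls(reg_text):
    """Return one finding per IFEO image key that has a string VerifierDlls value."""
    findings, key, values = [], None, {}

    def flush():
        # Evaluate the key that just ended; keys without VerifierDlls are ignored.
        flag = values.get("globalflag", values.get("globalflags", 0))
        dlls = values.get("verifierdlls")
        if key and isinstance(dlls, str) and IFEO_MARKER in key.lower():
            findings.append({
                "image": key.rsplit("\\", 1)[1],
                "dlls": dlls,  # raw value as stored in the registry
                "verifier_enabled": isinstance(flag, int)
                                    and bool(flag & FLG_APPLICATION_VERIFIER),
            })

    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            key, values = line[1:-1], {}
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m:  # REG_DWORD is kept as int, REG_SZ as str; other types are skipped
            values[m.group(1).lower()] = int(m.group(2), 16) if m.group(2) else m.group(3)
    flush()
    return findings

if __name__ == "__main__":
    for finding in find_verifier_dlls(SAMPLE_REG):
        print(finding)
```

`reg export` writes UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text in. A finding for a long-running system process such as the `winlogon[.]exe` case quoted above deserves review of the named DLL on disk.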