# VerifierDLLs
This is an example Windows Application Verifier DLL. The Application
Verifier feature lets developers have an arbitrary DLL loaded into any
application when it starts, for testing and debugging purposes. It can
be abused as a persistence mechanism, or to hook functions in a manner
similar to LD_PRELOAD on *nix systems.
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/ms220948(v=vs.90)?redirectedfrom=MSDN
Verifier DLLs will be loaded with the fdwReason parameter of DllMain()
set to DLL_PROCESS_VERIFIER rather than DLL_PROCESS_ATTACH like a
traditional DLL.
Application Verifiers have been abused as a persistence mechanism by the
SDBbot malware:
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
```
If the bot is running with admin privileges on a Windows version
newer than Windows 7, persistence is established using the registry
“image file execution options” method. The loader DLL component is
written to “%SYSTEM%\mswinload0[.]dll” and added to the “VerifierDlls”
value for “winlogon[.]exe”.
```
## Compiling
`make.bat` will build this within a Developer Command Prompt.
Architecture matters: the DLL must match the bitness of the target
process, so use the matching Developer Command Prompt shell and compiler
to build this.
## Installing
1. Copy the DLL to the System32 folder.
2. Add the registry key
   `HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROGRAM.EXE`
   with the following values:
   * GlobalFlags REG_DWORD 256
   * VerifierDlls REG_SZ vrf.dll

With this example configuration, vrf.dll will be loaded by PROGRAM.EXE
each time it is run.
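The same two registry values are what a defender audits for. The PowerShell script below is an added example, not part of this project: it walks both IFEO views, reports every program that names a VerifierDlls value, whether GlobalFlags actually has the Application Verifier bit (0x100, FLG_APPLICATION_VERIFIER) set, and the signature status of each listed DLL. It assumes verifier DLLs are resolved from System32 (SysWOW64 for the WOW6432Node view), as in the installation steps above.

```powershell
# Added audit script (not the VerifierDLLs project's own code).
# Lists IFEO entries that load verifier DLLs so unexpected ones stand out.
function Get-VerifierDllEntries {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    # GlobalFlags bit that turns on Application Verifier (256 in the README)
    $FLG_APPLICATION_VERIFIER = 0x100

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Assumption: native view loads from System32, WOW64 view from SysWOW64
        $dllDir = if ($root -like '*WOW6432Node*') { "$env:SystemRoot\SysWOW64" }
                  else { "$env:SystemRoot\System32" }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            # Only keys that name verifier DLLs are of interest here
            if (-not $props.VerifierDlls) { continue }

            $flags   = [int]$props.GlobalFlags          # missing value -> 0
            $enabled = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0

            # VerifierDlls is a whitespace-separated list of DLL file names
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                $path = Join-Path $dllDir $dll
                $sig  = if (Test-Path -LiteralPath $path) {
                            (Get-AuthenticodeSignature -FilePath $path).Status
                        } else { 'Missing' }
                [pscustomobject]@{
                    Program         = $key.PSChildName   # e.g. PROGRAM.EXE
                    VerifierEnabled = $enabled           # GlobalFlags has 0x100
                    Dll             = $dll
                    DllPath         = $path
                    Signature       = $sig               # Valid / NotSigned / Missing ...
                }
            }
        }
    }
}

# Run from an elevated prompt; an entry pointing at an unsigned or unknown
# DLL with VerifierEnabled = True is the configuration this README installs.
Get-VerifierDllEntries | Format-Table -AutoSize
```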