/* VerifierDll example:
 * https://docs.microsoft.com/en-us/archive/blogs/reiley/a-debugging-approach-to-application-verifier
 *
 * Hooking example:
 * https://github.com/ionescu007/HookingNirvana/blob/master/verif.dll/verif.c
 *
 *
 * To use:
 * New subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whatever.exe
 *             GlobalFlag    REG_DWORD    256 (0x00000100, i.e. FLG_APPLICATION_VERIFIER)
 *             VerifierDlls  REG_SZ       whatever.dll
 *
 * "whatever.dll" must be placed into the System32 folder.
 * Running "whatever.exe" will now load this DLL every time it starts.
 *
 * Note: creating the HKLM key and writing to System32 both require
 * administrative rights. Once in place the DLL is loaded into every
 * instance of the target executable, so this is also a well-known
 * persistence / injection technique; the IFEO "VerifierDlls" value is
 * worth monitoring on defended hosts.
 *
 * This works on XP -> 10
 */

#include <Windows.h>
#include "verifier.h"


/* Signature of the real kernel32!CloseHandle; used to call through the
   address saved in aThunks[0].ThunkOldAddress (see CloseHandleHook). */
typedef BOOL	(WINAPI* PCLOSE_HANDLE)(HANDLE);
/* Our replacement for CloseHandle, registered via aThunks below. */
BOOL			WINAPI CloseHandleHook(HANDLE hObject);


/* Thunks https://en.wikipedia.org/wiki/Thunk */


/* Hook functions here. */
static RTL_VERIFIER_THUNK_DESCRIPTOR aThunks[] = {
	/* { export name, old address, hook }. The old address starts out NULL
	   and nothing in this file writes it, so it is presumably filled in
	   by the verifier engine before the hook is called — confirm. */
	{ "CloseHandle", NULL, (PVOID)(ULONG_PTR)CloseHandleHook},
	{NULL, NULL, NULL}		/* terminator */
};

static RTL_VERIFIER_DLL_DESCRIPTOR atDLLs[] = {
	/* Module whose exports the thunk table above applies to. */
	{ L"kernel32.dll", 0, NULL, aThunks},		// CloseHandle()
	{NULL, 0, NULL, NULL}		/* terminator */
};

/* Provider descriptor handed back to the verifier engine by ProcessVerifier(). */
static RTL_VERIFIER_PROVIDER_DESCRIPTOR tVpd = { sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), atDLLs };


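/* CloseHandle() hook. This creates a file for demonstration
   purposes.

   hObject: the handle the hooked caller is closing; forwarded unchanged
            to the real CloseHandle.
   Returns the real CloseHandle's result. The caller's last-error value
   is preserved across the demo work so the hook stays transparent. */
BOOL WINAPI CloseHandleHook(HANDLE hObject)
{
	PCLOSE_HANDLE pfnOriginal = (PCLOSE_HANDLE)(ULONG_PTR)(aThunks[0].ThunkOldAddress);
	BOOL fRetVal;
	DWORD dwLastError;
	HANDLE h;

	fRetVal = pfnOriginal(hObject);
	/* CreateFile below overwrites the thread's last-error value; save it
	   so a caller checking GetLastError() after CloseHandle still sees
	   the result of its own call. */
	dwLastError = GetLastError();

	/* CREATE_NEW fails once the file exists (and when the directory is
	   missing), so h is INVALID_HANDLE_VALUE on every call but the first.
	   Closing that value is itself a handle-misuse error. */
	h = CreateFile("C:\\users\\dmfr\\foo\\hooked.txt", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
	if (h != INVALID_HANDLE_VALUE) {
		/* Close through the saved original rather than the public
		   CloseHandle import: if the verifier engine also patches this
		   module's imports, the public entry would re-enter this hook. */
		pfnOriginal(h);
	}

	SetLastError(dwLastError);
	return fRetVal;
}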

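/* This will run calc.exe when this verifierdll is loaded for
   demonstration purposes.

   Runs on a worker thread started from ProcessVerifier(). Takes no
   arguments and returns nothing; a failed CreateProcess is simply
   ignored, since the launch is only a demo side effect. */
void ModuleLoaded(void)
{
	STARTUPINFO info = { sizeof(info) };
	PROCESS_INFORMATION processInfo = { 0 };
	/* lpCommandLine is a non-const LPSTR (the W variant may write to it),
	   so hand it a writable buffer rather than a string literal. */
	char szCmdLine[] = "";

	/* bInheritHandles is FALSE: the child has no use for our handles, and
	   inheriting would hand every inheritable handle in this process
	   (files, pipes, tokens) to calc.exe. */
	if (CreateProcess("c:\\windows\\system32\\calc.exe", szCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo)) {
		/* CreateProcess returns two handles we own; without closing them
		   they leak for the life of this process. */
		CloseHandle(processInfo.hThread);
		CloseHandle(processInfo.hProcess);
	}
}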

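/* Thread entry with the signature CreateThread actually expects.
   ModuleLoaded() is void(void); calling it through an
   LPTHREAD_START_ROUTINE cast mismatches both the return type and, on
   x86, the calling convention. */
static DWORD WINAPI ModuleLoadedThread(LPVOID lpParameter)
{
	UNREFERENCED_PARAMETER(lpParameter);
	ModuleLoaded();
	return 0;
}

/* Registers this DLL's hook tables with the verifier engine and kicks
   off the demo payload.

   lpReserved: the DLL_PROCESS_VERIFIER argument from DllMain, treated as
               a PRTL_VERIFIER_PROVIDER_DESCRIPTOR* to be filled in.
   Returns TRUE once tVpd has been handed back, FALSE if lpReserved is
   NULL (there is nowhere to register the descriptor). */
BOOL ProcessVerifier(IN PVOID lpReserved)
{
	HANDLE hThread;

	if (lpReserved == NULL) {
		return FALSE;
	}
	*((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpReserved) = &tVpd;

	/* Run the demo off the loader thread. We never wait on or signal the
	   thread, so release its handle immediately rather than leak it. */
	hThread = CreateThread(NULL, 0, ModuleLoadedThread, NULL, 0, NULL);
	if (hThread != NULL) {
		CloseHandle(hThread);
	}

	return TRUE;
}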


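/* DllMain() - Entry point.

   Handles only DLL_PROCESS_VERIFIER, where the verifier engine expects
   the provider descriptor to be returned through lpReserved (see
   ProcessVerifier()). Every other reason, including any reason code this
   file does not list, is ignored. Returns TRUE except where
   ProcessVerifier() reports failure. */
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved)
{
	HANDLE h;
	UNREFERENCED_PARAMETER(hModule);

	switch (fdwReason) {
		case DLL_PROCESS_VERIFIER:
			/* Create a file to demonstrate that the DLL has loaded.
			   CREATE_NEW fails once the file exists (or if the directory
			   is missing), so only close a handle we actually received:
			   CloseHandle(INVALID_HANDLE_VALUE) is a handle-misuse error
			   in its own right. */
			h = CreateFile("C:\\users\\dmfr\\foo\\opened.txt", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
			if (h != INVALID_HANDLE_VALUE) {
				CloseHandle(h);
			}
			return ProcessVerifier(lpReserved);

		case DLL_PROCESS_ATTACH:
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		default:
			break;
	}

	return TRUE;
}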