Skip to content

Instantly share code, notes, and snippets.

@w4kfu

w4kfu/dllinjshim.cpp

Last active June 17, 2024 02:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save w4kfu/95a87764db7029e03f09d78f7273c4f4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save w4kfu/95a87764db7029e03f09d78f7273c4f4 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. w4kfu revised this gist Oct 29, 2018. 1 changed file with 21 additions and 0 deletions.
    21 changes: 21 additions & 0 deletions dllinjshim.cpp
    View file
    Original file line number Diff line number Diff line change
    @@ -6,6 +6,27 @@
    > dllinjshim.exe
    > sdbinst moo.sdb
    /!\ On Windows 10 there is a new function `SdbIsKnownShimDll` called
    in `SdbGetDllPath` which will check the DLL name against the following list:
    - "AcGenral.dll"
    - "AcLayers.dll"
    - "AcRes.dll"
    - "AcSpecfc.dll"
    - "AcWinRT.dll"
    - "acwow64.dll"
    - "AcXtrnal.dll"
    - "KeyboardFilterShim.dll"
    - "MasterShim.dll"
    - "depdetct"
    - "uacdetct"
    - "luadgmgt.dll"
    - "luapriv.dll"
    - "EMET.dll"
    - "EMET64.dll"
    - "LogExts.dll"
    - "LogShim.dll"
    ------------------------------------
    */
  2. w4kfu created this gist Oct 14, 2016.
    186 changes: 186 additions & 0 deletions dllinjshim.cpp
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,186 @@
    /*
    -------- dllinjshim.cpp --------
    > cl /Fe:dllinjshim.exe dllinjshim.cpp
    > dllinjshim.exe
    > sdbinst moo.sdb
    ------------------------------------
    */

    #include <windows.h>
    #include <stdio.h>

    #define INJECTED_DLL_NAME L"moo.dll"

    #define EXECUTABLE_NAME L"calc.exe"
    #define OS_PLATFORM 4 /* 0x1 : 32-bit ; 0x04 : 64-bit */


    #define TAGID_NULL 0

    #define TAG_TYPE_LIST 0x7000
    #define TAG_DATABASE (0x1 | TAG_TYPE_LIST)
    #define TAG_LIBRARY (0x2 | TAG_TYPE_LIST)
    #define TAG_INEXCLUDE (0x3 | TAG_TYPE_LIST)
    #define TAG_SHIM (0x4 | TAG_TYPE_LIST)
    #define TAG_EXE (0x7 | TAG_TYPE_LIST)
    #define TAG_MATCHING_FILE (0x8 | TAG_TYPE_LIST)
    #define TAG_SHIM_REF (0x9 | TAG_TYPE_LIST)

    #define TAG_TYPE_DWORD 0x4000
    #define TAG_OS_PLATFORM (0x23| TAG_TYPE_DWORD)

    #define TAG_TYPE_STRINGREF 0x6000
    #define TAG_NAME (0x1 | TAG_TYPE_STRINGREF)
    #define TAG_MODULE (0x3 | TAG_TYPE_STRINGREF)
    #define TAG_APP_NAME (0x6 | TAG_TYPE_STRINGREF)
    #define TAG_DLLFILE (0xA | TAG_TYPE_STRINGREF)

    #define TAG_TYPE_BINARY 0x9000
    #define TAG_EXE_ID (0x4 | TAG_TYPE_BINARY)
    #define TAG_DATABASE_ID (0x7 | TAG_TYPE_BINARY)

    #define TAG_TYPE_NULL 0x1000
    #define TAG_INCLUDE (0x1 | TAG_TYPE_NULL)

    typedef enum _PATH_TYPE {
    DOS_PATH,
    NT_PATH
    } PATH_TYPE;

    typedef HANDLE PDB;
    typedef DWORD TAG;
    typedef DWORD INDEXID;
    typedef DWORD TAGID;

    typedef struct tagATTRINFO {
    TAG tAttrID;
    DWORD dwFlags;
    union {
    ULONGLONG ullAttr;
    DWORD dwAttr;
    TCHAR *lpAttr;
    };
    } ATTRINFO, *PATTRINFO;

    typedef PDB (WINAPI *SdbCreateDatabasePtr)(LPCWSTR, PATH_TYPE);
    typedef VOID (WINAPI *SdbCloseDatabaseWritePtr)(PDB);
    typedef TAGID (WINAPI *SdbBeginWriteListTagPtr)(PDB, TAG);
    typedef BOOL (WINAPI *SdbEndWriteListTagPtr)(PDB, TAGID);
    typedef BOOL (WINAPI *SdbWriteStringTagPtr)(PDB, TAG, LPCWSTR);
    typedef BOOL (WINAPI *SdbWriteDWORDTagPtr)(PDB, TAG, DWORD);
    typedef BOOL (WINAPI *SdbWriteBinaryTagPtr)(PDB, TAG, PBYTE, DWORD);
    typedef BOOL (WINAPI *SdbWriteNULLTagPtr)(PDB, TAG);

    typedef struct _APPHELP_API {
    SdbCreateDatabasePtr SdbCreateDatabase;
    SdbCloseDatabaseWritePtr SdbCloseDatabaseWrite;
    SdbBeginWriteListTagPtr SdbBeginWriteListTag;
    SdbEndWriteListTagPtr SdbEndWriteListTag;
    SdbWriteStringTagPtr SdbWriteStringTag;
    SdbWriteDWORDTagPtr SdbWriteDWORDTag;
    SdbWriteBinaryTagPtr SdbWriteBinaryTag;
    SdbWriteNULLTagPtr SdbWriteNULLTag;
    } APPHELP_API, *PAPPHELP_API;

    BOOL static LoadAppHelpFunctions(HMODULE hAppHelp, PAPPHELP_API pAppHelp) {
    if (!(pAppHelp->SdbBeginWriteListTag = (SdbBeginWriteListTagPtr)GetProcAddress(hAppHelp, "SdbBeginWriteListTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbBeginWriteListTag\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbCloseDatabaseWrite = (SdbCloseDatabaseWritePtr)GetProcAddress(hAppHelp, "SdbCloseDatabaseWrite"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbCloseDatabaseWrite\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbCreateDatabase = (SdbCreateDatabasePtr)GetProcAddress(hAppHelp, "SdbCreateDatabase"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbCreateDatabase\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbEndWriteListTag = (SdbEndWriteListTagPtr)GetProcAddress(hAppHelp, "SdbEndWriteListTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbEndWriteListTag\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbWriteBinaryTag = (SdbWriteBinaryTagPtr)GetProcAddress(hAppHelp, "SdbWriteBinaryTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteBinaryTag\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbWriteDWORDTag = (SdbWriteDWORDTagPtr)GetProcAddress(hAppHelp, "SdbWriteDWORDTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteDWORDTag\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbWriteStringTag = (SdbWriteStringTagPtr)GetProcAddress(hAppHelp, "SdbWriteStringTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteStringTag\")\n");
    return FALSE;
    }
    if (!(pAppHelp->SdbWriteNULLTag = (SdbWriteNULLTagPtr)GetProcAddress(hAppHelp, "SdbWriteNULLTag"))) {
    fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteNULLTag\")\n");
    return FALSE;
    }
    return TRUE;
    }

    BOOL static DoStuff(PAPPHELP_API pAppHelp)
    {
    PDB db = NULL;
    TAGID tIdDatabase;
    TAGID tIdLibrary;
    TAGID tIdShim;
    TAGID tIdInexclude;
    TAGID tIdExe;
    TAGID tIdMatchingFile;
    TAGID tIdShimRef;

    db = pAppHelp->SdbCreateDatabase(L"moo.sdb", DOS_PATH);
    if (db == NULL) {
    fprintf(stderr, "[-] SdbCreateDatabase failed : %lu\n", GetLastError());
    return FALSE;
    }
    tIdDatabase = pAppHelp->SdbBeginWriteListTag(db, TAG_DATABASE);
    pAppHelp->SdbWriteDWORDTag(db, TAG_OS_PLATFORM, OS_PLATFORM);
    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Database");
    pAppHelp->SdbWriteBinaryTag(db, TAG_DATABASE_ID, "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42", 0x10);
    tIdLibrary = pAppHelp->SdbBeginWriteListTag(db, TAG_LIBRARY);
    tIdShim = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM);
    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Shim");
    pAppHelp->SdbWriteStringTag(db, TAG_DLLFILE, INJECTED_DLL_NAME);
    tIdInexclude = pAppHelp->SdbBeginWriteListTag(db, TAG_INEXCLUDE);
    pAppHelp->SdbWriteNULLTag(db, TAG_INCLUDE);
    pAppHelp->SdbWriteStringTag(db, TAG_MODULE, L"*");
    pAppHelp->SdbEndWriteListTag(db, tIdInexclude);
    pAppHelp->SdbEndWriteListTag(db, tIdShim);
    pAppHelp->SdbEndWriteListTag(db, tIdLibrary);
    tIdExe = pAppHelp->SdbBeginWriteListTag(db, TAG_EXE);
    pAppHelp->SdbWriteStringTag(db, TAG_NAME, EXECUTABLE_NAME);
    pAppHelp->SdbWriteStringTag(db, TAG_APP_NAME, L"moo_Apps");
    pAppHelp->SdbWriteBinaryTag(db, TAG_EXE_ID, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", 0x10);
    tIdMatchingFile = pAppHelp->SdbBeginWriteListTag(db, TAG_MATCHING_FILE);
    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"*");
    pAppHelp->SdbEndWriteListTag(db, tIdMatchingFile);
    tIdShimRef = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM_REF);
    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Shim");
    pAppHelp->SdbEndWriteListTag(db, tIdShimRef);
    pAppHelp->SdbEndWriteListTag(db, tIdExe);
    pAppHelp->SdbEndWriteListTag(db, tIdDatabase);
    pAppHelp->SdbCloseDatabaseWrite(db);
    return TRUE;
    }

    int main(int argc, char *argv[]) {
    APPHELP_API api = {0};
    HMODULE hAppHelp = NULL;

    hAppHelp = LoadLibraryA("apphelp.dll");
    if (hAppHelp == NULL) {
    fprintf(stderr, "[-] LoadLibrary failed %lu\n", GetLastError());
    return 1;
    }
    if (LoadAppHelpFunctions(hAppHelp, &api) == FALSE) {
    printf("[-] Failed to load apphelp api %lu!\n", GetLastError());
    return 1;
    }
    DoStuff(&api);
    return 0;
    }
    33 changes: 33 additions & 0 deletions moo.cpp
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,33 @@
    /*
    -------- moo.cpp --------
    > cl /LD /Fe:moo.dll moo.cpp
    > copy moo.dll "C:\Windows\AppPatch\AppPatch64\moo.dll"
    -------------------------
    */

    #define EXPORT_FUNC extern "C" __declspec(dllexport)

    EXPORT_FUNC int GetHookAPIs(PVOID a, PVOID b, PVOID c)
    {
    return 0x01;
    }

    EXPORT_FUNC int NotifyShims(PVOID a, PVOID b)
    {
    return 0x01;
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
    UNREFERENCED_PARAMETER(hinstDLL);
    UNREFERENCED_PARAMETER(lpReserved);

    if (fdwReason == DLL_PROCESS_ATTACH) {
    return TRUE;
    }
    return TRUE;
    }