T1103 AppInit DLLs Persistence - CraigDonkin/Infrastructure GitHub Wiki

T1103 : AppInit DLLs Persistence

  • The AppInit_DLLs registry value lists DLLs that user32.dll loads into every process that itself loads user32.dll (in practice, nearly every GUI process)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • The registry value is named AppInit_DLLs
    • Type REG_SZ
    • Contains the path to the DLL
  • Disabled on Windows 8 and later when Secure Boot is enabled
  • Requires Administrator privileges (the keys are under HKLM)
  • LoadAppInit_DLLs must be set to 1
  • RequireSignedAppInit_DLLs must be set to 0

// dllmain.cpp : Defines the entry point for the DLL application.
#include <windows.h>   // replaces the Visual Studio "stdafx.h" precompiled header used in the original

// Signature of MessageBoxW, so the export can be resolved at runtime with GetProcAddress.
typedef int (WINAPI *pfMessageBox)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD   ul_reason_for_call,
                      LPVOID  lpReserved)
{
    HMODULE      hUser32     = NULL;
    pfMessageBox pMessageBox = NULL;

    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // user32.dll is already mapped in any process that reaches this point
        // (it is user32 that loads AppInit DLLs), so this only adds a reference.
        hUser32 = LoadLibraryW(L"user32.dll");
        if (hUser32 != NULL)
            pMessageBox = (pfMessageBox)GetProcAddress(hUser32, "MessageBoxW");
        // The late-bound call below is equivalent to the direct import that follows;
        // the original left it commented out and used the import.
        //pMessageBox(NULL, L"Hello world from DLL!", L"Hello world", MB_OK);
        MessageBoxW(NULL, L"Hello world from DLL!", L"Hello world", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


Example code from https://b3n7s.github.io/2018/10/27/AppInit-DLLs.html
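The bullets above give the three registry values that together decide whether AppInit DLLs are loaded. The script below is an added audit example (not from this wiki or the linked post) that reads those values from both the native and the Wow6432Node key, splits AppInit_DLLs into its individual entries, and reports each DLL's Authenticode status and SHA-256 so a defender can see at a glance whether the persistence preconditions on this page are met on a host. Key paths come from the page; the use of Get-AuthenticodeSignature and Get-FileHash is standard PowerShell, and the fallback to System32 for bare file names is an assumption about where the loader would find them first.

```powershell
# Added example: read-only audit of the AppInit_DLLs configuration on a Windows host.
# Run from an elevated PowerShell so both keys are readable on 64-bit Windows.

# The two keys listed on this page (native and 32-bit view).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitState {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key           = $Key
        LoadAppInit   = $p.LoadAppInit_DLLs           # 1 = loader honours AppInit_DLLs
        RequireSigned = $p.RequireSignedAppInit_DLLs  # 0 = unsigned DLLs are accepted
        AppInitDlls   = $p.AppInit_DLLs               # REG_SZ, may list several DLLs
    }
}

foreach ($key in $AppInitKeys) {
    $state = Get-AppInitState -Key $key
    if ($null -eq $state) { continue }

    Write-Host "== $($state.Key)"
    Write-Host ("LoadAppInit_DLLs={0} RequireSignedAppInit_DLLs={1}" -f $state.LoadAppInit, $state.RequireSigned)

    if ([string]::IsNullOrWhiteSpace($state.AppInitDlls)) {
        Write-Host 'AppInit_DLLs is empty (expected on a clean host)'
        continue
    }

    # The value may hold several entries separated by spaces or commas.
    $dlls = $state.AppInitDlls -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $dlls) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [IO.Path]::IsPathRooted($path)) {
            # Assumption: a bare file name is resolved through the normal DLL search
            # order; System32 is checked here as the most likely location.
            $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$path"
        }
        if (Test-Path -Path $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Write-Warning ("AppInit DLL present: {0}  signature={1}  sha256={2}" -f $path, $sig.Status, $hash)
        } else {
            Write-Warning "AppInit DLL referenced but not found on disk: $entry"
        }
    }

    # Flag the exact combination the page lists as required for the technique to work.
    if ($state.LoadAppInit -eq 1 -and $state.RequireSigned -ne 1) {
        Write-Warning 'Loading enabled and signed DLLs not required: AppInit persistence preconditions are met'
    }
}
```

On a 64-bit host the native key governs 64-bit processes and the Wow6432Node key governs 32-bit ones, so both must be checked. For ongoing monitoring rather than a one-off audit, Sysmon Event ID 13 (registry value set) filtered to the two key paths above, or an equivalent registry-write rule in the EDR in use, catches changes to AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs as they happen.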
