/*******************************************************************
I recently re-read a paper from Adam Chester titled:
"Protecting Your Malware with blockdlls and ACG"
link: https://blog.xpnsec.com/protecting-your-malware/
It was neat, I was curious how the APIs in this code
worked, so I decided to reverse them. The tl;dr is
that the functions used to block non-MS-signed DLLs
are very, very easy to implement without using or
importing the functions:
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
I was able to recreate these functions in just
a few lines of C code and some IDA F5s.
Thanks to DTM, Jonas Lyk, and coldzer0 for helping me
trim the fat off these APIs. Under the hood these
functions do lots of unnecessary things (for our purpose)
and they helped speed up the process.
Anyway, nothing revolutionary, but it's neat. :)
-smelly
*********************************************************************/
#include <Windows.h>
/*
 * One entry of the attribute list. Three 8-byte fields, i.e. 24 bytes on a
 * 64-bit build, which is the per-entry size that
 * RtlInitializeProcThreadAttributeList's size computation assumes.
 * NOTE(review): this reproduces an undocumented ntdll layout recovered by
 * the author; it may differ between Windows builds and is 64-bit specific.
 */
typedef struct _PROC_THREAD_ATTRIBUTE {
    ULONG64 Attribute;   /* the PROC_THREAD_ATTRIBUTE_* value exactly as the caller passed it */
    ULONG64 Size;        /* size in bytes of the buffer Value refers to */
    ULONG64 Value;       /* the caller's policy pointer, stored as an integer (not a copy of the data) */
}PROC_THREAD_ATTRIBUTE, *PPROC_THREAD_ATTRIBUTE;
/*
 * Header of the attribute list. The buffer allocated for it is sized by
 * RtlInitializeProcThreadAttributeList to hold AttributeCount entries after
 * this header; Attributes[1] is only a placeholder for that trailing array.
 * NOTE(review): field order and widths reproduce an undocumented ntdll
 * layout for 64-bit Windows (header is 24 bytes there); confirm against
 * the target build before relying on it.
 */
typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
    ULONG PresentFlags;          /* bit (Attribute & 0xFFFF) is set for every attribute added */
    ULONG AttributeCount;        /* capacity requested at initialization */
    ULONG LastAttribute;         /* zeroed at init, incremented by every RtlUpdateProcThreadAttribute call */
    ULONG SpareUlong0;           /* not accessed anywhere in this file */
    struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute; /* zeroed at init and otherwise unused in this file */
    struct _PROC_THREAD_ATTRIBUTE Attributes[1];            /* first entry of the variable-length tail */
}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
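/*
 * Minimal re-implementation of InitializeProcThreadAttributeList.
 *
 * lpAttributeList   buffer to initialize, or NULL to query the required size.
 * dwAttributeCount  number of attributes the list must hold (at most 0x1B,
 *                   the limit the original accepts; presumably mirrors the
 *                   OS limit — not verified here).
 * dwFlags           must be 0; any other value is rejected.
 * lpSize            in: size of lpAttributeList in bytes; out: required size.
 *
 * Returns TRUE when the list header was initialized. Returns FALSE and sets
 * the last error to ERROR_INVALID_PARAMETER (NULL lpSize, non-zero flags,
 * count too large) or ERROR_INSUFFICIENT_BUFFER (NULL list or buffer too
 * small). In the insufficient-buffer case *lpSize still receives the
 * required size, so passing a NULL list is the way to ask for it.
 *
 * The required size is derived from the struct definitions instead of the
 * original hard-coded 24 * (count + 1); on a 64-bit build both give the
 * same value (24-byte header, 24-byte entries), but the sizeof form cannot
 * drift from the layout if a field is ever changed.
 */
BOOL RtlInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwAttributeCount, DWORD dwFlags, PSIZE_T lpSize)
{
    BOOL initialized = FALSE;
    SIZE_T required;

    /* lpSize is written unconditionally below, so it must be valid. */
    if (lpSize == NULL || dwFlags != 0 || dwAttributeCount > 0x1B)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    /* Header up to the trailing array, plus one entry per attribute. */
    required = FIELD_OFFSET(PROC_THREAD_ATTRIBUTE_LIST, Attributes)
             + (SIZE_T)dwAttributeCount * sizeof(PROC_THREAD_ATTRIBUTE);

    if (lpAttributeList != NULL && *lpSize >= required)
    {
        lpAttributeList->PresentFlags = 0;
        lpAttributeList->ExtendedFlagsAttribute = NULL;
        lpAttributeList->AttributeCount = dwAttributeCount;
        lpAttributeList->LastAttribute = 0;
        initialized = TRUE;
    }
    else
    {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
    }

    /* Always report the required size, including on the query path. */
    *lpSize = required;
    return initialized;
}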
/*
 * Returns the buffer size, in bytes, needed for a list holding exactly one
 * attribute.
 *
 * Relies on the size-query convention of RtlInitializeProcThreadAttributeList:
 * with a NULL list the call fails with ERROR_INSUFFICIENT_BUFFER but still
 * stores the required size in the output parameter, so its BOOL result is
 * deliberately discarded here.
 */
SIZE_T RtlGetProcThreadAttributeListSize(VOID)
{
    SIZE_T required = 0;
    (VOID)RtlInitializeProcThreadAttributeList(NULL, 1, 0, &required);
    return required;
}
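/*
 * Minimal re-implementation of UpdateProcThreadAttribute: appends one
 * attribute to a list prepared by RtlInitializeProcThreadAttributeList.
 *
 * AttributeList  initialized list to append to.
 * Attribute      PROC_THREAD_ATTRIBUTE_* value; its low 16 bits are the
 *                attribute number, used as the bit index into PresentFlags.
 * Policy         pointer to the attribute's value buffer. The list stores
 *                the pointer, not a copy, so the buffer must outlive the
 *                list (in this file it lives in main's frame).
 * Size           size in bytes of the buffer at Policy.
 *
 * Returns TRUE on success. Returns FALSE with the last error set to
 * ERROR_INVALID_PARAMETER when AttributeList is NULL, the list is full
 * (LastAttribute == AttributeCount) or the attribute number does not fit
 * the 32-bit PresentFlags mask, and to ERROR_OBJECT_NAME_EXISTS when the
 * same attribute was already added.
 *
 * Differences from the original: the entry is written at
 * Attributes[LastAttribute] rather than always at Attributes[0] (the
 * original overwrote earlier entries while still incrementing the count),
 * writes are bounded by AttributeCount, and the presence-bit shift can no
 * longer exceed the width of PresentFlags, which is undefined behaviour.
 * The return type changed from VOID to BOOL; existing callers that ignore
 * the result are unaffected. ExtendedFlagsAttribute is left untouched, as
 * before.
 */
BOOL RtlUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST AttributeList, DWORD_PTR Attribute, PVOID Policy, SIZE_T Size)
{
    DWORD number = (DWORD)(Attribute & 0x0000FFFF);
    ULONG presentBit;
    PPROC_THREAD_ATTRIBUTE entry;

    /* PresentFlags is a ULONG, so only numbers 0..31 can be recorded. */
    if (AttributeList == NULL || number >= 32)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    /* Never write past the capacity the buffer was sized for. */
    if (AttributeList->LastAttribute >= AttributeList->AttributeCount)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    presentBit = 1UL << number;
    if (AttributeList->PresentFlags & presentBit)
    {
        SetLastError(ERROR_OBJECT_NAME_EXISTS);
        return FALSE;
    }

    /* Attributes[1] is the head of the variable-length tail allocated by the caller. */
    entry = &AttributeList->Attributes[AttributeList->LastAttribute];
    entry->Attribute = Attribute;
    entry->Size = Size;
    entry->Value = (ULONG64)Policy;

    AttributeList->PresentFlags |= presentBit;
    AttributeList->LastAttribute++;
    return TRUE;
}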
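/*
 * Demo: launch calc.exe with the
 * PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
 * mitigation, built with the hand-rolled attribute-list routines above
 * rather than InitializeProcThreadAttributeList/UpdateProcThreadAttribute,
 * then wait for the child to exit.
 *
 * Returns 0 on success, otherwise the Win32 error code of the failing step.
 *
 * Fixes relative to the original: HeapFree was passed HEAP_ZERO_MEMORY,
 * which is not a HeapFree flag; the WaitForSingleObject result was ignored
 * so a failed wait still reported success; the wide string literal no
 * longer needs a cast to be passed as LPCWSTR.
 */
INT main(VOID)
{
    DWORD dwError = ERROR_SUCCESS;
    BOOL bFlag = FALSE;
    PROCESS_INFORMATION Pi;
    STARTUPINFOEXW Si;
    PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
    SIZE_T dwAttributeSize = 0;
    /* The attribute list stores a pointer to Policy, not a copy, so it must
     * stay alive until CreateProcessW returns. */
    DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;

    ZeroMemory(&Pi, sizeof(Pi));
    ZeroMemory(&Si, sizeof(Si));
    Si.StartupInfo.cb = sizeof(Si);   /* EXTENDED_STARTUPINFO_PRESENT needs the STARTUPINFOEX size */

    dwAttributeSize = RtlGetProcThreadAttributeListSize();
    if (dwAttributeSize == 0)
        goto EXIT_ROUTINE;

    ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
    if (ThreadAttributes == NULL)
        goto EXIT_ROUTINE;

    if (!RtlInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
        goto EXIT_ROUTINE;

    RtlUpdateProcThreadAttribute(ThreadAttributes, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &Policy, sizeof(Policy));
    Si.lpAttributeList = ThreadAttributes;

    /* NOTE(review): bInheritHandles is TRUE although nothing here is marked
     * inheritable; FALSE would be the least-privilege choice. Kept as in the
     * original to preserve behaviour. */
    if (!CreateProcessW(L"C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &Si.StartupInfo, &Pi))
        goto EXIT_ROUTINE;

    /* Anything but a signalled handle is a failure (WAIT_FAILED sets last-error). */
    if (WaitForSingleObject(Pi.hProcess, INFINITE) != WAIT_OBJECT_0)
        goto EXIT_ROUTINE;

    bFlag = TRUE;

EXIT_ROUTINE:
    /* Capture the error before the cleanup calls below can overwrite it. */
    if (!bFlag)
        dwError = GetLastError();

    if (ThreadAttributes)
        HeapFree(GetProcessHeap(), 0, ThreadAttributes);
    if (Pi.hProcess)
        CloseHandle(Pi.hProcess);
    if (Pi.hThread)
        CloseHandle(Pi.hThread);

    return (INT)dwError;
}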