From 7d6b7af2b0e34db78bbbbdc072c909436e0f8893 Mon Sep 17 00:00:00 2001
From: vxunderground <57078196+vxunderground@users.noreply.github.com>
Date: Tue, 16 Nov 2021 10:19:04 -0600
Subject: [PATCH] Add files via upload

---
 BlockDlls.b.cpp | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 BlockDlls.b.cpp

diff --git a/BlockDlls.b.cpp b/BlockDlls.b.cpp
new file mode 100644
index 0000000..f0d51fd
--- /dev/null
+++ b/BlockDlls.b.cpp
@@ -0,0 +1,149 @@
+/*******************************************************************
+
+ I recently re-read a paper from Adam Chester titled:
+ "Protecting Your Malware with blockdlls and ACG"
+ link: https://blog.xpnsec.com/protecting-your-malware/
+
+ It was neat, I was curious how the APIs in this code
+ worked, so I decided to reverse them. The tl;dr is
+ that the functions used to block non-MS sign DLLs
+ is very-very easy to implement without using or
+ importing the functions:
+
+ InitializeProcThreadAttributeList
+ UpdateProcThreadAttribute
+
+ I was able to recreate these functions in just
+ a few lines of C code and some IDA F5s.
+
+ Thanks to DTM, Jonas Lyk, and coldzer0 to helping me
+ trim the fat off these APIs. Under the hood these
+ functions do lots of unnecessary things (for our purpose)
+ and they helped speed up the process.
+
+ Anyway, nothing revolutionary, but its neat. :)
+
+ -smelly
+
+*********************************************************************/
+
+
+#include
+
+typedef struct _PROC_THREAD_ATTRIBUTE {
+ ULONG64 Attribute;
+ ULONG64 Size;
+ ULONG64 Value;
+}PROC_THREAD_ATTRIBUTE, *PPROC_THREAD_ATTRIBUTE;
+
+typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
+ ULONG PresentFlags;
+ ULONG AttributeCount;
+ ULONG LastAttribute;
+ ULONG SpareUlong0;
+ struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute;
+ struct _PROC_THREAD_ATTRIBUTE Attributes[1];
+}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
+
+BOOL RtlInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwAttributeCount, DWORD dwFlags, PSIZE_T lpSize)
+{
+ BOOL bFlag = FALSE;
+ DWORD dwSize = ERROR_SUCCESS;
+
+ if (dwFlags || (dwAttributeCount > 0x1B))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ return bFlag;
+ }
+
+ dwSize = (24 * (dwAttributeCount + 1));
+
+ if (lpAttributeList && *lpSize >= dwSize)
+ {
+ lpAttributeList->PresentFlags = 0;
+ lpAttributeList->ExtendedFlagsAttribute = 0;
+ lpAttributeList->AttributeCount = dwAttributeCount;
+ lpAttributeList->LastAttribute = 0;
+ bFlag = TRUE;
+ }
+ else
+ SetLastError(ERROR_INSUFFICIENT_BUFFER);
+
+ *lpSize = dwSize;
+ return bFlag;
+}
+
+SIZE_T RtlGetProcThreadAttributeListSize(VOID)
+{
+ SIZE_T dwSize = 0;
+
+ RtlInitializeProcThreadAttributeList(NULL, 1, 0, &dwSize);
+
+ return dwSize;
+}
+
+VOID RtlUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST AttributeList, DWORD_PTR Attribute, PVOID Policy, SIZE_T Size)
+{
+ PPROC_THREAD_ATTRIBUTE ExtendedAttributes;
+
+ AttributeList->PresentFlags |= (1 << (Attribute & 0x0000FFFF));
+
+ ExtendedAttributes = AttributeList->Attributes;
+ ExtendedAttributes->Attribute = Attribute;
+ ExtendedAttributes->Size = Size;
+ ExtendedAttributes->Value = (ULONG64)Policy;
+ AttributeList->LastAttribute++;
+
+ return;
+}
+
+INT main(VOID)
+{
+ DWORD dwError = ERROR_SUCCESS;
+ BOOL bFlag = FALSE;
+
+ PROCESS_INFORMATION Pi; ZeroMemory(&Pi, sizeof(PROCESS_INFORMATION));
+ STARTUPINFOEXW Si; ZeroMemory(&Si, sizeof(STARTUPINFOEXW));
+ Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+ PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
+ SIZE_T dwAttributeSize = 0;
+ DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
+
+ dwAttributeSize = RtlGetProcThreadAttributeListSize();
+ if (dwAttributeSize == 0)
+ goto EXIT_ROUTINE;
+
+ ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
+ if (ThreadAttributes == NULL)
+ goto EXIT_ROUTINE;
+
+ if (!RtlInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
+ goto EXIT_ROUTINE;
+
+ RtlUpdateProcThreadAttribute(ThreadAttributes, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &Policy, sizeof(DWORD64));
+
+ Si.lpAttributeList = ThreadAttributes;
+
+ if (!CreateProcessW((PWCHAR)L"C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &Si.StartupInfo, &Pi))
+ goto EXIT_ROUTINE;
+
+ WaitForSingleObject(Pi.hProcess, INFINITE);
+
+ bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+ if (!bFlag)
+ dwError = GetLastError();
+
+ if (ThreadAttributes)
+ HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
+
+ if(Pi.hProcess)
+ CloseHandle(Pi.hProcess);
+
+ if(Pi.hThread)
+ CloseHandle(Pi.hThread);
+
+ return dwError;
+}
\ No newline at end of file
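Review bot: `RtlUpdateProcThreadAttribute` always writes slot zero (`ExtendedAttributes = AttributeList->Attributes;`) and never compares `LastAttribute` with `AttributeCount` or tests `PresentFlags` for a repeated attribute, yet it still does `AttributeList->LastAttribute++`, so a second call would overwrite the first entry and leave a count that presumably makes `CreateProcessW` walk one 24-byte entry past the buffer sized by `RtlGetProcThreadAttributeListSize`; as it returns `VOID`, `main` could not notice either. I would index by `LastAttribute`, reject a full list or a repeated attribute bit the way the real API does (as far as I recall), and return `BOOL` so `main` can `goto EXIT_ROUTINE` on failure (rewrite below). Two smaller points: `HeapFree` has no `HEAP_ZERO_MEMORY` flag, `HeapFree(GetProcessHeap(), 0, ThreadAttributes);` is what is meant, and the hand-laid structs (`ULONG64` fields, `24 * (dwAttributeCount + 1)`) look x64-only, so a `#ifndef _WIN64` / `#error` guard would keep a 32-bit build from handing kernel32 a mis-sized list. The `#include` line shows no header in this rendering; if `<Windows.h>` really was dropped the file will not build.
```cpp
BOOL RtlUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST AttributeList, DWORD_PTR Attribute, PVOID Policy, SIZE_T Size)
{
	PPROC_THREAD_ATTRIBUTE ExtendedAttributes;
	ULONG AttributeBit = 1UL << (Attribute & 0x0000FFFF);

	// Refuse a full list or a repeated attribute; the consumer walks
	// LastAttribute entries, so over-counting reads past the buffer.
	if (AttributeList->LastAttribute >= AttributeList->AttributeCount ||
	    (AttributeList->PresentFlags & AttributeBit))
	{
		SetLastError(ERROR_INVALID_PARAMETER);
		return FALSE;
	}

	AttributeList->PresentFlags |= AttributeBit;
	ExtendedAttributes = &AttributeList->Attributes[AttributeList->LastAttribute];
	// … unchanged: Attribute / Size / Value assignment …
	AttributeList->LastAttribute++;

	return TRUE;
}
```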