AppCert DLLs

AppCert DLLs are loaded during the first call to any of these Win32 APIs: CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, or WinExec.

To set this up:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" /V "AppCert" /T REG_EXPAND_SZ /D "c:\executable.dll" /F

Our AppCert DLL code looks like this:

#include <ntstatus.h>
#include <windows.h>
#include <stdio.h>

#define APPCERT_IMAGE_OK_TO_RUN   0x00000001L
#define APPCERT_CREATION_ALLOWED  0x00000002L
#define APPCERT_CREATION_DENIED   0x00000003L

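/*
 * Exported prototype of the AppCert callback.
 *
 * extern "C" keeps the exported symbol unmangled so it can be resolved by
 * name; the original declaration was missing the terminating semicolon.
 *
 * @param lpApplicationName  application name handed to the callback.
 * @param uNotifyReason      one of the APPCERT_* reason codes defined above
 *                           (see the reason switch at the end of the file).
 * @return NTSTATUS; STATUS_SUCCESS acknowledges the notification.
 */
extern "C" __declspec(dllexport) NTSTATUS NTAPI CreateProcessNotify(
	LPCWSTR lpApplicationName,
	ULONG uNotifyReason);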
	
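/*
 * CreateProcessNotify: body of the AppCert callback.
 *
 * @param lpApplicationName  application name handed to the callback (not inspected).
 * @param uNotifyReason      APPCERT_* reason code (not inspected); named to match
 *                           the exported prototype above and the reason switch at
 *                           the end of the file.
 * @return STATUS_SUCCESS unconditionally, so this DLL never vetoes a process
 *         creation — it only acknowledges the notification.
 *
 * Because a DLL listed under the AppCertDlls key is loaded when a process first
 * calls one of the CreateProcess* APIs (see above), values under that key are a
 * persistence location worth auditing and monitoring for changes.
 */
NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG uNotifyReason) {
	(void)lpApplicationName;   // unused: the page shows only the callback contract
	(void)uNotifyReason;       // unused: no per-reason handling on this page
	return STATUS_SUCCESS;
}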
	
/*
 * DllMain: standard DLL entry point.
 *
 * Every attach/detach reason leads to the same outcome: no work is done and
 * TRUE is returned, so the load always succeeds. The switch is kept only to
 * make the reason codes visible to the reader.
 *
 * @param hinstDLL   module handle (unused).
 * @param fdwReason  DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH,
 *                   DLL_THREAD_DETACH or DLL_PROCESS_DETACH.
 * @param lpReserved reserved by the loader (unused).
 * @return TRUE always.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
	(void)hinstDLL;
	(void)lpReserved;

	switch (fdwReason) {
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
	default:
		// No per-reason work on this page.
		break;
	}
	return TRUE;
}


/*
	switch (uNotifyReason)
	{
	case APPCERT_IMAGE_OK_TO_RUN:
		OutputDebugStringA("APPCERT_IMAGE_OK_TO_RUN");
		return STATUS_SUCCESS;

	case APPCERT_CREATION_ALLOWED:
		OutputDebugStringA("APPCERT_CREATION_ALLOWED");
		return STATUS_SUCCESS;

	case APPCERT_CREATION_DENIED:
		OutputDebugStringA("APPCERT_CREATION_DENIED");
		return STATUS_SUCCESS;

	default:
		OutputDebugStringA("APPCERT_UNKNOWN");
		return STATUS_SUCCESS;
	}
}
*/ 
