diff --git a/README.md b/README.md
index 14da359..ff781f3 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,27 @@
-# whocalls
\ No newline at end of file
+# What
+
+___whocalls___ is a simple Windows DLL that logs some info whenever it gets loaded.
+
+# Why
+
+For use in identifying and demonstrating DLL planting opportunities.
+
+(I can never find other people's implementations when I need them.)
+
+# How
+
+1. Customise the output filename in the source code.
+
+2. Compile to PE format.
+
+ e.g. Using MinGW on Kali:
+
+ `x86_64-w64-mingw32-gcc -shared -s -o whocalls.dll whocalls.c`
+
+3. Customise the DLL name and drop it somewhere.
+3. Periodically review the log file.
+
+# Where
+
+That's up to you.
+
diff --git a/whocalls.c b/whocalls.c
new file mode 100644
index 0000000..9823731
--- /dev/null
+++ b/whocalls.c
@@ -0,0 +1,47 @@
+#include
+#include
+#include
+
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+ __declspec(dllexport) int DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved )
+ {
+
+ if (fdwReason != 1 && fdwReason !=2) { // DLL_PROCESS_ATTACH or DLL_THREAD_ATTACH
+ return 1;
+ }
+
+ FILE *fp;
+ fp = fopen ("C:/HONKHONK.TXT", "a"); // You probably want to customise this... ;-)
+
+ char hostname[255] = "";
+ ZeroMemory(hostname, sizeof(hostname) );
+ DWORD CompBuffer = 255;
+ GetComputerName(hostname, &CompBuffer);
+
+ char username[255] = "";
+ ZeroMemory(username, sizeof(username) );
+ DWORD NameBuffer = 255;
+ GetUserName(username, &NameBuffer);
+
+ char dllpath[65535];
+ GetModuleFileName(hinstDLL, dllpath, sizeof(dllpath));
+
+ char exepath[65535];
+ GetModuleFileName(NULL, exepath, sizeof(exepath));
+
+ SYSTEMTIME st;
+ GetSystemTime(&st); // This is UTC time. GetLocalTime, er, gets the local time
+
+ fprintf(fp, "%s|%s|%s|%s|%d|%d/%d/%d %d:%d:%d:%d\n", hostname, username, dllpath, exepath, fdwReason, st.wDay, st.wMonth, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
+
+
+ fclose (fp);
+ return 1;
+ }
+
+#if defined(__cplusplus)
+}
+#endif
\ No newline at end of file
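Review bot: The result of `fp = fopen ("C:/HONKHONK.TXT", "a");` is never checked, so in any host process that cannot write to that path (an ordinary case for a DLL that is meant to be loaded by arbitrary processes) `fp` is NULL and the later `fprintf(fp, ...)` dereferences it, crashing the host instead of silently skipping the log entry. Add `if (fp == NULL) { return 1; }` directly after the `fopen` line so the probe stays quiet on failure. The `%d` conversion for `fdwReason` also mismatches its `DWORD` argument; `%lu` is the matching specifier, and the `SYSTEMTIME` `WORD` fields are fine with `%d` after integer promotion. The magic `1`/`2` in the reason check would read better as the `DLL_PROCESS_ATTACH` and `DLL_THREAD_ATTACH` macros that the trailing comment already names, and the `#include` lines appear with their header names lost in this rendering, so the intended headers cannot be confirmed from the hunk.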