## Target - `C:\Windows\System32\RuntimeBroker.exe` loads `umpdc.dll` - Best to load at `DllMain` -> `PROCESS_DETACH` ## Exports ```cpp #pragma comment (linker, "/export:PdcSleep=C:\\windows\\system32\\umpdc.PdcSleep") #pragma comment (linker, "/export:PdcAcquireRwLockExclusive=C:\\windows\\system32\\umpdc.PdcAcquireRwLockExclusive") #pragma comment (linker, "/export:PdcActivationClientActivityRequest=C:\\windows\\system32\\umpdc.PdcActivationClientActivityRequest") #pragma comment (linker, "/export:PdcActivationClientRegister=C:\\windows\\system32\\umpdc.PdcActivationClientRegister") #pragma comment (linker, "/export:PdcActivationClientUnregister=C:\\windows\\system32\\umpdc.PdcActivationClientUnregister") #pragma comment (linker, "/export:PdcAllocate=C:\\windows\\system32\\umpdc.PdcAllocate") #pragma comment (linker, "/export:PdcFree=C:\\windows\\system32\\umpdc.PdcFree") #pragma comment (linker, "/export:PdcNotificationClientAcknowledge=C:\\windows\\system32\\umpdc.PdcNotificationClientAcknowledge") #pragma comment (linker, "/export:PdcNotificationClientRegister=C:\\windows\\system32\\umpdc.PdcNotificationClientRegister") #pragma comment (linker, "/export:PdcNotificationClientUnregister=C:\\windows\\system32\\umpdc.PdcNotificationClientUnregister") #pragma comment (linker, "/export:PdcPortClose=C:\\windows\\system32\\umpdc.PdcPortClose") #pragma comment (linker, "/export:PdcPortOpen=C:\\windows\\system32\\umpdc.PdcPortOpen") #pragma comment (linker, "/export:PdcPortSendMessage=C:\\windows\\system32\\umpdc.PdcPortSendMessage") #pragma comment (linker, "/export:PdcPortSendMessageSynchronously=C:\\windows\\system32\\umpdc.PdcPortSendMessageSynchronously") #pragma comment (linker, "/export:PdcPpmProfileClientRegister=C:\\windows\\system32\\umpdc.PdcPpmProfileClientRegister") #pragma comment (linker, "/export:PdcPpmProfileClientUnregister=C:\\windows\\system32\\umpdc.PdcPpmProfileClientUnregister") #pragma comment (linker, "/export:PdcPpmProfileDisable=C:\\windows\\system32\\umpdc.PdcPpmProfileDisable") #pragma comment (linker, "/export:PdcPpmProfileEnable=C:\\windows\\system32\\umpdc.PdcPpmProfileEnable") #pragma comment (linker, "/export:PdcReleaseRwLockExclusive=C:\\windows\\system32\\umpdc.PdcReleaseRwLockExclusive") #pragma comment (linker, "/export:PdcResiliencyClientAcknowledge=C:\\windows\\system32\\umpdc.PdcResiliencyClientAcknowledge") #pragma comment (linker, "/export:PdcResiliencyClientRegister=C:\\windows\\system32\\umpdc.PdcResiliencyClientRegister") #pragma comment (linker, "/export:PdcResiliencyClientUnregister=C:\\windows\\system32\\umpdc.PdcResiliencyClientUnregister") #pragma comment (linker, "/export:PdcRwLockInitialize=C:\\windows\\system32\\umpdc.PdcRwLockInitialize") #pragma comment (linker, "/export:PdcSignalClientPulse=C:\\windows\\system32\\umpdc.PdcSignalClientPulse") #pragma comment (linker, "/export:PdcSignalClientRegister=C:\\windows\\system32\\umpdc.PdcSignalClientRegister") #pragma comment (linker, "/export:PdcSignalClientSetActive=C:\\windows\\system32\\umpdc.PdcSignalClientSetActive") #pragma comment (linker, "/export:PdcSignalClientUnregister=C:\\windows\\system32\\umpdc.PdcSignalClientUnregister") #pragma comment (linker, "/export:PdcTaskClientRegister=C:\\windows\\system32\\umpdc.PdcTaskClientRegister") #pragma comment (linker, "/export:PdcTaskClientRequest=C:\\windows\\system32\\umpdc.PdcTaskClientRequest") #pragma comment (linker, "/export:PdcTaskClientUnregister=C:\\windows\\system32\\umpdc.PdcTaskClientUnregister") #pragma comment (linker, "/export:Pdcv2ActivationClientActivate=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientActivate") #pragma comment (linker, "/export:Pdcv2ActivationClientDeactivate=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientDeactivate") #pragma comment (linker, "/export:Pdcv2ActivationClientRegister=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientRegister") #pragma comment (linker, "/export:Pdcv2ActivationClientRenewActivation=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientRenewActivation") #pragma comment (linker, "/export:Pdcv2ActivationClientSetBrokeredProcessId=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientSetBrokeredProcessId") #pragma comment (linker, "/export:Pdcv2ActivationClientUnregister=C:\\windows\\system32\\umpdc.Pdcv2ActivationClientUnregister") #pragma comment (linker, "/export:SleepstudyHelperBlockerActiveDereference=C:\\windows\\system32\\umpdc.SleepstudyHelperBlockerActiveDereference") #pragma comment (linker, "/export:SleepstudyHelperBlockerActiveReference=C:\\windows\\system32\\umpdc.SleepstudyHelperBlockerActiveReference") #pragma comment (linker, "/export:SleepstudyHelperBuildBlocker=C:\\windows\\system32\\umpdc.SleepstudyHelperBuildBlocker") #pragma comment (linker, "/export:SleepstudyHelperCreateBlockerFromGuid=C:\\windows\\system32\\umpdc.SleepstudyHelperCreateBlockerFromGuid") #pragma comment (linker, "/export:SleepstudyHelperCreateLibrary=C:\\windows\\system32\\umpdc.SleepstudyHelperCreateLibrary") #pragma comment (linker, "/export:SleepstudyHelperDestroyBlocker=C:\\windows\\system32\\umpdc.SleepstudyHelperDestroyBlocker") #pragma comment (linker, "/export:SleepstudyHelperDestroyBlockerBuilder=C:\\windows\\system32\\umpdc.SleepstudyHelperDestroyBlockerBuilder") #pragma comment (linker, "/export:SleepstudyHelperDestroyLibrary=C:\\windows\\system32\\umpdc.SleepstudyHelperDestroyLibrary") #pragma comment (linker, "/export:SleepstudyHelperGetBlockerGuid=C:\\windows\\system32\\umpdc.SleepstudyHelperGetBlockerGuid") #pragma comment (linker, "/export:SleepstudyHelperSetBlockerFriendlyName=C:\\windows\\system32\\umpdc.SleepstudyHelperSetBlockerFriendlyName") #pragma comment (linker, "/export:SleepstudyHelperSetBlockerParentHandle=C:\\windows\\system32\\umpdc.SleepstudyHelperSetBlockerParentHandle") #pragma comment (linker, "/export:SleepstudyHelperSetBlockerVisible=C:\\windows\\system32\\umpdc.SleepstudyHelperSetBlockerVisible") ``` ## Source