Source Byte
It takes a sober mind to abstain from love,
and this nature of mine does not mix with reason.
Saadi Shirazi 187
Check out the full source code of EagleSpy and tailor it to your preferences.

#source
#malware_analysis
#malware_dev #malware
REvil_full.pdf
A Detailed Analysis of The Last Version of REvil Ransomware
Prepared by: Vlad Pasca, Senior Malware and Threat Analyst
Table of contents
Executive summary
Analysis and findings
Thread activity – sub_1282EA7 function
Thread activity – sub_1287677 function
Thread activity – sub_1284468 function
Thread activity – sub_12841D3 function
Running with the -smode parameter
Running with the -silent parameter
Running with the -path parameter
Running with the -nolan parameter
Running with the -nolocal parameter
Running with the -fast parameter
Running with the -full parameter
Indicators of Compromise
Appendix



#REvil #malware_analysis
An Introduction to Bypassing User Mode EDR Hooks
Credit: Marcus Hutchins
Whilst this article is designed to stand on its own, if you’re interested, you can find my previous articles on these topics here, here, here and here. Surprisingly, despite all this research being over a decade old, it’s still completely relevant today. The more things change, the more they stay the same, I guess?
https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html


#Hooking #edr
#malware_dev
Introduction global hook and its cases
https://www.programmerall.com/article/21622234988/
A hook refers to a technique that uses an API to intercept and process Windows messages in advance. A keyboard hook is one example: many Trojans use one to monitor your keyboard.


Related:
[+] GoHook, Go global keyboard and mouse listener hook

[+] Implementing Global Injection and Hooking in Windows



#Hooking
#malware_dev
gargoyle is a technique for hiding all of a program’s executable code in non-executable memory.
Bypassing PESieve and Moneta (The "easy" way....?)
It contains several parts.

Implementation of gargoyle
Lockd: This is the main Gargoyle component
sRDI-Master: This has been slightly reworked to provide a free mechanism.
test.profile: This sample profile shows required options to work
ShellcodeRDI.py: This is the altered python generator with the new sRDI assembly

+ Blog
+ GitHub


#malware_dev
DLHell
DLHell is a tool for performing local and remote DCOM Windows DLL proxying. It can intercept DLLs on remote objects to execute arbitrary commands. The tool supports various authentication methods and provides capabilities for local and remote DLL proxying, as well as DCOM DLL proxying.


https://github.com/synacktiv/DLHell

#malware_dev
Develop your own RAT - AV & EDR Defense
credit : @dobinrutis

code : A C2 framework and RAT written in Go.

slides : 👇🏻

#go , #golang , #c2 , #malware_dev
When the hunter becomes the hunted: Using custom callbacks to disable EDRs
Security software and EDR systems register their process creation callbacks in this array using functions such as PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, and PsSetCreateProcessNotifyRoutineEx2. Each of these functions allows drivers to add their specific callbacks to the array, enabling them to monitor process creation events effectively.

How can we use those functions?

#edr #malware_dev