
Simple Example

EZForever edited this page Apr 10, 2020 · 4 revisions

Basic usage

Here is a simple example, in which we launch cmd.exe as a Doll client and prevent it from running any external commands.

More detailed information on commands, expressions, etc. will be available on the project's wiki.

1. Start the Controller

Launch PEDollController.exe. Click the Listen button to make the Controller listen for clients. A list of available IP addresses will be shown in the console window.

2. Start the Monitor

If you wish to run the Monitor (and the Doll clients) on the same machine as the Controller, click File-Launch Monitor on localhost (select the platform as you wish).

Otherwise, copy the Monitor_x86 or Monitor_x64 folder to the desired machine, run PEDollMonitor.exe there, and type in an IP address shown in the previous step.

After the Monitor has successfully initialized, the Controller prints a message similar to the following:

New client from xx.xx.xx.xx:xxxx: #0 "COMPUTERNAME" (Monitor).

A new tab named Monitor will also appear.

3. Start cmd.exe as a Doll client

In Monitor-Create a new Doll client-Command:, type cmd.exe. Then click Invoke in that groupbox. An instance of cmd.exe should appear on the machine the Monitor is running on, along with another Controller message:

New client from xx.xx.xx.xx:xxxx: #1 "cmd.exe" (Doll).

Double-click the cmd.exe entry in the GUI's Available targets list. A tab named Doll will appear.

From now on the Monitor does not need to keep running; it can be closed.

4. Install hook on running external commands

cmd.exe runs external commands by calling CreateProcessW.

Click Doll-Hooks-Add... and fill in the Install a new hook... form as follows:

[Image: SimpleExample.InstallHookDlg.png]

NOTE: If you're running a 32-bit cmd.exe, you will also need to check the Stack parameters checkbox and change Stack bytes: from 0 to 40. See the FAQ for the reason.

The strange string in the "Before" actions textbox, --echo="{wstr(arg(0))}" --echo="{wstr(arg(1))}", tells the Controller to display the first two arguments (lpApplicationName and lpCommandLine in this case) as Unicode strings before actually rejecting the call. This lets us see which command PEDoll is rejecting.

Install the hook by clicking OK.

5. Enjoy!

At this point the console window cmd.exe is running in should still be pitch-black, with no text in it. That's because PEDoll automatically breaks (suspends) its clients. Click Invoke in the Suspend/resume execution groupbox to resume execution.

Try to run some external commands from the hooked cmd.exe, such as cmd, more or help. They will fail instantly, with a despairing message from cmd.exe itself:

The system cannot execute the specified program.

Some messages will also appear in the Controller console each time an external command is run (or rather, attempted):

Client "cmd.exe" hooked on #0 "CreateProcessW" - phase "before".
echo: "C:\Windows\system32\cmd.exe"
echo: "cmd"
verdict: Executing verdict "reject".
Client "cmd.exe" hooked on #0 "CreateProcessW" - phase "after".
verdict: Executing verdict "approve".

The lines prefixed with echo: are the output of hook actions, a.k.a. the strange strings in the "actions" textboxes.
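To make the before/after phases, the --echo="{wstr(arg(N))}" actions and the reject verdict concrete, here is an added example in C that is not part of PEDoll and not the project's own code. It is a toy model of the hook flow shown above: it parses the page's "Before" action string, substitutes the captured arguments for {wstr(arg(0))} and {wstr(arg(1))}, applies the "reject" verdict so the original call is never made, and produces console lines of the same shape as the ones listed in step 5. The types call_t and hook_t, the functions run_demo, demo_log, hooked_call and stack_bytes_x86, and the two argument values are all assumptions made for this example; only --echo, wstr(arg(N)) and the verdict names come from the page. The example also generalizes the 32-bit note: stack_bytes_x86 derives the Stack bytes figure (10 parameters, 4 bytes each, 40 in total) for any stdcall parameter count.

```c
/* Added example (not PEDoll's code): a toy model of the hook flow described on
 * this page. Everything here is hypothetical except the --echo="..." action
 * form, the {wstr(arg(N))} expression and the verdict names. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define CREATEPROCESSW_NARGS 10   /* CreateProcessW has 10 parameters */
#define LOG_SIZE 1024

/* Hypothetical record of one intercepted call: arguments as machine words,
 * indexed the way arg(N) indexes them. */
typedef struct { uintptr_t args[CREATEPROCESSW_NARGS]; int nargs; } call_t;
typedef enum { VERDICT_APPROVE, VERDICT_REJECT } verdict_t;
typedef struct { const char *func; const char *before; verdict_t before_verdict;
                 const char *after; verdict_t after_verdict; } hook_t;

static char g_log[LOG_SIZE];   /* stands in for the Controller console */

static void logf_(const char *fmt, ...) {
    size_t used = strlen(g_log);
    if (used >= LOG_SIZE - 1) return;
    va_list ap; va_start(ap, fmt);
    vsnprintf(g_log + used, LOG_SIZE - used, fmt, ap);
    va_end(ap);
}

/* 32-bit stdcall passes every parameter in a 4-byte stack slot, which is why
 * the page's 32-bit note asks for Stack bytes = 40 (10 * 4). */
int stack_bytes_x86(int nargs) { return nargs * 4; }

/* Render a template such as {wstr(arg(1))}. Only the wstr(arg(N)) form shown on
 * this page is understood; any other text is copied through unchanged. */
static void render(const call_t *c, const char *tpl, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < outsz;) {
        int n = -1, consumed = 0;
        if (tpl[i] == '{' && sscanf(tpl + i, "{wstr(arg(%d))}%n", &n, &consumed) == 1
            && consumed > 0 && n >= 0 && n < c->nargs) {
            const wchar_t *ws = (const wchar_t *)c->args[n];   /* read the word as a wide string */
            for (; ws && *ws && o + 1 < outsz; ws++) out[o++] = (unsigned)*ws < 128 ? (char)*ws : '?';
            i += (size_t)consumed;
        } else {
            out[o++] = tpl[i++];
        }
    }
    out[o] = '\0';
}

/* Execute every --echo="..." action in an action string, logging one echo: line each. */
static void run_actions(const call_t *c, const char *actions) {
    const char *p = actions, *end;
    char text[256];
    while (actions && (p = strstr(p, "--echo=\"")) != NULL) {
        p += strlen("--echo=\"");
        if ((end = strchr(p, '"')) == NULL) break;
        render(c, p, (size_t)(end - p), text, sizeof text);
        logf_("echo: \"%s\"\n", text);
        p = end + 1;
    }
}

/* Stand-in for the real function; never reached when the verdict is reject. */
static int original_call(const call_t *c) { (void)c; return 1; }

/* Hook dispatcher: before phase (actions, then verdict), optional original call,
 * after phase. A "reject" verdict skips the original and returns failure (0). */
static int hooked_call(const hook_t *h, const call_t *c) {
    int ret = 0;
    logf_("Client \"cmd.exe\" hooked on #0 \"%s\" - phase \"before\".\n", h->func);
    run_actions(c, h->before);
    logf_("verdict: Executing verdict \"%s\".\n", h->before_verdict == VERDICT_REJECT ? "reject" : "approve");
    if (h->before_verdict == VERDICT_APPROVE) ret = original_call(c);
    logf_("Client \"cmd.exe\" hooked on #0 \"%s\" - phase \"after\".\n", h->func);
    run_actions(c, h->after);
    logf_("verdict: Executing verdict \"%s\".\n", h->after_verdict == VERDICT_REJECT ? "reject" : "approve");
    return ret;
}

/* Replays the page's scenario on constructed arguments; returns the hooked
 * call's result (0 = rejected) and leaves the console text in demo_log(). */
int run_demo(void) {
    static const wchar_t app[] = L"C:\\Windows\\system32\\cmd.exe";   /* constructed lpApplicationName */
    static const wchar_t cmd[] = L"cmd";                               /* constructed lpCommandLine */
    const hook_t hook = { "CreateProcessW",
        "--echo=\"{wstr(arg(0))}\" --echo=\"{wstr(arg(1))}\"", VERDICT_REJECT,
        "", VERDICT_APPROVE };
    call_t call = { {0}, CREATEPROCESSW_NARGS };
    call.args[0] = (uintptr_t)app;
    call.args[1] = (uintptr_t)cmd;
    g_log[0] = '\0';
    return hooked_call(&hook, &call);
}

const char *demo_log(void) { return g_log; }

int main(void) {
    int ret = run_demo();
    fputs(demo_log(), stdout);
    printf("hooked CreateProcessW returned %d\n", ret);
    return 0;
}
```

Running it prints the same four-line before/after sequence as the Controller console in step 5, followed by the return value 0: the echo lines come from the two --echo actions, and the reject verdict is what keeps original_call from ever running, which is the model of why cmd.exe sees the process creation fail.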
