functionality additions + readme

new functions, improved readme, ++
2022-10-21 12:50:24 -05:00 · 2022-10-21 12:50:24 -05:00 · 08fb26bb51
parent da95e71727
commit 08fb26bb51
13 changed files with 416 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -2,6 +2,8 @@
 managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter](https://twitter.com/vxunderground) | download malware samples at the [VXUG/samples](https://samples.vx-underground.org/) page
  
 # VX-API
+
+Version: 2022.210
  
 The VX-API is a collection of malicious functionality to aid in malware development. It is recommended you clone and/or download this entire repo then open the Visual Studio solution file to easily explore functionality and concepts.

@ -83,6 +85,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | GetPidFromWindowsTerminalService | modexp | Fingerprinting |
 | GetPidFromWmiComInterface | aalimian and modexp | Fingerprinting |
 | GetPidFromEnumProcesses | smelly__vx | Fingerprinting |
+| GetPidFromPidBruteForcing | modexp | Fingerprinting |
 | CreateLocalAppDataObjectPath | smelly__vx | Helper Functions |
 | CreateWindowsObjectPath | smelly__vx | Helper Functions |
 | DeleteFileWithCreateFileFlag | smelly__vx | Helper Functions |
@ -100,6 +103,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | SetProcessPrivilegeToken | Microsoft | Helper Functions |
 | UrlDownloadToFileSynchronous | Hans Passant | Helper Functions |
 | IsDllLoaded | smelly__vx | Helper Functions | 
+| TryLoadDllMultiMethod | smelly__vx | Helper Functions |
 | GetKUserSharedData | Geoff Chappell | Library Loading |
 | GetModuleHandleEx2 | smelly__vx | Library Loading |
 | GetPeb | 29a | Library Loading |
@ -132,7 +136,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | RegQueryValueExW | modexp | Performance data |
 | NtDeviceIoControlFile | modexp | TCP table |
 | EvtQuery | modexp | Security Event Log |
-| Brute force PID | modexp | incr |
 | NtMapViewOfSection lsass | modexp | NtMapViewOfSection |
 | IcmpSendEcho | N/A | Sync PING |
 | IcmpSendEcho2Ex | N/A | Async PING w/ APC |
@ -145,5 +148,19 @@ You're free to use this in any manner you please. You do not need to use this en
 # Notes
 | Function Name | Original Author | Note |
 | ------------- | --------------- | ------- |
+| ~~RtlInitEmptyUnicodeString~~ | ~~N/A~~ | ~~Needs revision~~ |
+| StringToken | N/A | Needs revision, buggy |
+| CreateMd5HashFromFilePath | N/A | Import |
+| HashFileByMsiFileHashTable | N/A | TryDllMultiMethod |
+| CreateFileFromDsCopyFromSharedFileW | N/A | Never unloads dll |
+| CreateProcessFromIShellDispatchInvoke | N/A | TryDllMultiMethod |
+| UnusedSubroutineGetShellViewForDesktop | N/A | TryDllMultiMethod |
+| DelayedExecutionExecuteOnDisplayOff | N/A | TryDllMultiMethod |
+| GetPidFromEnumProcesses | N/A | TryDllMultiMethod |
+| GetPidFromWindowsTerminalService | N/A | TryDllMultiMethod |
+| IsProcessRunning | N/A | TryDllMultiMethod |
+| GetCurrentUserSid | N/A | TryDllMultiMethod |
+| RecursiveFindFile | N/A | TryDllMultiMethod |
+| UrlDownloadToFileSynchronous | N/A | TryDllMultiMethod |
 | CreateProcessByNotepadProxy | x86matthew | Removed, unstable |
 | SystemFunction036 | MSDN | Removed, unstable |
--- a/VX-API/ByteArrayToCharArray.cpp
+++ b/VX-API/ByteArrayToCharArray.cpp
@ -3,15 +3,11 @@
 VOID ByteArrayToCharArrayA(_Inout_ PCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length)
 {
 	for (DWORD dwX = 0; dwX < Length; dwX++)
-	{
 		Destination[dwX] = (BYTE)Source[dwX];
-	}
 }

 VOID ByteArrayToCharArrayW(_Inout_ PWCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length)
 {
 	for (DWORD dwX = 0; dwX < Length; dwX++)
-	{
 		Destination[dwX] = (BYTE)Source[dwX];
-	}
 }
--- a/VX-API/CharArrayToByteArray.cpp
+++ b/VX-API/CharArrayToByteArray.cpp
@ -3,15 +3,11 @@
 VOID CharArrayToByteArrayA(_In_ PCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length)
 {
 	for (DWORD dwX = 0; dwX < Length; dwX++)
-	{
 		Byte[dwX] = (BYTE)Char[dwX];
-	}
 }

 VOID CharArrayToByteArrayW(_In_ PWCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length)
 {
 	for (DWORD dwX = 0; dwX < Length; dwX++)
-	{
 		Byte[dwX] = (BYTE)Char[dwX];
-	}
 }
--- a/VX-API/FunctionDeclaration.h
+++ b/VX-API/FunctionDeclaration.h
@ -13,8 +13,8 @@ typedef ULONG(NTAPI* RTLNTSTATUSTODOSERROR)(NTSTATUS);
 typedef NTSTATUS(NTAPI* NTCREATEUSERPROCESS)(PHANDLE,PHANDLE, ACCESS_MASK, ACCESS_MASK, POBJECT_ATTRIBUTES, POBJECT_ATTRIBUTES, ULONG, ULONG, PRTL_USER_PROCESS_PARAMETERS, PPS_CREATE_INFO, PPS_ATTRIBUTE_LIST);
 typedef NTSTATUS(NTAPI* RTLCREATEPROCESSPARAMETERSEX)(PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING,	PUNICODE_STRING, PVOID,	PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, ULONG);
 typedef NTSTATUS(NTAPI* RTLDESTROYPROCESSPARAMETERS)(PRTL_USER_PROCESS_PARAMETERS);
-typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
-typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
+typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION);
+typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION);



@ -47,6 +47,7 @@ typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
 typedef LPWSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);
 typedef LPWSTR(WINAPI* PATHCOMBINEW)(LPCWSTR, LPCWSTR, LPCWSTR);
 typedef HRESULT(WINAPI* IUNKNOWN_QUERYSERVICE)(IUnknown*, REFGUID, REFIID, PVOID*);
+typedef VOID(WINAPI* PATHSTRIPPATHW)(LPWSTR);



@ -77,4 +78,8 @@ typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
 ADVAPI32 IMPORT
 *******************************************/
 typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
-typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
+typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
+typedef SC_HANDLE(WINAPI* OPENSCMANAGERW)(LPCWSTR, LPCWSTR, DWORD);
+typedef SC_HANDLE(WINAPI* OPENSERVICEW)(SC_HANDLE, LPCWSTR, DWORD);
+typedef SC_HANDLE(WINAPI* QUERYSERVICESTATUSEX)(SC_HANDLE, SC_STATUS_TYPE, LPBYTE, DWORD, LPDWORD);
+typedef BOOL(WINAPI* CLOSESERVICEHANDLE)(SC_HANDLE);
--- a/VX-API/GetPidFromPidBruteForcingW.cpp
+++ b/VX-API/GetPidFromPidBruteForcingW.cpp
@ -0,0 +1,107 @@
+#include "Win32Helper.h"
+
+DWORD GetPidFromPidBruteForcingW(_In_ PWCHAR ProcessNameWithExtension)
+{
+	DWORD ProcessId = ERROR_SUCCESS;
+	SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
+	NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
+	PATHSTRIPPATHW PathStripPathW = NULL;
+	HMODULE hModule = NULL, hShlwapi = NULL;
+	BOOL bUnload = FALSE;
+
+	hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
+	hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
+
+	if (!hModule || !hShlwapi)
+		goto EXIT_ROUTINE;
+
+	NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
+	PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
+	if (!NtQuerySystemInformation || !PathStripPathW)
+		goto EXIT_ROUTINE;
+
+	for (DWORD dwProcessIdAddress = 0x00000008; dwProcessIdAddress < 0xFFFFFFFC; dwProcessIdAddress += 0x00000004)
+	{
+		WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
+		NTSTATUS Status = STATUS_SUCCESS;
+
+		if (ProcessId != ERROR_SUCCESS)
+			break;
+		
+		SystemProcessInformation.ProcessId = LongToHandle(dwProcessIdAddress);
+		SystemProcessInformation.ImageName.Buffer = ImageName;
+		SystemProcessInformation.ImageName.Length = 0;
+		SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
+
+		Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
+		if (!NT_SUCCESS(Status))
+			continue;
+
+		PathStripPathW(SystemProcessInformation.ImageName.Buffer);
+
+		if (StringCompareW(ProcessNameWithExtension, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
+			ProcessId = dwProcessIdAddress;
+	}
+
+EXIT_ROUTINE:
+
+	if (hShlwapi)
+		FreeLibrary(hShlwapi);
+
+	return ProcessId;
+}
+
+DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension)
+{
+	DWORD ProcessId = ERROR_SUCCESS;
+	SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
+	NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
+	PATHSTRIPPATHW PathStripPathW = NULL;
+	HMODULE hModule = NULL, hShlwapi = NULL;
+	BOOL bUnload = FALSE;
+	WCHAR BinaryNameString[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+	if (CharStringToWCharString(BinaryNameString, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension)) == 0)
+		goto EXIT_ROUTINE;
+
+	hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
+	hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
+
+	if (!hModule || !hShlwapi)
+		goto EXIT_ROUTINE;
+
+	NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
+	PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
+	if (!NtQuerySystemInformation || !PathStripPathW)
+		goto EXIT_ROUTINE;
+
+	for (DWORD dwProcessIdAddress = 0x00000008; dwProcessIdAddress < 0xFFFFFFFC; dwProcessIdAddress += 0x00000004)
+	{
+		WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
+		NTSTATUS Status = STATUS_SUCCESS;
+
+		if (ProcessId != ERROR_SUCCESS)
+			break;
+
+		SystemProcessInformation.ProcessId = LongToHandle(dwProcessIdAddress);
+		SystemProcessInformation.ImageName.Buffer = ImageName;
+		SystemProcessInformation.ImageName.Length = 0;
+		SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
+
+		Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
+		if (!NT_SUCCESS(Status))
+			continue;
+
+		PathStripPathW(SystemProcessInformation.ImageName.Buffer);
+
+		if (StringCompareW(BinaryNameString, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
+			ProcessId = dwProcessIdAddress;
+	}
+
+EXIT_ROUTINE:
+
+	if (hShlwapi)
+		FreeLibrary(hShlwapi);
+
+	return ProcessId;
+}
--- a/VX-API/Internal.h
+++ b/VX-API/Internal.h
@ -389,6 +389,237 @@ typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
 	EndAlternatives = 2
 } ALTERNATIVE_ARCHITECTURE_TYPE;

+typedef enum _SYSTEM_INFORMATION_CLASS {
+	SystemBasicInformation = 0,
+	SystemCpuInformation = 1,
+	SystemPerformanceInformation = 2,
+	SystemTimeOfDayInformation = 3, /* was SystemTimeInformation */
+	SystemPathInformation = 4,
+	SystemProcessInformation = 5,
+	SystemCallCountInformation = 6,
+	SystemDeviceInformation = 7,
+	SystemProcessorPerformanceInformation = 8,
+	SystemFlagsInformation = 9,
+	SystemCallTimeInformation = 10,
+	SystemModuleInformation = 11,
+	SystemLocksInformation = 12,
+	SystemStackTraceInformation = 13,
+	SystemPagedPoolInformation = 14,
+	SystemNonPagedPoolInformation = 15,
+	SystemHandleInformation = 16,
+	SystemObjectInformation = 17,
+	SystemPageFileInformation = 18,
+	SystemVdmInstemulInformation = 19,
+	SystemVdmBopInformation = 20,
+	SystemFileCacheInformation = 21,
+	SystemPoolTagInformation = 22,
+	SystemInterruptInformation = 23,
+	SystemDpcBehaviorInformation = 24,
+	SystemFullMemoryInformation = 25,
+	SystemNotImplemented6 = 25,
+	SystemLoadGdiDriverInformation = 26,
+	SystemUnloadGdiDriverInformation = 27,
+	SystemTimeAdjustmentInformation = 28,
+	SystemTimeAdjustment = 28,
+	SystemSummaryMemoryInformation = 29,
+	SystemMirrorMemoryInformation = 30,
+	SystemPerformanceTraceInformation = 31,
+	SystemObsolete0 = 32,
+	SystemExceptionInformation = 33,
+	SystemCrashDumpStateInformation = 34,
+	SystemKernelDebuggerInformation = 35,
+	SystemContextSwitchInformation = 36,
+	SystemRegistryQuotaInformation = 37,
+	SystemExtendServiceTableInformation = 38,
+	SystemPrioritySeparation = 39,
+	SystemVerifierAddDriverInformation = 40,
+	SystemVerifierRemoveDriverInformation = 41,
+	SystemProcessorIdleInformation = 42,
+	SystemLegacyDriverInformation = 43,
+	SystemCurrentTimeZoneInformation = 44,
+	SystemLookasideInformation = 45,
+	SystemTimeSlipNotification = 46,
+	SystemSessionCreate = 47,
+	SystemSessionDetach = 48,
+	SystemSessionInformation = 49,
+	SystemRangeStartInformation = 50,
+	SystemVerifierInformation = 51,
+	SystemVerifierThunkExtend = 52,
+	SystemSessionProcessesInformation = 53,
+	SystemLoadGdiDriverInSystemSpace = 54,
+	SystemNumaProcessorMap = 55,
+	SystemPrefetcherInformation = 56,
+	SystemExtendedProcessInformation = 57,
+	SystemRecommendedSharedDataAlignment = 58,
+	SystemComPlusPackage = 59,
+	SystemNumaAvailableMemory = 60,
+	SystemProcessorPowerInformation = 61,
+	SystemEmulationBasicInformation = 62,
+	SystemEmulationProcessorInformation = 63,
+	SystemExtendedHandleInformation = 64,
+	SystemLostDelayedWriteInformation = 65,
+	SystemBigPoolInformation = 66,
+	SystemSessionPoolTagInformation = 67,
+	SystemSessionMappedViewInformation = 68,
+	SystemHotpatchInformation = 69,
+	SystemObjectSecurityMode = 70,
+	SystemWatchdogTimerHandler = 71,
+	SystemWatchdogTimerInformation = 72,
+	SystemLogicalProcessorInformation = 73,
+	SystemWow64SharedInformationObsolete = 74,
+	SystemRegisterFirmwareTableInformationHandler = 75,
+	SystemFirmwareTableInformation = 76,
+	SystemModuleInformationEx = 77,
+	SystemVerifierTriageInformation = 78,
+	SystemSuperfetchInformation = 79,
+	SystemMemoryListInformation = 80,
+	SystemFileCacheInformationEx = 81,
+	SystemThreadPriorityClientIdInformation = 82,
+	SystemProcessorIdleCycleTimeInformation = 83,
+	SystemVerifierCancellationInformation = 84,
+	SystemProcessorPowerInformationEx = 85,
+	SystemRefTraceInformation = 86,
+	SystemSpecialPoolInformation = 87,
+	SystemProcessIdInformation = 88,
+	SystemErrorPortInformation = 89,
+	SystemBootEnvironmentInformation = 90,
+	SystemHypervisorInformation = 91,
+	SystemVerifierInformationEx = 92,
+	SystemTimeZoneInformation = 93,
+	SystemImageFileExecutionOptionsInformation = 94,
+	SystemCoverageInformation = 95,
+	SystemPrefetchPatchInformation = 96,
+	SystemVerifierFaultsInformation = 97,
+	SystemSystemPartitionInformation = 98,
+	SystemSystemDiskInformation = 99,
+	SystemProcessorPerformanceDistribution = 100,
+	SystemNumaProximityNodeInformation = 101,
+	SystemDynamicTimeZoneInformation = 102,
+	SystemCodeIntegrityInformation = 103,
+	SystemProcessorMicrocodeUpdateInformation = 104,
+	SystemProcessorBrandString = 105,
+	SystemVirtualAddressInformation = 106,
+	SystemLogicalProcessorInformationEx = 107,
+	SystemProcessorCycleTimeInformation = 108,
+	SystemStoreInformation = 109,
+	SystemRegistryAppendString = 110,
+	SystemAitSamplingValue = 111,
+	SystemVhdBootInformation = 112,
+	SystemCpuQuotaInformation = 113,
+	SystemNativeBasicInformation = 114,
+	SystemErrorPortTimeouts = 115,
+	SystemLowPriorityIoInformation = 116,
+	SystemTpmBootEntropyInformation = 117,
+	SystemVerifierCountersInformation = 118,
+	SystemPagedPoolInformationEx = 119,
+	SystemSystemPtesInformationEx = 120,
+	SystemNodeDistanceInformation = 121,
+	SystemAcpiAuditInformation = 122,
+	SystemBasicPerformanceInformation = 123,
+	SystemQueryPerformanceCounterInformation = 124,
+	SystemSessionBigPoolInformation = 125,
+	SystemBootGraphicsInformation = 126,
+	SystemScrubPhysicalMemoryInformation = 127,
+	SystemBadPageInformation = 128,
+	SystemProcessorProfileControlArea = 129,
+	SystemCombinePhysicalMemoryInformation = 130,
+	SystemEntropyInterruptTimingInformation = 131,
+	SystemConsoleInformation = 132,
+	SystemPlatformBinaryInformation = 133,
+	SystemPolicyInformation = 134,
+	SystemHypervisorProcessorCountInformation = 135,
+	SystemDeviceDataInformation = 136,
+	SystemDeviceDataEnumerationInformation = 137,
+	SystemMemoryTopologyInformation = 138,
+	SystemMemoryChannelInformation = 139,
+	SystemBootLogoInformation = 140,
+	SystemProcessorPerformanceInformationEx = 141,
+	SystemCriticalProcessErrorLogInformation = 142,
+	SystemSecureBootPolicyInformation = 143,
+	SystemPageFileInformationEx = 144,
+	SystemSecureBootInformation = 145,
+	SystemEntropyInterruptTimingRawInformation = 146,
+	SystemPortableWorkspaceEfiLauncherInformation = 147,
+	SystemFullProcessInformation = 148,
+	SystemKernelDebuggerInformationEx = 149,
+	SystemBootMetadataInformation = 150,
+	SystemSoftRebootInformation = 151,
+	SystemElamCertificateInformation = 152,
+	SystemOfflineDumpConfigInformation = 153,
+	SystemProcessorFeaturesInformation = 154,
+	SystemRegistryReconciliationInformation = 155,
+	SystemEdidInformation = 156,
+	SystemManufacturingInformation = 157,
+	SystemEnergyEstimationConfigInformation = 158,
+	SystemHypervisorDetailInformation = 159,
+	SystemProcessorCycleStatsInformation = 160,
+	SystemVmGenerationCountInformation = 161,
+	SystemTrustedPlatformModuleInformation = 162,
+	SystemKernelDebuggerFlags = 163,
+	SystemCodeIntegrityPolicyInformation = 164,
+	SystemIsolatedUserModeInformation = 165,
+	SystemHardwareSecurityTestInterfaceResultsInformation = 166,
+	SystemSingleModuleInformation = 167,
+	SystemAllowedCpuSetsInformation = 168,
+	SystemVsmProtectionInformation = 169,
+	SystemInterruptCpuSetsInformation = 170,
+	SystemSecureBootPolicyFullInformation = 171,
+	SystemCodeIntegrityPolicyFullInformation = 172,
+	SystemAffinitizedInterruptProcessorInformation = 173,
+	SystemRootSiloInformation = 174,
+	SystemCpuSetInformation = 175,
+	SystemCpuSetTagInformation = 176,
+	SystemWin32WerStartCallout = 177,
+	SystemSecureKernelProfileInformation = 178,
+	SystemCodeIntegrityPlatformManifestInformation = 179,
+	SystemInterruptSteeringInformation = 180,
+	SystemSupportedProcessorArchitectures = 181,
+	SystemMemoryUsageInformation = 182,
+	SystemCodeIntegrityCertificateInformation = 183,
+	SystemPhysicalMemoryInformation = 184,
+	SystemControlFlowTransition = 185,
+	SystemKernelDebuggingAllowed = 186,
+	SystemActivityModerationExeState = 187,
+	SystemActivityModerationUserSettings = 188,
+	SystemCodeIntegrityPoliciesFullInformation = 189,
+	SystemCodeIntegrityUnlockInformation = 190,
+	SystemIntegrityQuotaInformation = 191,
+	SystemFlushInformation = 192,
+	SystemProcessorIdleMaskInformation = 193,
+	SystemSecureDumpEncryptionInformation = 194,
+	SystemWriteConstraintInformation = 195,
+	SystemKernelVaShadowInformation = 196,
+	SystemHypervisorSharedPageInformation = 197,
+	SystemFirmwareBootPerformanceInformation = 198,
+	SystemCodeIntegrityVerificationInformation = 199,
+	SystemFirmwarePartitionInformation = 200,
+	SystemSpeculationControlInformation = 201,
+	SystemDmaGuardPolicyInformation = 202,
+	SystemEnclaveLaunchControlInformation = 203,
+	SystemWorkloadAllowedCpuSetsInformation = 204,
+	SystemCodeIntegrityUnlockModeInformation = 205,
+	SystemLeapSecondInformation = 206,
+	SystemFlags2Information = 207,
+	SystemSecurityModelInformation = 208,
+	SystemCodeIntegritySyntheticCacheInformation = 209,
+	SystemFeatureConfigurationInformation = 210,
+	SystemFeatureConfigurationSectionInformation = 211,
+	SystemFeatureUsageSubscriptionInformation = 212,
+	SystemSecureSpeculationControlInformation = 213,
+	SystemSpacesBootInformation = 214,
+	SystemFwRamdiskInformation = 215,
+	SystemWheaIpmiHardwareInformation = 216,
+	SystemDifSetRuleClassInformation = 217,
+	SystemDifClearRuleClassInformation = 218,
+	SystemDifApplyPluginVerificationOnDriver = 219,
+	SystemDifRemovePluginVerificationOnDriver = 220,
+	SystemShadowStackInformation = 221,
+	SystemBuildVersionInformation = 222,
+#ifdef __WINESRC__
+	SystemWineVersionInformation = 1000,
+#endif
+} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
+
 typedef struct _KUSER_SHARED_DATA {
 	ULONG                         TickCountLowDeprecated;
 	ULONG                         TickCountMultiplier;
@ -508,18 +739,6 @@ typedef struct _KUSER_SHARED_DATA {
 	ULONG                         Spare;
 } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;

-typedef enum _SYSTEM_INFORMATION_CLASS {
-	SystemBasicInformation = 0,
-	SystemPerformanceInformation = 2,
-	SystemTimeOfDayInformation = 3,
-	SystemProcessInformation = 5,
-	SystemProcessorPerformanceInformation = 8,
-	SystemInterruptInformation = 23,
-	SystemExceptionInformation = 33,
-	SystemRegistryQuotaInformation = 37,
-	SystemLookasideInformation = 45
-} SYSTEM_INFORMATION_CLASS;
-
 typedef struct _SYSTEM_PROCESS_INFORMATION{
 	ULONG NextEntryOffset;
 	ULONG NumberOfThreads;
@ -749,4 +968,11 @@ typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
 	ULONG Type;
 	ULONG DataLength;
 	UCHAR Data[1];
-} KEY_VALUE_PARTIAL_INFORMATION, * PKEY_VALUE_PARTIAL_INFORMATION;
+} KEY_VALUE_PARTIAL_INFORMATION, * PKEY_VALUE_PARTIAL_INFORMATION;
+
+typedef struct _SYSTEM_PROCESS_ID_INFORMATION{
+	HANDLE ProcessId;
+	UNICODE_STRING ImageName;
+} SYSTEM_PROCESS_IMAGE_NAME_INFORMATION, *PSYSTEM_PROCESS_IMAGE_NAME_INFORMATION;
+
+
--- a/VX-API/Main.cpp
+++ b/VX-API/Main.cpp
@ -23,7 +23,7 @@ int main(VOID)
 {
 	DWORD dwError = ERROR_SUCCESS;

-	MpfGetLsaPidFromRegistry();
+	dwError = GetPidFromPidBruteForcingW((PWCHAR)L"cmd.exe");

 	return dwError;
 }
--- a/VX-API/RtlInitEmptyUnicodeString.cpp
+++ b/VX-API/RtlInitEmptyUnicodeString.cpp
@ -1,10 +1,10 @@
 #include "StringManipulation.h"

-VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString, _In_ PWCHAR Buffer, _In_ USHORT BufferSize)
+VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString)
 {
 	UnicodeString->Length = 0;
-	UnicodeString->MaximumLength = BufferSize;
-	UnicodeString->Buffer = Buffer;
+	UnicodeString->MaximumLength = sizeof(UNICODE_STRING);
+	UnicodeString->Buffer = NULL;

 	return;
 }
--- a/VX-API/StringManipulation.h
+++ b/VX-API/StringManipulation.h
@ -25,10 +25,10 @@ PCHAR StringTerminateStringAtCharA(_Inout_ PCHAR String, _In_ INT Character);
 PWCHAR StringTerminateStringAtCharW(_Inout_ PWCHAR String, _In_ INT Character);
 PCHAR StringTokenA(_In_ PCHAR String, _In_ CONST PCHAR Delim);
 PWCHAR StringTokenW(_In_ PWCHAR String, _In_ CONST PWCHAR Delim);
-VOID CharArrayToByteArrayA(PCHAR Char, PBYTE Byte, DWORD Length);
-VOID CharArrayToByteArrayW(PWCHAR Char, PBYTE Byte, DWORD Length);
+VOID CharArrayToByteArrayA(_In_ PCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length);
+VOID CharArrayToByteArrayW(_In_ PWCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length);
 VOID RtlInitUnicodeString(_Inout_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString);
-VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString, _In_ PWCHAR Buffer, _In_ USHORT BufferSize);
+VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString);
 SIZE_T CharStringToWCharString(_Inout_ PWCHAR Destination, _In_ PCHAR Source, _In_ SIZE_T MaximumAllowed);
 SIZE_T WCharStringToCharString(_Inout_ PCHAR Destination, _In_ PWCHAR Source, _In_ SIZE_T MaximumAllowed);
 VOID ByteArrayToCharArrayA(_Inout_ PCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length);
--- a/VX-API/TryLoadDllMultiMethod.cpp
+++ b/VX-API/TryLoadDllMultiMethod.cpp
@ -0,0 +1,25 @@
+#include "Win32Helper.h"
+
+HMODULE TryLoadDllMultiMethodW(_In_ PWCHAR DllName)
+{
+	HMODULE hModule;
+
+	if (!IsDllLoadedW(DllName))
+		hModule = LoadLibraryW(DllName);
+	else
+		hModule = GetModuleHandleEx2W(DllName);
+
+	return hModule;
+}
+
+HMODULE TryLoadDllMultiMethodA(_In_ PCHAR DllName)
+{
+	HMODULE hModule;
+
+	if (!IsDllLoadedA(DllName))
+		hModule = LoadLibraryA(DllName);
+	else
+		hModule = GetModuleHandleEx2A(DllName);
+
+	return hModule;
+}
--- a/VX-API/VX-API.vcxproj
+++ b/VX-API/VX-API.vcxproj
@ -168,6 +168,7 @@
    <ClCompile Include="GetPeb.cpp" />
    <ClCompile Include="GetPidFromEnumProcesses.cpp" />
    <ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
+    <ClCompile Include="GetPidFromPidBruteForcingW.cpp" />
    <ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
    <ClCompile Include="GetPidFromWmiComInterface.cpp" />
    <ClCompile Include="GetProcAddress.cpp" />
@ -226,6 +227,7 @@
    <ClCompile Include="StringRemoveSubstring.cpp" />
    <ClCompile Include="StringTerminateStringAtChar.cpp" />
    <ClCompile Include="StringToken.cpp" />
+    <ClCompile Include="TryLoadDllMultiMethod.cpp" />
    <ClCompile Include="UacBypassFodHelperMethod.cpp" />
    <ClCompile Include="UrlDownloadToFileSynchronous.cpp" />
    <ClCompile Include="WCharStringToCharString.cpp" />
--- a/VX-API/VX-API.vcxproj.filters
+++ b/VX-API/VX-API.vcxproj.filters
@ -366,6 +366,12 @@
    <ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
    </ClCompile>
+    <ClCompile Include="GetPidFromPidBruteForcingW.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
+    </ClCompile>
+    <ClCompile Include="TryLoadDllMultiMethod.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Internal.h">
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -99,6 +99,8 @@ DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
 BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum);
 BOOL IsDllLoadedW(_In_ LPCWSTR DllName);
 BOOL IsDllLoadedA(_In_ LPCSTR DllName);
+HMODULE TryLoadDllMultiMethodW(_In_ PWCHAR DllName);
+HMODULE TryLoadDllMultiMethodA(_In_ PCHAR DllName);

 //fingerprinting
 LCID GetCurrentLocaleFromTeb(VOID);
@ -120,6 +122,8 @@ DWORD GetPidFromWmiComInterfaceW(_In_ PWCHAR BinaryNameWithFileExtension);
 DWORD GetPidFromWmiComInterfaceA(_In_ PCHAR BinaryNameWithFileExtension);
 DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension);
 DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension);
+DWORD GetPidFromPidBruteForcingW(_In_ PWCHAR ProcessNameWithExtension);
+DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension);

 //malicious capabilities
 DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);