new pid getter method
enumerate processes via K32EnumProcesses. fixed api forward: the previously used wrapper resolved to a define statement. readme update to reflect latest changes
This commit is contained in:
parent
873caf4511
commit
36655dd995
|
@ -82,6 +82,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| GetPidFromNtQuerySystemInformation | smelly__vx | Fingerprinting |
|
||||
| GetPidFromWindowsTerminalService | modexp | Fingerprinting |
|
||||
| GetPidFromWmiComInterface | aalimian and modexp | Fingerprinting |
|
||||
| GetPidFromEnumProcesses | smelly__vx | Fingerprinting |
|
||||
| CreateLocalAppDataObjectPath | smelly__vx | Helper Functions |
|
||||
| CreateWindowsObjectPath | smelly__vx | Helper Functions |
|
||||
| DeleteFileWithCreateFileFlag | smelly__vx | Helper Functions |
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include <psapi.h>
|
||||
|
||||
DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
DWORD ProcessIdArray[1024] = { 0 };
|
||||
DWORD ProcessIdArraySize = 0;
|
||||
DWORD NumberOfBytesReturned = 0;
|
||||
|
||||
if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
return FALSE;
|
||||
|
||||
ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
|
||||
|
||||
for (DWORD dwIndex = 0; dwIndex < ProcessIdArraySize; dwIndex++)
|
||||
{
|
||||
HMODULE Module = NULL;
|
||||
DWORD dwProcessId = ERROR_SUCCESS;
|
||||
WCHAR ProcessStringName[MAX_PATH * sizeof(WCHAR)] = {0};
|
||||
|
||||
if (ProcessIdArray[dwIndex] == 0)
|
||||
continue;
|
||||
|
||||
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessIdArray[dwIndex]);
|
||||
if (hProcess == NULL)
|
||||
continue;
|
||||
|
||||
if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
continue;
|
||||
|
||||
if (K32GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
|
||||
continue;
|
||||
|
||||
if (StringCompareW(ProcessNameWithExtension, ProcessStringName) == 0)
|
||||
dwProcessId = GetProcessId(hProcess);
|
||||
|
||||
CloseHandle(hProcess);
|
||||
|
||||
if (dwProcessId != 0)
|
||||
return dwProcessId;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
DWORD ProcessIdArray[1024] = { 0 };
|
||||
DWORD ProcessIdArraySize = 0;
|
||||
DWORD NumberOfBytesReturned = 0;
|
||||
|
||||
if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
return FALSE;
|
||||
|
||||
ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
|
||||
|
||||
for (DWORD dwIndex = 0; dwIndex < ProcessIdArraySize; dwIndex++)
|
||||
{
|
||||
HMODULE Module = NULL;
|
||||
DWORD dwProcessId = ERROR_SUCCESS;
|
||||
CHAR ProcessStringName[MAX_PATH] = { 0 };
|
||||
|
||||
if (ProcessIdArray[dwIndex] == 0)
|
||||
continue;
|
||||
|
||||
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessIdArray[dwIndex]);
|
||||
if (hProcess == NULL)
|
||||
continue;
|
||||
|
||||
if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
continue;
|
||||
|
||||
if (K32GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(CHAR)) == 0)
|
||||
continue;
|
||||
|
||||
if (StringCompareA(ProcessNameWithExtension, ProcessStringName) == 0)
|
||||
dwProcessId = GetProcessId(hProcess);
|
||||
|
||||
CloseHandle(hProcess);
|
||||
|
||||
if (dwProcessId != 0)
|
||||
return dwProcessId;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
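Review bot: The two `continue` statements after `K32EnumProcessModules` and `K32GetModuleBaseNameW` (and their A counterparts) skip `CloseHandle(hProcess)`, so every process whose modules cannot be read leaks a handle for the caller's lifetime, and on a host with many protected or cross-bitness processes that is dozens of leaked handles per call. Fold the three checks into one condition so there is a single exit that always closes the handle, as sketched below for the W variant. Two smaller points: `return FALSE;` in a DWORD-returning function should be `return 0;` to match the sibling PID getters, and the fixed 1024-entry array silently truncates the process list when `NumberOfBytesReturned == sizeof(ProcessIdArray)`, so either check for that and fail or grow the buffer. A header comment is also missing: the match is exact (StringCompareW presumably does not fold case; its definition is not in this commit), and processes the caller cannot open with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` are skipped, so a return of 0 means "not found among readable processes", not "not running".
```c
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessIdArray[dwIndex]);
if (hProcess == NULL)
    continue;

/* single exit below: every path from here releases hProcess */
if (K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned) &&
    K32GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) != 0 &&
    StringCompareW(ProcessNameWithExtension, ProcessStringName) == 0)
{
    dwProcessId = GetProcessId(hProcess);
}

CloseHandle(hProcess);
/* … unchanged: return dwProcessId when nonzero, else next iteration … */
```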
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
#include <psapi.h>
|
||||
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
@ -10,7 +10,7 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSens
|
|||
DWORD ProcessIdArraySize = 0;
|
||||
DWORD NumberOfBytesReturned = 0;
|
||||
|
||||
if (!EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
return FALSE;
|
||||
|
||||
ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
|
||||
|
@ -27,33 +27,23 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSens
|
|||
if (hProcess == NULL)
|
||||
continue;
|
||||
|
||||
if (!EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
continue;
|
||||
|
||||
if (GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
|
||||
if (K32GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
|
||||
continue;
|
||||
|
||||
if (hProcess)
|
||||
CloseHandle(hProcess);
|
||||
|
||||
if (!IsCaseSensitive)
|
||||
{
|
||||
PCHAR String1 = CaplockStringA(ProcessNameWithExtension);
|
||||
PCHAR String2 = CaplockStringA(ProcessStringName);
|
||||
|
||||
if (StringCompareA(String1, String2) == 0)
|
||||
|
||||
if (StringCompareA(ProcessNameWithExtension, ProcessStringName) == 0)
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
if (StringCompareA(ProcessStringName, ProcessNameWithExtension) == 0)
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
@ -61,7 +51,7 @@ BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSen
|
|||
DWORD ProcessIdArraySize = 0;
|
||||
DWORD NumberOfBytesReturned = 0;
|
||||
|
||||
if (!EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
|
||||
return FALSE;
|
||||
|
||||
ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
|
||||
|
@ -78,27 +68,17 @@ BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSen
|
|||
if (hProcess == NULL)
|
||||
continue;
|
||||
|
||||
if (!EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
|
||||
continue;
|
||||
|
||||
if (GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
|
||||
if (K32GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
|
||||
continue;
|
||||
|
||||
if (hProcess)
|
||||
CloseHandle(hProcess);
|
||||
|
||||
if (!IsCaseSensitive)
|
||||
{
|
||||
PWCHAR String1 = CaplockStringW(ProcessNameWithExtension);
|
||||
PWCHAR String2 = CaplockStringW(ProcessStringName);
|
||||
|
||||
if (StringCompareW(String1, String2) == 0)
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
if (StringCompareW(ProcessStringName, ProcessNameWithExtension) == 0)
|
||||
return TRUE;
|
||||
}
|
||||
if (StringCompareW(ProcessStringName, ProcessNameWithExtension) == 0)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
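Review bot: `K32GetModuleBaseNameA` in the A variant is still called with `sizeof(ProcessStringName) / sizeof(WCHAR)`; if `ProcessStringName` is a CHAR array there, as it is in the A variant of the new GetPidFromEnumProcesses, that passes half the real capacity and truncates base names longer than MAX_PATH/2, so the divisor should be `sizeof(CHAR)` (or simply `sizeof(ProcessStringName)`). Both variants also `continue` past `CloseHandle` when `K32EnumProcessModules` or `K32GetModuleBaseName` fails, leaking one handle per unreadable process; moving `CloseHandle(hProcess);` ahead of those two `continue`s, or folding the checks into one condition with a single close, fixes that. The `if (hProcess)` guard before `CloseHandle` is redundant because the NULL case already hit `continue`. Both enclosing functions start before the hunks shown, so the buffer declarations are not visible here and the CHAR assumption should be confirmed.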
|
||||
|
|
|
@ -104,8 +104,8 @@ LCID GetCurrentLocaleFromTeb(VOID);
|
|||
DWORD GetNumberOfLinkedDlls(VOID);
|
||||
BOOL IsNvidiaGraphicsCardPresentA(VOID);
|
||||
BOOL IsNvidiaGraphicsCardPresentW(VOID);
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningAsAdmin(VOID);
|
||||
ULONG GetOsMajorVersionFromPeb(VOID);
|
||||
ULONG GetOsMinorVersionFromPeb(VOID);
|
||||
|
@ -116,6 +116,8 @@ DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension
|
|||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension);
|
||||
DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension);
|
||||
|
||||
//malicious capabilities
|
||||
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);
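Review bot: The new `GetPidFromEnumProcessesW/A` prototypes and the narrowed `IsProcessRunningW/A` signatures carry no comment on their return or matching semantics, which is exactly what a caller of this header needs now that the case-sensitivity flag is gone. I would add above the getters: `// Returns the PID of the first process whose main-module base name equals ProcessNameWithExtension (exact compare), or 0 if none matched or none could be opened for query.` and above `IsProcessRunningW/A`: `// Exact match of the base name; processes the caller cannot open are treated as not running.` Whether the compare folds case depends on StringCompareW/A, whose definition is not in this commit, so confirm before settling the wording.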
|
||||
|
|