new pid getter method

enum processes via k32enumprocesses. fixed api forward previously used that wrapper to a define statement. readme update to reflect latest changes
2022-10-21 00:12:21 -05:00 · 2022-10-21 00:12:21 -05:00 · 36655dd995
parent 873caf4511
commit 36655dd995
4 changed files with 108 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -82,6 +82,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | GetPidFromNtQuerySystemInformation | smelly__vx | Fingerprinting |
 | GetPidFromWindowsTerminalService | modexp | Fingerprinting |
 | GetPidFromWmiComInterface | aalimian and modexp | Fingerprinting |
+| GetPidFromEnumProcesses | smelly__vx | Fingerprinting |
 | CreateLocalAppDataObjectPath | smelly__vx | Helper Functions |
 | CreateWindowsObjectPath | smelly__vx | Helper Functions |
 | DeleteFileWithCreateFileFlag | smelly__vx | Helper Functions |
--- a/VX-API/GetPidFromEnumProcesses.cpp
+++ b/VX-API/GetPidFromEnumProcesses.cpp
@ -0,0 +1,91 @@
+#include "Win32Helper.h"
+
+#include <psapi.h>
+
+DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension)
+{
+	HANDLE hProcess = NULL;
+
+	DWORD ProcessIdArray[1024] = { 0 };
+	DWORD ProcessIdArraySize = 0;
+	DWORD NumberOfBytesReturned = 0;
+
+	if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
+		return FALSE;
+
+	ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
+
+	for (DWORD dwIndex = 0; dwIndex < ProcessIdArraySize; dwIndex++)
+	{
+		HMODULE Module = NULL;
+		DWORD dwProcessId = ERROR_SUCCESS;
+		WCHAR ProcessStringName[MAX_PATH * sizeof(WCHAR)] = {0};
+
+		if (ProcessIdArray[dwIndex] == 0)
+			continue;
+
+		hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessIdArray[dwIndex]);
+		if (hProcess == NULL)
+			continue;
+
+		if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
+			continue;
+
+		if (K32GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
+			continue;
+
+		if (StringCompareW(ProcessNameWithExtension, ProcessStringName) == 0)
+			dwProcessId = GetProcessId(hProcess);
+
+		CloseHandle(hProcess);
+
+		if (dwProcessId != 0)
+			return dwProcessId;
+	}
+
+	return 0;
+}
+
+DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension)
+{
+	HANDLE hProcess = NULL;
+
+	DWORD ProcessIdArray[1024] = { 0 };
+	DWORD ProcessIdArraySize = 0;
+	DWORD NumberOfBytesReturned = 0;
+
+	if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
+		return FALSE;
+
+	ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
+
+	for (DWORD dwIndex = 0; dwIndex < ProcessIdArraySize; dwIndex++)
+	{
+		HMODULE Module = NULL;
+		DWORD dwProcessId = ERROR_SUCCESS;
+		CHAR ProcessStringName[MAX_PATH] = { 0 };
+
+		if (ProcessIdArray[dwIndex] == 0)
+			continue;
+
+		hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessIdArray[dwIndex]);
+		if (hProcess == NULL)
+			continue;
+
+		if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
+			continue;
+
+		if (K32GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(CHAR)) == 0)
+			continue;
+
+		if (StringCompareA(ProcessNameWithExtension, ProcessStringName) == 0)
+			dwProcessId = GetProcessId(hProcess);
+
+		CloseHandle(hProcess);
+
+		if (dwProcessId != 0)
+			return dwProcessId;
+	}
+
+	return 0;
+}
--- a/VX-API/IsProcessRunning.cpp
+++ b/VX-API/IsProcessRunning.cpp
@ -2,7 +2,7 @@

 #include <psapi.h>

-BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
+BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
 {
 	HANDLE hProcess = NULL;

@ -10,7 +10,7 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSens
 	DWORD ProcessIdArraySize = 0;
 	DWORD NumberOfBytesReturned = 0;

-	if (!EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
+	if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
 		return FALSE;

 	ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
@ -27,33 +27,23 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSens
 		if (hProcess == NULL)
 			continue;

-		if (!EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
+		if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
 			continue;

-		if (GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
+		if (K32GetModuleBaseNameA(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
 			continue;

 		if (hProcess)
 			CloseHandle(hProcess);
-
-		if (!IsCaseSensitive)
-		{
-			PCHAR String1 = CaplockStringA(ProcessNameWithExtension);
-			PCHAR String2 = CaplockStringA(ProcessStringName);
-
-			if (StringCompareA(String1, String2) == 0)
+		
+		if (StringCompareA(ProcessNameWithExtension, ProcessStringName) == 0)
 				return TRUE;
-		}
-		else {
-			if (StringCompareA(ProcessStringName, ProcessNameWithExtension) == 0)
-				return TRUE;
-		}
 	}

 	return FALSE;
 }

-BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
+BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension)
 {
 	HANDLE hProcess = NULL;

@ -61,7 +51,7 @@ BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSen
 	DWORD ProcessIdArraySize = 0;
 	DWORD NumberOfBytesReturned = 0;

-	if (!EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
+	if (!K32EnumProcesses(ProcessIdArray, sizeof(ProcessIdArray), &NumberOfBytesReturned))
 		return FALSE;

 	ProcessIdArraySize = NumberOfBytesReturned / sizeof(DWORD);
@ -78,27 +68,17 @@ BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSen
 		if (hProcess == NULL)
 			continue;

-		if (!EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
+		if (!K32EnumProcessModules(hProcess, &Module, sizeof(Module), &NumberOfBytesReturned))
 			continue;

-		if (GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
+		if (K32GetModuleBaseNameW(hProcess, Module, ProcessStringName, sizeof(ProcessStringName) / sizeof(WCHAR)) == 0)
 			continue;

 		if (hProcess)
 			CloseHandle(hProcess);

-		if (!IsCaseSensitive)
-		{
-			PWCHAR String1 = CaplockStringW(ProcessNameWithExtension);
-			PWCHAR String2 = CaplockStringW(ProcessStringName);
-
-			if (StringCompareW(String1, String2) == 0)
-				return TRUE;
-		}
-		else {
-			if (StringCompareW(ProcessStringName, ProcessNameWithExtension) == 0)
-				return TRUE;
-		}
+		if (StringCompareW(ProcessStringName, ProcessNameWithExtension) == 0)
+			return TRUE;
 	}

 	return FALSE;
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -104,8 +104,8 @@ LCID GetCurrentLocaleFromTeb(VOID);
 DWORD GetNumberOfLinkedDlls(VOID);
 BOOL IsNvidiaGraphicsCardPresentA(VOID);
 BOOL IsNvidiaGraphicsCardPresentW(VOID);
-BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
-BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
+BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension);
+BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension);
 BOOL IsProcessRunningAsAdmin(VOID);
 ULONG GetOsMajorVersionFromPeb(VOID);
 ULONG GetOsMinorVersionFromPeb(VOID);
@ -116,6 +116,8 @@ DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension
 DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension);
 DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension);
 DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension);
+DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension);
+DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension);

 //malicious capabilities
 DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);