parent
36655dd995
commit
5226cc3ab5
|
@ -120,6 +120,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfComVssDeleteShadowVolumeBackups | am0nsec | Malicious Capability |
|
||||
| OleGetClipboardData | Microsoft | Malicious Capability |
|
||||
| UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
|
||||
| MpfGetLsaPidFromRegistry | modexp | Malicious Capability |
|
||||
|
||||
# Todo list
|
||||
| Functionality | Author | Note |
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
BOOL AdfOpenProcessOnCsrss(VOID)
|
||||
{
|
||||
typedef DWORD(WINAPI* CSRGETPROCESSID)(VOID);
|
||||
HMODULE hNtdll = NULL;
|
||||
CSRGETPROCESSID CsrGetProcessId = NULL;
|
||||
HANDLE hCsrHandle = NULL;
|
||||
|
|
|
@ -2,20 +2,10 @@
|
|||
|
||||
BOOL CheckRemoteDebuggerPresent2(_In_ HANDLE hHandle, _Inout_ PBOOL pbDebuggerPresent)
|
||||
{
|
||||
typedef enum _PROCESSINFOCLASS
|
||||
{
|
||||
ProcessBasicInformation = 0,
|
||||
ProcessDebugPort = 7,
|
||||
ProcessWow64Information = 26,
|
||||
ProcessImageFileName = 27,
|
||||
ProcessBreakOnTermination = 29
|
||||
} PROCESSINFOCLASS;
|
||||
|
||||
typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
||||
*pbDebuggerPresent = FALSE;
|
||||
NTQUERYINFORMATIONPROCESS NtQueryInformationProcess = NULL;
|
||||
NTSTATUS Status = 0;
|
||||
DWORD dwProcessDebugPort = 0, dwReturnValue = 0;
|
||||
*pbDebuggerPresent = FALSE;
|
||||
|
||||
if (hHandle == NULL)
|
||||
return FALSE;
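Review bot: `*pbDebuggerPresent = FALSE;` writes through the `_Inout_` pointer before the `hHandle == NULL` guard and without any check that `pbDebuggerPresent` itself is non-NULL, so a caller passing NULL for the out-parameter crashes instead of getting FALSE back; this holds whichever of the two positions of the assignment is the new side, since both precede the guard. Guard both pointers first, `if (hHandle == NULL || pbDebuggerPresent == NULL) return FALSE;`, and only then clear the out-parameter. The remainder of CheckRemoteDebuggerPresent2 is outside the hunk.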
|
||||
|
|
|
@ -2,26 +2,7 @@
|
|||
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(_In_ PWCHAR NewFileName, _In_ PWCHAR FileToClone)
|
||||
{
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
INT ScopeType;
|
||||
PWCHAR ScopeValue;
|
||||
}DATA_SHARE_SCOPE_ENTRY, * PDATA_SHARE_SCOPE_ENTRY;
|
||||
|
||||
typedef struct __DATA_SHARE_SCOPE {
|
||||
INT ScopeCount;
|
||||
DATA_SHARE_SCOPE_ENTRY Entries[20];
|
||||
}DATA_SHARE_SCOPE, * PDATA_SHARE_SCOPE;
|
||||
|
||||
typedef struct __DATA_SHARE_CTRL {
|
||||
INT SharePermission;
|
||||
INT ShareMode;
|
||||
DATA_SHARE_SCOPE Scope;
|
||||
}DATA_SHARE_CTRL, * PDATA_SHARE_CTRL;
|
||||
|
||||
typedef HRESULT(WINAPI* DSCREATESHAREDFILETOKEN)(LPCWSTR, PDATA_SHARE_CTRL, INT, INT, WCHAR**);
|
||||
typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
||||
|
||||
DATA_SHARE_CTRL Share; ZeroMemoryEx(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
DATA_SHARE_CTRL Share = { 0 };
|
||||
LPWSTR SidString = NULL;
|
||||
DSCREATESHAREDFILETOKEN DsCreateSharedFileToken = NULL;
|
||||
DSCOPYFROMSHAREDFILE DsCopyFromSharedFile = NULL;
|
||||
|
@ -77,26 +58,7 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(_In_ PCHAR NewFileName, _In_ PCHAR FileToClone)
|
||||
{
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
INT ScopeType;
|
||||
PWCHAR ScopeValue;
|
||||
}DATA_SHARE_SCOPE_ENTRY, * PDATA_SHARE_SCOPE_ENTRY;
|
||||
|
||||
typedef struct __DATA_SHARE_SCOPE {
|
||||
INT ScopeCount;
|
||||
DATA_SHARE_SCOPE_ENTRY Entries[20];
|
||||
}DATA_SHARE_SCOPE, * PDATA_SHARE_SCOPE;
|
||||
|
||||
typedef struct __DATA_SHARE_CTRL {
|
||||
INT SharePermission;
|
||||
INT ShareMode;
|
||||
DATA_SHARE_SCOPE Scope;
|
||||
}DATA_SHARE_CTRL, * PDATA_SHARE_CTRL;
|
||||
|
||||
typedef HRESULT(WINAPI* DSCREATESHAREDFILETOKEN)(LPCWSTR, PDATA_SHARE_CTRL, INT, INT, WCHAR**);
|
||||
typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
||||
|
||||
DATA_SHARE_CTRL Share; ZeroMemoryEx(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
DATA_SHARE_CTRL Share = { 0 };
|
||||
LPWSTR SidString = NULL;
|
||||
DSCREATESHAREDFILETOKEN DsCreateSharedFileToken = NULL;
|
||||
DSCOPYFROMSHAREDFILE DsCopyFromSharedFile = NULL;
|
||||
|
|
|
@ -4,7 +4,6 @@ const static GUID IClassFactorClsid = { 0x13709620, 0xc279, 0x11ce, { 0xa4, 0x9e
|
|||
|
||||
DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath)
|
||||
{
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
HRESULT Result = S_OK;
|
||||
HMODULE hModule = NULL;
|
||||
DLLGETCLASSOBJECT DllGetClassObject = NULL;
|
||||
|
@ -74,7 +73,6 @@ EXIT_ROUTINE:
|
|||
|
||||
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath)
|
||||
{
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
HRESULT Result = S_OK;
|
||||
HMODULE hModule = NULL;
|
||||
DLLGETCLASSOBJECT DllGetClassObject = NULL;
|
||||
|
|
|
@ -47,7 +47,6 @@ EXIT_ROUTINE:
|
|||
|
||||
HRESULT UnusedSubroutineGetShellViewForDesktop(REFIID Riid, PVOID* ShellView)
|
||||
{
|
||||
typedef HRESULT(WINAPI* IUNKNOWN_QUERYSERVICE)(IUnknown*, REFGUID, REFIID, PVOID*);
|
||||
IUNKNOWN_QUERYSERVICE QueryServiceUsingIUnknown = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
HRESULT Result = S_OK;
|
||||
|
|
|
@ -1,168 +1,12 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
|
||||
#define PS_ATTRIBUTE_THREAD 0x00010000
|
||||
#define PS_ATTRIBUTE_INPUT 0x00020000
|
||||
#define PS_ATTRIBUTE_ADDITIVE 0x00040000
|
||||
|
||||
typedef enum _PS_ATTRIBUTE_NUM
|
||||
{
|
||||
PsAttributeParentProcess,
|
||||
PsAttributeDebugPort,
|
||||
PsAttributeToken,
|
||||
PsAttributeClientId,
|
||||
PsAttributeTebAddress,
|
||||
PsAttributeImageName,
|
||||
PsAttributeImageInfo,
|
||||
PsAttributeMemoryReserve,
|
||||
PsAttributePriorityClass,
|
||||
PsAttributeErrorMode,
|
||||
PsAttributeStdHandleInfo,
|
||||
PsAttributeHandleList,
|
||||
PsAttributeGroupAffinity,
|
||||
PsAttributePreferredNode,
|
||||
PsAttributeIdealProcessor,
|
||||
PsAttributeUmsThread,
|
||||
PsAttributeMitigationOptions,
|
||||
PsAttributeProtectionLevel,
|
||||
PsAttributeSecureProcess,
|
||||
PsAttributeJobList,
|
||||
PsAttributeChildProcessPolicy,
|
||||
PsAttributeAllApplicationPackagesPolicy,
|
||||
PsAttributeWin32kFilter,
|
||||
PsAttributeSafeOpenPromptOriginClaim,
|
||||
PsAttributeBnoIsolation,
|
||||
PsAttributeDesktopAppPolicy,
|
||||
PsAttributeMax
|
||||
} PS_ATTRIBUTE_NUM;
|
||||
|
||||
#define PsAttributeValue(Number, Thread, Input, Additive) \
|
||||
(((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
|
||||
((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
|
||||
((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
|
||||
((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0))
|
||||
|
||||
#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
|
||||
#define PS_ATTRIBUTE_IMAGE_NAME \
|
||||
PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
|
||||
|
||||
typedef struct _PS_ATTRIBUTE
|
||||
{
|
||||
ULONG_PTR Attribute;
|
||||
SIZE_T Size;
|
||||
union
|
||||
{
|
||||
ULONG_PTR Value;
|
||||
PVOID ValuePtr;
|
||||
};
|
||||
PSIZE_T ReturnLength;
|
||||
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
|
||||
|
||||
typedef struct _PS_ATTRIBUTE_LIST
|
||||
{
|
||||
SIZE_T TotalLength;
|
||||
PS_ATTRIBUTE Attributes[2];
|
||||
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
|
||||
|
||||
typedef enum _PS_CREATE_STATE
|
||||
{
|
||||
PsCreateInitialState,
|
||||
PsCreateFailOnFileOpen,
|
||||
PsCreateFailOnSectionCreate,
|
||||
PsCreateFailExeFormat,
|
||||
PsCreateFailMachineMismatch,
|
||||
PsCreateFailExeName,
|
||||
PsCreateSuccess,
|
||||
PsCreateMaximumStates
|
||||
} PS_CREATE_STATE;
|
||||
|
||||
typedef struct _PS_CREATE_INFO {
|
||||
SIZE_T Size;
|
||||
PS_CREATE_STATE State;
|
||||
union {
|
||||
struct {
|
||||
union {
|
||||
ULONG InitFlags;
|
||||
struct {
|
||||
UCHAR WriteOutputOnExit : 1;
|
||||
UCHAR DetectManifest : 1;
|
||||
UCHAR IFEOSkipDebugger : 1;
|
||||
UCHAR IFEODoNotPropagateKeyState : 1;
|
||||
UCHAR SpareBits1 : 4;
|
||||
UCHAR SpareBits2 : 8;
|
||||
USHORT ProhibitedImageCharacteristics : 16;
|
||||
} s1;
|
||||
} u1;
|
||||
ACCESS_MASK AdditionalFileAccess;
|
||||
} InitState;
|
||||
struct { HANDLE FileHandle; } FailSection;
|
||||
struct { USHORT DllCharacteristics; } ExeFormat;
|
||||
struct { HANDLE IFEOKey; } ExeName;
|
||||
struct {
|
||||
union {
|
||||
ULONG OutputFlags;
|
||||
struct {
|
||||
UCHAR ProtectedProcess : 1;
|
||||
UCHAR AddressSpaceOverride : 1;
|
||||
UCHAR DevOverrideEnabled : 1;
|
||||
UCHAR ManifestDetected : 1;
|
||||
UCHAR ProtectedProcessLight : 1;
|
||||
UCHAR SpareBits1 : 3;
|
||||
UCHAR SpareBits2 : 8;
|
||||
USHORT SpareBits3 : 16;
|
||||
} s2;
|
||||
} u2;
|
||||
HANDLE FileHandle;
|
||||
HANDLE SectionHandle;
|
||||
ULONGLONG UserProcessParametersNative;
|
||||
ULONG UserProcessParametersWow64;
|
||||
ULONG CurrentParameterFlags;
|
||||
ULONGLONG PebAddressNative;
|
||||
ULONG PebAddressWow64;
|
||||
ULONGLONG ManifestAddress;
|
||||
ULONG ManifestSize;
|
||||
} SuccessState;
|
||||
};
|
||||
} PS_CREATE_INFO, * PPS_CREATE_INFO;
|
||||
|
||||
|
||||
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR BinaryPath)
|
||||
{
|
||||
typedef NTSTATUS(NTAPI* NTCREATEUSERPROCESS)(
|
||||
PHANDLE,
|
||||
PHANDLE,
|
||||
ACCESS_MASK,
|
||||
ACCESS_MASK,
|
||||
POBJECT_ATTRIBUTES,
|
||||
POBJECT_ATTRIBUTES,
|
||||
ULONG,
|
||||
ULONG,
|
||||
PRTL_USER_PROCESS_PARAMETERS,
|
||||
PPS_CREATE_INFO,
|
||||
PPS_ATTRIBUTE_LIST
|
||||
);
|
||||
|
||||
typedef NTSTATUS(NTAPI* RTLCREATEPROCESSPARAMETERSEX)(
|
||||
PRTL_USER_PROCESS_PARAMETERS*,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PVOID,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
ULONG
|
||||
);
|
||||
|
||||
typedef NTSTATUS(NTAPI* RTLDESTROYPROCESSPARAMETERS)(PRTL_USER_PROCESS_PARAMETERS);
|
||||
|
||||
NTCREATEUSERPROCESS NtCreateUserProcess;
|
||||
RTLCREATEPROCESSPARAMETERSEX RtlCreateProcessParametersEx;
|
||||
RTLDESTROYPROCESSPARAMETERS RtlDestroyProcessParameters;
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
|
||||
UNICODE_STRING NtImagePath;
|
||||
UNICODE_STRING NtImagePath = {0};
|
||||
WCHAR MsDosFullPath[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
PS_CREATE_INFO CreateInfo = { 0 };
|
||||
HMODULE hModule;
|
||||
|
@ -223,41 +67,11 @@ DWORD CreateProcessViaNtCreateUserProcessA(PCHAR BinaryPath)
|
|||
|
||||
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR BinaryPath)
|
||||
{
|
||||
typedef NTSTATUS(NTAPI* NTCREATEUSERPROCESS)(
|
||||
PHANDLE,
|
||||
PHANDLE,
|
||||
ACCESS_MASK,
|
||||
ACCESS_MASK,
|
||||
POBJECT_ATTRIBUTES,
|
||||
POBJECT_ATTRIBUTES,
|
||||
ULONG,
|
||||
ULONG,
|
||||
PRTL_USER_PROCESS_PARAMETERS,
|
||||
PPS_CREATE_INFO,
|
||||
PPS_ATTRIBUTE_LIST
|
||||
);
|
||||
|
||||
typedef NTSTATUS(NTAPI* RTLCREATEPROCESSPARAMETERSEX)(
|
||||
PRTL_USER_PROCESS_PARAMETERS*,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PVOID,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
PUNICODE_STRING,
|
||||
ULONG
|
||||
);
|
||||
|
||||
typedef NTSTATUS(NTAPI* RTLDESTROYPROCESSPARAMETERS)(PRTL_USER_PROCESS_PARAMETERS);
|
||||
|
||||
NTCREATEUSERPROCESS NtCreateUserProcess;
|
||||
RTLCREATEPROCESSPARAMETERSEX RtlCreateProcessParametersEx;
|
||||
RTLDESTROYPROCESSPARAMETERS RtlDestroyProcessParameters;
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
|
||||
UNICODE_STRING NtImagePath;
|
||||
UNICODE_STRING NtImagePath = {0};
|
||||
WCHAR MsDosFullPath[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
PS_CREATE_INFO CreateInfo = { 0 };
|
||||
HMODULE hModule;
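Review bot: `UNICODE_STRING NtImagePath = {0};` now zero-initialises the string, but the neighbouring locals `NtCreateUserProcess`, `RtlCreateProcessParametersEx`, `RtlDestroyProcessParameters` and `hModule` are still declared without initialisers in both CreateProcessViaNtCreateUserProcessA and the W variant; if any exit path reads them before the resolution code assigns them (that code is outside the hunk), the read is undefined. Initialise them in the declaration, e.g. `NTCREATEUSERPROCESS NtCreateUserProcess = NULL;` and `HMODULE hModule = NULL;`, matching the style already used for `ProcessParameters`. Separately, `WCHAR MsDosFullPath[MAX_PATH * sizeof(WCHAR)]` gives an element count, not a byte count, so the array is twice the intended size; `WCHAR MsDosFullPath[MAX_PATH] = { 0 };` says what is meant. Both functions continue past the end of the hunk.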
|
||||
|
|
|
@ -1,20 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
typedef struct _PROC_THREAD_ATTRIBUTE {
|
||||
ULONG64 Attribute;
|
||||
ULONG64 Size;
|
||||
ULONG64 Value;
|
||||
}PROC_THREAD_ATTRIBUTE, * PPROC_THREAD_ATTRIBUTE;
|
||||
|
||||
typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
|
||||
ULONG PresentFlags;
|
||||
ULONG AttributeCount;
|
||||
ULONG LastAttribute;
|
||||
ULONG SpareUlong0;
|
||||
struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute;
|
||||
struct _PROC_THREAD_ATTRIBUTE Attributes[1];
|
||||
}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
|
||||
|
||||
BOOL UnusedSubroutineInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwAttributeCount, DWORD dwFlags, PSIZE_T lpSize)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
|
@ -74,7 +59,7 @@ BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path
|
|||
SIZE_T dwAttributeSize = 0;
|
||||
DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
|
||||
|
||||
STARTUPINFOEXW Si; ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXW));
|
||||
STARTUPINFOEXW Si = {0};// ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXW));
|
||||
Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
|
||||
ZeroMemoryEx(Pi, sizeof(PROCESS_INFORMATION));
|
||||
|
||||
|
@ -115,7 +100,7 @@ BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path)
|
|||
SIZE_T dwAttributeSize = 0;
|
||||
DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
|
||||
|
||||
STARTUPINFOEXA Si; ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXA));
|
||||
STARTUPINFOEXA Si = {0}; //ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXA));
|
||||
Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
|
||||
ZeroMemoryEx(Pi, sizeof(PROCESS_INFORMATION));
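Review bot: `STARTUPINFOEXW Si = {0};// ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXW));` leaves the replaced call behind as a trailing comment, and the A variant does the same; the aggregate initialiser makes the call redundant, so delete the comment rather than keeping dead code inline. While here, the A variant's next line sets `Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);` on a `STARTUPINFOEXA`; the two structures may well have the same size today, but the field should be `sizeof(STARTUPINFOEXA)` (or simply `sizeof(Si)`) so the value cannot drift from the object it describes. Both CreateProcessWithCfGuardW and CreateProcessWithCfGuardA extend beyond the hunk.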
|
||||
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
#pragma once
|
||||
#include "Internal.h"
|
||||
|
||||
/*******************************************
|
||||
NTDLL IMPORT
|
||||
*******************************************/
|
||||
typedef NTSTATUS(NTAPI* NTOPENKEY)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
|
||||
typedef NTSTATUS(NTAPI* NTQUERYVALUEKEY)(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG);
|
||||
typedef NTSTATUS(NTAPI* NTCLOSE)(HANDLE);
|
||||
typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
||||
typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
|
||||
typedef ULONG(NTAPI* RTLNTSTATUSTODOSERROR)(NTSTATUS);
|
||||
typedef NTSTATUS(NTAPI* NTCREATEUSERPROCESS)(PHANDLE,PHANDLE, ACCESS_MASK, ACCESS_MASK, POBJECT_ATTRIBUTES, POBJECT_ATTRIBUTES, ULONG, ULONG, PRTL_USER_PROCESS_PARAMETERS, PPS_CREATE_INFO, PPS_ATTRIBUTE_LIST);
|
||||
typedef NTSTATUS(NTAPI* RTLCREATEPROCESSPARAMETERSEX)(PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PVOID, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, ULONG);
|
||||
typedef NTSTATUS(NTAPI* RTLDESTROYPROCESSPARAMETERS)(PRTL_USER_PROCESS_PARAMETERS);
|
||||
typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
|
||||
typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
KERNEL32 IMPORT
|
||||
*******************************************/
|
||||
typedef DWORD(WINAPI* CSRGETPROCESSID)(VOID);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
MSI IMPORT
|
||||
*******************************************/
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHW)(LPCWSTR, DWORD, PMSIFILEHASHINFO);
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHA)(LPCSTR, DWORD, PMSIFILEHASHINFO);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
DSCLIENT IMPORT
|
||||
*******************************************/
|
||||
typedef HRESULT(WINAPI* DSCREATESHAREDFILETOKEN)(LPCWSTR, PDATA_SHARE_CTRL, INT, INT, WCHAR**);
|
||||
typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHLWAPI IMPORT
|
||||
*******************************************/
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEW)(LPCWSTR, LPCWSTR, LPCWSTR);
|
||||
typedef HRESULT(WINAPI* IUNKNOWN_QUERYSERVICE)(IUnknown*, REFGUID, REFIID, PVOID*);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
URLMON IMPORT
|
||||
*******************************************/
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILEA)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILEW)(LPUNKNOWN, LPCTSTR, LPCTSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHELL32 IMPORT
|
||||
*******************************************/
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
WTSAPI32 IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
ADVAPI32 IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
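Review bot: Two of the new typedefs do not match the exports they will be resolved to: `PATHCOMBINEA` is declared to return `LPWSTR` although PathCombineA returns an ANSI `LPSTR`, and `URLDOWNLOADFILEW` takes `LPCTSTR` parameters, which expand to `LPCSTR` in a non-UNICODE build even though the W export always takes wide strings. Change them to `typedef LPSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);` and `typedef HRESULT(WINAPI* URLDOWNLOADFILEW)(LPUNKNOWN, LPCWSTR, LPCWSTR, DWORD, LPBINDSTATUSCALLBACK);`. Because these are function-pointer typedefs filled in at run time, the compiler cannot check them against the real signature; a mismatch only shows up as wrong data at the call site.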
|
|
@ -12,7 +12,6 @@ DWORD GetTokenInformationBufferSize(HANDLE hToken)
|
|||
|
||||
LPWSTR GetCurrentUserSidW(VOID)
|
||||
{
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
|
||||
CONVERTSIDTOSTRINGSIDW ConvertSidToStringSidW;
|
||||
PSID Sid = NULL;
|
||||
PTOKEN_GROUPS TokenGroup = NULL;
|
||||
|
@ -91,7 +90,6 @@ EXIT_ROUTINE:
|
|||
|
||||
LPSTR GetCurrentUserSidA(VOID)
|
||||
{
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
|
||||
CONVERTSIDTOSTRINGSIDA ConvertSidToStringSidA;
|
||||
PSID Sid = NULL;
|
||||
PTOKEN_GROUPS TokenGroup = NULL;
|
||||
|
|
|
@ -1,9 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
|
||||
|
||||
DWORD UnusedSubroutineQueryBufferSize(NTQUERYSYSTEMINFORMATION NtQuerySystemInformation)
|
||||
{
|
||||
DWORD dwSize = ERROR_SUCCESS;
|
||||
|
|
|
@ -4,15 +4,6 @@
|
|||
|
||||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
|
@ -68,15 +59,6 @@ EXIT_ROUTINE:
|
|||
|
||||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
#pragma comment(lib, "wbemuuid.lib")
|
||||
|
||||
DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
DWORD GetPidFromWmiComInterfaceW(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
IWbemLocator* Locator = NULL;
|
||||
IWbemServices* Services = NULL;
|
||||
|
@ -13,7 +13,6 @@ DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension)
|
|||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
|
||||
Result = CoInitializeEx(NULL, COINIT_MULTITHREADED);
|
||||
if (!SUCCEEDED(Result))
|
||||
return 0;
|
||||
|
@ -86,6 +85,91 @@ EXIT_ROUTINE:
|
|||
CoUninitialize();
|
||||
|
||||
return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);
|
||||
}
|
||||
|
||||
//return ProcessId;
|
||||
DWORD GetPidFromWmiComInterfaceA(_In_ PCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
IWbemLocator* Locator = NULL;
|
||||
IWbemServices* Services = NULL;
|
||||
IEnumWbemClassObject* Enumerator = NULL;
|
||||
IWbemClassObject* Object = NULL;
|
||||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
WCHAR BinaryNameWchar[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(BinaryNameWchar, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
|
||||
return 0;
|
||||
|
||||
Result = CoInitializeEx(NULL, COINIT_MULTITHREADED);
|
||||
if (!SUCCEEDED(Result))
|
||||
return 0;
|
||||
|
||||
Result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoCreateInstance(CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&Locator);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Locator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL, &Services);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoSetProxyBlanket(Services, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Services->ExecQuery((BSTR)L"WQL", (BSTR)L"SELECT * FROM Win32_Process", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &Enumerator);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
while (Enumerator)
|
||||
{
|
||||
if (ProcessId != ERROR_SUCCESS)
|
||||
break;
|
||||
|
||||
ULONG uReturned = ERROR_SUCCESS;
|
||||
VARIANT ProcessData; VariantInit(&ProcessData);
|
||||
VARIANT VariantProcessId; VariantInit(&VariantProcessId);
|
||||
|
||||
Result = Enumerator->Next(WBEM_INFINITE, 1, &Object, &uReturned);
|
||||
if (!SUCCEEDED(Result))
|
||||
continue;
|
||||
|
||||
if (uReturned == 0)
|
||||
continue;
|
||||
|
||||
Result = Object->Get(L"Name", 0, &ProcessData, NULL, NULL);
|
||||
if (SUCCEEDED(Result))
|
||||
{
|
||||
if (StringCompareW(BinaryNameWchar, V_BSTR(&ProcessData)) == ERROR_SUCCESS)
|
||||
{
|
||||
Result = Object->Get(L"ProcessId", 0, &VariantProcessId, NULL, NULL);
|
||||
if (SUCCEEDED(Result))
|
||||
ProcessId = V_UI4(&VariantProcessId);
|
||||
}
|
||||
}
|
||||
|
||||
VariantClear(&ProcessData);
|
||||
VariantClear(&VariantProcessId);
|
||||
|
||||
if (Object)
|
||||
Object->Release();
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Enumerator)
|
||||
Enumerator->Release();
|
||||
|
||||
if (Services)
|
||||
Services->Release();
|
||||
|
||||
if (Locator)
|
||||
Locator->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);
|
||||
}
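Review bot: The `while (Enumerator)` loop in the new GetPidFromWmiComInterfaceA never terminates when no process matches: once the enumeration is exhausted `Enumerator->Next` returns a success code with `uReturned == 0`, and both that branch and the `!SUCCEEDED(Result)` branch `continue`, which re-enters the loop with `Enumerator` still non-NULL and `ProcessId` still `ERROR_SUCCESS`. Replace the two `continue;` statements with `break;` so an error or end-of-enumeration leaves the loop and reaches `EXIT_ROUTINE`. After such a break `Result` may hold a non-`S_OK` success code, so the final `return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);` should test `FAILED(Result)` instead. The renamed W variant appears to share this loop, but its body is outside this hunk.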
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL GetSystemWindowsDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
BOOL GetSystemWindowsDirectoryA(_In_ DWORD nBufferLength, _Inout_ PCHAR lpBuffer)
|
||||
{
|
||||
PKUSER_SHARED_DATA SharedData = GetKUserSharedData();
|
||||
|
||||
|
@ -13,7 +13,7 @@ BOOL GetSystemWindowsDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL GetSystemWindowsDirectoryW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
BOOL GetSystemWindowsDirectoryW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer)
|
||||
{
|
||||
PKUSER_SHARED_DATA SharedData = GetKUserSharedData();
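Review bot: `_Inout_ PCHAR lpBuffer` (and `_Inout_ PWCHAR lpBuffer` in the W variant) annotates a buffer that is both read and written, but the parameter is an output buffer whose capacity is `nBufferLength`; the accurate annotation is `_Out_writes_(nBufferLength) PCHAR lpBuffer`, which also lets static analysis check the bound against the length argument. If the functions really do read the incoming contents (their bodies are outside the hunk), keep `_Inout_` but say so in a comment above the declaration.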
|
||||
|
||||
|
|
|
@ -3,12 +3,6 @@
|
|||
//NOTE: PULONG must be pointed to an array of ULONG integers e.g. ULONG FileHash[4] = { 0 };
|
||||
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash)
|
||||
{
|
||||
typedef struct _MSIFILEHASHINFO {
|
||||
ULONG dwFileHashInfoSize;
|
||||
ULONG dwData[4];
|
||||
} MSIFILEHASHINFO, * PMSIFILEHASHINFO;
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHW)(LPCWSTR, DWORD, PMSIFILEHASHINFO);
|
||||
|
||||
MSIGETFILEHASHW MsiGetFileHashW = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
HMODULE hModule = NULL;
|
||||
|
@ -48,12 +42,6 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash)
|
||||
{
|
||||
typedef struct _MSIFILEHASHINFO {
|
||||
ULONG dwFileHashInfoSize;
|
||||
ULONG dwData[4];
|
||||
} MSIFILEHASHINFO, * PMSIFILEHASHINFO;
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHA)(LPCSTR, DWORD, PMSIFILEHASHINFO);
|
||||
|
||||
MSIGETFILEHASHA MsiGetFileHashA = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
HMODULE hModule = NULL;
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
#pragma once
|
||||
#include <Windows.h>
|
||||
|
||||
|
||||
|
||||
#define PROCESSOR_FEATURE_MAX 64
|
||||
|
||||
#define InitializeObjectAttributes(p, n, a, r, s) \
|
||||
|
@ -15,6 +13,16 @@
|
|||
(p)->SecurityQualityOfService = NULL; \
|
||||
}
|
||||
|
||||
#define OBJ_INHERIT 0x00000002
|
||||
#define OBJ_PERMANENT 0x00000010
|
||||
#define OBJ_EXCLUSIVE 0x00000020
|
||||
#define OBJ_CASE_INSENSITIVE 0x00000040
|
||||
#define OBJ_OPENIF 0x00000080
|
||||
#define OBJ_OPENLINK 0x00000100
|
||||
#define OBJ_KERNEL_HANDLE 0x00000200
|
||||
#define OBJ_FORCE_ACCESS_CHECK 0x00000400
|
||||
#define OBJ_VALID_ATTRIBUTES 0x000007f2
|
||||
|
||||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
|
@ -547,4 +555,198 @@ typedef struct _SYSTEM_PROCESS_INFORMATION{
|
|||
LARGE_INTEGER ReadTransferCount;
|
||||
LARGE_INTEGER WriteTransferCount;
|
||||
LARGE_INTEGER OtherTransferCount;
|
||||
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
|
||||
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
|
||||
|
||||
typedef enum _PROCESSINFOCLASS
|
||||
{
|
||||
ProcessBasicInformation = 0,
|
||||
ProcessDebugPort = 7,
|
||||
ProcessWow64Information = 26,
|
||||
ProcessImageFileName = 27,
|
||||
ProcessBreakOnTermination = 29
|
||||
} PROCESSINFOCLASS;
|
||||
|
||||
typedef struct _MSIFILEHASHINFO {
|
||||
ULONG dwFileHashInfoSize;
|
||||
ULONG dwData[4];
|
||||
} MSIFILEHASHINFO, * PMSIFILEHASHINFO;
|
||||
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
INT ScopeType;
|
||||
PWCHAR ScopeValue;
|
||||
}DATA_SHARE_SCOPE_ENTRY, * PDATA_SHARE_SCOPE_ENTRY;
|
||||
|
||||
typedef struct __DATA_SHARE_SCOPE {
|
||||
INT ScopeCount;
|
||||
DATA_SHARE_SCOPE_ENTRY Entries[20];
|
||||
}DATA_SHARE_SCOPE, * PDATA_SHARE_SCOPE;
|
||||
|
||||
typedef struct __DATA_SHARE_CTRL {
|
||||
INT SharePermission;
|
||||
INT ShareMode;
|
||||
DATA_SHARE_SCOPE Scope;
|
||||
}DATA_SHARE_CTRL, * PDATA_SHARE_CTRL;
|
||||
|
||||
#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
|
||||
#define PS_ATTRIBUTE_THREAD 0x00010000
|
||||
#define PS_ATTRIBUTE_INPUT 0x00020000
|
||||
#define PS_ATTRIBUTE_ADDITIVE 0x00040000
|
||||
|
||||
typedef enum _PS_ATTRIBUTE_NUM
|
||||
{
|
||||
PsAttributeParentProcess,
|
||||
PsAttributeDebugPort,
|
||||
PsAttributeToken,
|
||||
PsAttributeClientId,
|
||||
PsAttributeTebAddress,
|
||||
PsAttributeImageName,
|
||||
PsAttributeImageInfo,
|
||||
PsAttributeMemoryReserve,
|
||||
PsAttributePriorityClass,
|
||||
PsAttributeErrorMode,
|
||||
PsAttributeStdHandleInfo,
|
||||
PsAttributeHandleList,
|
||||
PsAttributeGroupAffinity,
|
||||
PsAttributePreferredNode,
|
||||
PsAttributeIdealProcessor,
|
||||
PsAttributeUmsThread,
|
||||
PsAttributeMitigationOptions,
|
||||
PsAttributeProtectionLevel,
|
||||
PsAttributeSecureProcess,
|
||||
PsAttributeJobList,
|
||||
PsAttributeChildProcessPolicy,
|
||||
PsAttributeAllApplicationPackagesPolicy,
|
||||
PsAttributeWin32kFilter,
|
||||
PsAttributeSafeOpenPromptOriginClaim,
|
||||
PsAttributeBnoIsolation,
|
||||
PsAttributeDesktopAppPolicy,
|
||||
PsAttributeMax
|
||||
} PS_ATTRIBUTE_NUM;
|
||||
|
||||
#define PsAttributeValue(Number, Thread, Input, Additive) \
|
||||
(((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
|
||||
((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
|
||||
((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
|
||||
((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0))
|
||||
|
||||
#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
|
||||
#define PS_ATTRIBUTE_IMAGE_NAME \
|
||||
PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
|
||||
|
||||
typedef struct _PS_ATTRIBUTE
|
||||
{
|
||||
ULONG_PTR Attribute;
|
||||
SIZE_T Size;
|
||||
union
|
||||
{
|
||||
ULONG_PTR Value;
|
||||
PVOID ValuePtr;
|
||||
};
|
||||
PSIZE_T ReturnLength;
|
||||
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
|
||||
|
||||
typedef struct _PS_ATTRIBUTE_LIST
|
||||
{
|
||||
SIZE_T TotalLength;
|
||||
PS_ATTRIBUTE Attributes[2];
|
||||
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
|
||||
|
||||
typedef enum _PS_CREATE_STATE
|
||||
{
|
||||
PsCreateInitialState,
|
||||
PsCreateFailOnFileOpen,
|
||||
PsCreateFailOnSectionCreate,
|
||||
PsCreateFailExeFormat,
|
||||
PsCreateFailMachineMismatch,
|
||||
PsCreateFailExeName,
|
||||
PsCreateSuccess,
|
||||
PsCreateMaximumStates
|
||||
} PS_CREATE_STATE;
|
||||
|
||||
typedef struct _PS_CREATE_INFO {
|
||||
SIZE_T Size;
|
||||
PS_CREATE_STATE State;
|
||||
union {
|
||||
struct {
|
||||
union {
|
||||
ULONG InitFlags;
|
||||
struct {
|
||||
UCHAR WriteOutputOnExit : 1;
|
||||
UCHAR DetectManifest : 1;
|
||||
UCHAR IFEOSkipDebugger : 1;
|
||||
UCHAR IFEODoNotPropagateKeyState : 1;
|
||||
UCHAR SpareBits1 : 4;
|
||||
UCHAR SpareBits2 : 8;
|
||||
USHORT ProhibitedImageCharacteristics : 16;
|
||||
} s1;
|
||||
} u1;
|
||||
ACCESS_MASK AdditionalFileAccess;
|
||||
} InitState;
|
||||
struct { HANDLE FileHandle; } FailSection;
|
||||
struct { USHORT DllCharacteristics; } ExeFormat;
|
||||
struct { HANDLE IFEOKey; } ExeName;
|
||||
struct {
|
||||
union {
|
||||
ULONG OutputFlags;
|
||||
struct {
|
||||
UCHAR ProtectedProcess : 1;
|
||||
UCHAR AddressSpaceOverride : 1;
|
||||
UCHAR DevOverrideEnabled : 1;
|
||||
UCHAR ManifestDetected : 1;
|
||||
UCHAR ProtectedProcessLight : 1;
|
||||
UCHAR SpareBits1 : 3;
|
||||
UCHAR SpareBits2 : 8;
|
||||
USHORT SpareBits3 : 16;
|
||||
} s2;
|
||||
} u2;
|
||||
HANDLE FileHandle;
|
||||
HANDLE SectionHandle;
|
||||
ULONGLONG UserProcessParametersNative;
|
||||
ULONG UserProcessParametersWow64;
|
||||
ULONG CurrentParameterFlags;
|
||||
ULONGLONG PebAddressNative;
|
||||
ULONG PebAddressWow64;
|
||||
ULONGLONG ManifestAddress;
|
||||
ULONG ManifestSize;
|
||||
} SuccessState;
|
||||
};
|
||||
} PS_CREATE_INFO, * PPS_CREATE_INFO;
|
||||
|
||||
typedef struct _PROC_THREAD_ATTRIBUTE {
|
||||
ULONG64 Attribute;
|
||||
ULONG64 Size;
|
||||
ULONG64 Value;
|
||||
}PROC_THREAD_ATTRIBUTE, * PPROC_THREAD_ATTRIBUTE;
|
||||
|
||||
typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
|
||||
ULONG PresentFlags;
|
||||
ULONG AttributeCount;
|
||||
ULONG LastAttribute;
|
||||
ULONG SpareUlong0;
|
||||
struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute;
|
||||
struct _PROC_THREAD_ATTRIBUTE Attributes[1];
|
||||
}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
|
||||
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef enum _KEY_VALUE_INFORMATION_CLASS {
|
||||
KeyValueBasicInformation,
|
||||
KeyValueFullInformation,
|
||||
KeyValuePartialInformation,
|
||||
KeyValueFullInformationAlign64,
|
||||
KeyValuePartialInformationAlign64,
|
||||
KeyValueLayerInformation,
|
||||
MaxKeyValueInfoClass
|
||||
} KEY_VALUE_INFORMATION_CLASS;
|
||||
|
||||
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
|
||||
ULONG TitleIndex;
|
||||
ULONG Type;
|
||||
ULONG DataLength;
|
||||
UCHAR Data[1];
|
||||
} KEY_VALUE_PARTIAL_INFORMATION, * PKEY_VALUE_PARTIAL_INFORMATION;
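Review bot: The enum added as `typedef enum _PROCESSINFOCLASS`, and likewise the `_WTS_PROCESS_INFOW` and `_MSIFILEHASHINFO` structs, reproduce definitions the SDK already ships in `<winternl.h>`, `<wtsapi32.h>` and `<msi.h>`, so any translation unit that includes Internal.h together with one of those headers will fail on a duplicate typedef. Since Internal.h only includes `<Windows.h>` this builds today, but a comment above each copy naming the SDK header it shadows, e.g. `// Mirrors the winternl.h definition; do not include <winternl.h> in the same translation unit`, would save the next person that build break.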
|
|
@ -11,6 +11,7 @@ TODO:
|
|||
- Run PE in memory https://papers.vx-underground.org/papers/Windows/Evasion%20-%20Systems%20Call%20and%20Memory%20Evasion/Executing%20a%20PE%20File%20in%20Memory.zip
|
||||
- Download file options: https://www.x86matthew.com/view_post?id=ntsockets
|
||||
- https://learn.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shansitounicode
|
||||
- https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767757(v=vs.85)
|
||||
|
||||
KNOWN ISSUES
|
||||
- Work on In / Out / Inout in function calls
|
||||
|
@ -18,12 +19,12 @@ KNOWN ISSUES
|
|||
*/
|
||||
|
||||
|
||||
|
||||
|
||||
int main(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
|
||||
|
||||
MpfGetLsaPidFromRegistry();
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
BOOL MasqueradePebAsExplorer(VOID)
|
||||
{
|
||||
typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
|
||||
typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
|
||||
RTLENTERCRITICALSECTION RtlEnterCriticalSection = NULL;
|
||||
RTLLEAVECRITICALSECTION RtlLeaveCriticalSection = NULL;
|
||||
HMODULE hModule;
|
||||
|
|
|
@ -0,0 +1,55 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD MpfGetLsaPidFromRegistry(VOID)
|
||||
{
|
||||
NTOPENKEY NtOpenKey = NULL;
|
||||
NTQUERYVALUEKEY NtQueryValueKey = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
UNICODE_STRING LsaRegistryPath = { 0 };
|
||||
UNICODE_STRING LsaValue = { 0 };
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HANDLE hKey = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
HMODULE hModule = NULL;
|
||||
DWORD LsassPid = ERROR_SUCCESS;
|
||||
UCHAR Buffer[sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD)] = { 0 };
|
||||
PKEY_VALUE_PARTIAL_INFORMATION ValueObject = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer;
|
||||
DWORD BufferLength = 0;
|
||||
PDWORD dwDispose = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtOpenKey = (NTOPENKEY)GetProcAddressA((DWORD64)hModule, "NtOpenKey");
|
||||
NtQueryValueKey = (NTQUERYVALUEKEY)GetProcAddressA((DWORD64)hModule, "NtQueryValueKey");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
|
||||
if (!NtOpenKey || !NtQueryValueKey || !NtClose)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlInitUnicodeString(&LsaRegistryPath, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
|
||||
RtlInitUnicodeString(&LsaValue, L"LsaPid");
|
||||
InitializeObjectAttributes(&Attributes, &LsaRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
|
||||
Status = NtOpenKey(&hKey, KEY_QUERY_VALUE, &Attributes);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6260)
|
||||
Status = NtQueryValueKey(hKey, &LsaValue, KeyValuePartialInformation, Buffer, (sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD)), &BufferLength);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
#pragma warning( pop )
|
||||
|
||||
LsassPid = *(PDWORD)&ValueObject->Data[0];
|
||||
// = *dwDispose;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hKey)
|
||||
NtClose(hKey);
|
||||
|
||||
return LsassPid;
|
||||
}
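Review bot: The buffer at `UCHAR Buffer[sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD)]` is sized by multiplying two unrelated sizeofs, which is exactly what the suppressed C6260 warning around the NtQueryValueKey call points at; it happens to come to 16 bytes, but what is meant is the partial-information header plus one DWORD, so `UCHAR Buffer[FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + sizeof(DWORD)] = { 0 };` says that directly, the same expression replaces the literal passed to NtQueryValueKey, and the `#pragma warning` pair can go. The read `LsassPid = *(PDWORD)&ValueObject->Data[0];` trusts the value's shape; a guard of `if (ValueObject->Type != REG_DWORD || ValueObject->DataLength < sizeof(DWORD)) goto EXIT_ROUTINE;` before it keeps a renamed or non-DWORD value from being returned as a PID. `PDWORD dwDispose = NULL;` is never used and the commented `// = *dwDispose;` is dead code, so both can be dropped. Since every failure path returns the initial `LsassPid` of ERROR_SUCCESS, a header comment such as `// Returns the LsaPid value from the Lsa key, or 0 if ntdll exports, the key or the value could not be read.` would document that zero is the failure sentinel.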
|
|
@ -84,7 +84,6 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL RecursiveFindFileA(_In_ LPCSTR Path, _In_ LPCSTR Pattern)
|
||||
{
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);
|
||||
PATHCOMBINEA PathCombineA = NULL;
|
||||
HMODULE hShlwapi = NULL;
|
||||
BOOL bIsNewlyLoaded = FALSE;
|
||||
|
@ -196,7 +195,6 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL RecursiveFindFileW(_In_ LPCWSTR Path, _In_ LPCWSTR Pattern)
|
||||
{
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEW)(LPCWSTR, LPCWSTR, LPCWSTR);
|
||||
PATHCOMBINEW PathCombineW = NULL;
|
||||
HMODULE hShlwapi = NULL;
|
||||
BOOL bIsNewlyLoaded = FALSE;
|
||||
|
|
|
@ -14,7 +14,7 @@ VOID RemoveEntryList(LIST_ENTRY* Entry)
|
|||
}
|
||||
}
|
||||
|
||||
BOOL RemoveDllFromPebW(LPCWSTR lpModuleName) {
|
||||
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName) {
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
||||
|
@ -43,7 +43,7 @@ BOOL RemoveDllFromPebW(LPCWSTR lpModuleName) {
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL RemoveDllFromPebA(LPCSTR lpModuleName) {
|
||||
BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName) {
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
CHAR wDllName[64] = { 0 };
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID RtlInitEmptyUnicodeString(PUNICODE_STRING UnicodeString, PWCHAR Buffer, USHORT BufferSize)
|
||||
VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString, _In_ PWCHAR Buffer, _In_ USHORT BufferSize)
|
||||
{
|
||||
UnicodeString->Length = 0;
|
||||
UnicodeString->MaximumLength = BufferSize;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
DWORD RtlNtStatusToDosErrorViaImport(_In_ NTSTATUS Status)
|
||||
{
|
||||
typedef ULONG(NTAPI* RTLNTSTATUSTODOSERROR)(NTSTATUS);
|
||||
RTLNTSTATUSTODOSERROR RtlNtStatusToDosError;
|
||||
HMODULE hModule = NULL;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath)
|
||||
{
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILE)(LPUNKNOWN, LPCTSTR, LPCTSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
class DownloadProgressRoutine : public IBindStatusCallback {
|
||||
private:
|
||||
BOOL AbortOperation = FALSE;
|
||||
|
@ -50,7 +49,7 @@ DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath)
|
|||
HRESULT Result = S_OK;
|
||||
DownloadProgressRoutine DownloadCallback;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
URLDOWNLOADFILE UrlDownloadToFileW = NULL;
|
||||
URLDOWNLOADFILEW UrlDownloadToFileW = NULL;
|
||||
HMODULE Urlmon;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
|
@ -58,7 +57,7 @@ DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath)
|
|||
if (Urlmon == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UrlDownloadToFileW = (URLDOWNLOADFILE)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileW");
|
||||
UrlDownloadToFileW = (URLDOWNLOADFILEW)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileW");
|
||||
if (!UrlDownloadToFileW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -99,7 +98,6 @@ EXIT_ROUTINE:
|
|||
|
||||
DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath)
|
||||
{
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILE)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
class DownloadProgressRoutine : public IBindStatusCallback {
|
||||
private:
|
||||
BOOL AbortOperation = FALSE;
|
||||
|
@ -147,7 +145,7 @@ DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath)
|
|||
HRESULT Result = S_OK;
|
||||
DownloadProgressRoutine DownloadCallback;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
URLDOWNLOADFILE UrlDownloadToFileA = NULL;
|
||||
URLDOWNLOADFILEA UrlDownloadToFileA = NULL;
|
||||
HMODULE Urlmon;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
|
@ -155,7 +153,7 @@ DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath)
|
|||
if (Urlmon == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UrlDownloadToFileA = (URLDOWNLOADFILE)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileA");
|
||||
UrlDownloadToFileA = (URLDOWNLOADFILEA)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileA");
|
||||
if (!UrlDownloadToFileA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
|
|
@ -166,6 +166,7 @@
|
|||
<ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
|
||||
<ClCompile Include="GetPeb.cpp" />
|
||||
<ClCompile Include="GetPidFromEnumProcesses.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
|
||||
<ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
|
||||
<ClCompile Include="GetPidFromWmiComInterface.cpp" />
|
||||
|
@ -204,6 +205,7 @@
|
|||
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
|
||||
<ClCompile Include="MpfComModifyShortcutTarget.cpp" />
|
||||
<ClCompile Include="MpfComVssDeleteShadowVolumeBackups.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="OleGetClipboardData.cpp" />
|
||||
<ClCompile Include="RecursiveFindFile.cpp" />
|
||||
<ClCompile Include="RemoveDllFromPeb.cpp" />
|
||||
|
@ -231,6 +233,7 @@
|
|||
<ClCompile Include="ZeroMemoryEx.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="FunctionDeclaration.h" />
|
||||
<ClInclude Include="StringManipulation.h" />
|
||||
<ClInclude Include="Internal.h" />
|
||||
<ClInclude Include="Win32Helper.h" />
|
||||
|
|
|
@ -360,6 +360,12 @@
|
|||
<ClCompile Include="GetPidFromWmiComInterface.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromEnumProcesses.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
@ -371,6 +377,9 @@
|
|||
<ClInclude Include="Win32Helper.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="FunctionDeclaration.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="..\README.md" />
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#pragma once
|
||||
#include "Internal.h"
|
||||
#include "StringManipulation.h"
|
||||
#include "FunctionDeclaration.h"
|
||||
|
||||
#ifndef NT_SUCCESS
|
||||
#define NT_SUCCESS(x) ((x)>=0)
|
||||
|
@ -115,7 +116,8 @@ DWORD GetPidFromNtQuerySystemInformationW(_In_ PWCHAR BinaryNameWithFileExtensio
|
|||
DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWmiComInterfaceW(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWmiComInterfaceA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromEnumProcessesW(_In_ PWCHAR ProcessNameWithExtension);
|
||||
DWORD GetPidFromEnumProcessesA(_In_ PCHAR ProcessNameWithExtension);
|
||||
|
||||
|
@ -127,6 +129,7 @@ BOOL MpfComModifyShortcutTargetW(_In_ PWCHAR LnkPath, _In_ PWCHAR LnkExecutionP
|
|||
BOOL MpfComModifyShortcutTargetA(_In_ PCHAR LnkPath, _In_ PCHAR LnkExecutionProperty);
|
||||
BOOL UacBypassFodHelperMethodA(_In_ PCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
|
||||
BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
|
||||
DWORD MpfGetLsaPidFromRegistry(VOID);
|
||||
|
||||
//evasion
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
|
||||
|
|