code improvements and new functionality

N/A
2022-10-20 17:21:05 -05:00 · 2022-10-20 17:21:05 -05:00 · 873caf4511
parent 0252bef0e6
commit 873caf4511
11 changed files with 469 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -79,6 +79,9 @@ You're free to use this in any manner you please. You do not need to use this en
 | IsNvidiaGraphicsCardPresent | smelly__vx | Fingerprinting |
 | IsProcessRunning | smelly__vx | Fingerprinting |
 | IsProcessRunningAsAdmin | Vimal Shekar | Fingerprinting |
+| GetPidFromNtQuerySystemInformation | smelly__vx | Fingerprinting |
+| GetPidFromWindowsTerminalService | modexp | Fingerprinting |
+| GetPidFromWmiComInterface | aalimian and modexp | Fingerprinting |
 | CreateLocalAppDataObjectPath | smelly__vx | Helper Functions |
 | CreateWindowsObjectPath | smelly__vx | Helper Functions |
 | DeleteFileWithCreateFileFlag | smelly__vx | Helper Functions |
@ -95,6 +98,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | RecursiveFindFile | Luke | Helper Functions |
 | SetProcessPrivilegeToken | Microsoft | Helper Functions |
 | UrlDownloadToFileSynchronous | Hans Passant | Helper Functions |
+| IsDllLoaded | smelly__vx | Helper Functions | 
 | GetKUserSharedData | Geoff Chappell | Library Loading |
 | GetModuleHandleEx2 | smelly__vx | Library Loading |
 | GetPeb | 29a | Library Loading |
@ -116,3 +120,29 @@ You're free to use this in any manner you please. You do not need to use this en
 | OleGetClipboardData | Microsoft | Malicious Capability |
 | UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |

+# Todo list
+| Functionality | Author | Note |
+| ------------- | ------ | ---- |
+| NtQueryValueKey | modexp | Lsa pid |
+| QueryServiceStatusEx | modexp | SAMSS |
+| NtQueryInformationFile | modexp | lsass |
+| NtFsControlFile | modexp | lsass pipe |
+| NtQueryOpenSubKeysEx | modexp | sam |
+| RegQueryValueExW | modexp | Performance data |
+| NtDeviceIoControlFile | modexp | TCP table |
+| EvtQuery | modexp | Security Event Log |
+| Brute force PID | modexp | incr |
+| NtMapViewOfSection lsass | modexp | NtMapViewOfSection |
+| IcmpSendEcho | N/A | Sync PING |
+| IcmpSendEcho2Ex | N/A | Async PING w/ APC |
+| WMI PING | N/A | Sync/Async PING with COM |
+| Run PE in memory | N/A | N/A |
+| Process Injection | N/A | N/A |
+| More string manipulation from MSDN | N/A | N/A |
+| More hashing algorithms | N/A | N/A |
+
+# Notes
+| Function Name | Original Author | Note |
+| ------------- | --------------- | ------- |
+| CreateProcessByNotepadProxy | x86matthew | Removed, unstable |
+| SystemFunction036 | MSDN | Removed, unstable |
--- a/VX-API/GetPidFromNtQuerySystemInformation.cpp
+++ b/VX-API/GetPidFromNtQuerySystemInformation.cpp
@ -0,0 +1,126 @@
+#include "Win32Helper.h"
+
+#include <stdio.h>
+
+typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+
+DWORD UnusedSubroutineQueryBufferSize(NTQUERYSYSTEMINFORMATION NtQuerySystemInformation)
+{
+	DWORD dwSize = ERROR_SUCCESS;
+
+	NtQuerySystemInformation(SystemProcessInformation, NULL, 0, &dwSize);
+
+	return (dwSize + 0x1000);
+}
+
+DWORD GetPidFromNtQuerySystemInformationW(_In_ PWCHAR BinaryNameWithFileExtension)
+{
+	NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
+	DWORD ProcessId = 0, Length = 0, dwOffset = 0;
+	PSYSTEM_PROCESS_INFORMATION ProcessInformationPointer = NULL;
+	HMODULE hModule = NULL;
+	NTSTATUS Status = STATUS_SUCCESS;
+
+	PSYSTEM_PROCESS_INFORMATION Process = NULL;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		goto EXIT_ROUTINE;
+
+	NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
+	if (!NtQuerySystemInformation)
+		goto EXIT_ROUTINE;
+
+	Length = UnusedSubroutineQueryBufferSize(NtQuerySystemInformation);
+	if (Length == 0)
+		goto EXIT_ROUTINE;
+
+	Process = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
+	if (Process == NULL)
+		goto EXIT_ROUTINE;
+
+	Status = NtQuerySystemInformation(SystemProcessInformation, Process, Length, &Length);
+	if (!NT_SUCCESS(Status))
+		goto EXIT_ROUTINE;
+
+	ProcessInformationPointer = Process;
+	do
+	{
+		if (ProcessInformationPointer->ImageName.Buffer)
+		{
+			if (StringCompareW(BinaryNameWithFileExtension, ProcessInformationPointer->ImageName.Buffer) == ERROR_SUCCESS)
+				ProcessId = HandleToLong(ProcessInformationPointer->UniqueProcessId);
+		}
+
+		if (ProcessId != 0)
+			break;
+	
+		ProcessInformationPointer = (PSYSTEM_PROCESS_INFORMATION)(((PBYTE)ProcessInformationPointer) + ProcessInformationPointer->NextEntryOffset);
+
+	} while (ProcessInformationPointer->NextEntryOffset);
+
+EXIT_ROUTINE:
+
+	if (Process)
+		HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Process);
+
+	return ProcessId;
+}
+
+DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension)
+{
+	NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
+	DWORD ProcessId = 0, Length = 0, dwOffset = 0;
+	PSYSTEM_PROCESS_INFORMATION ProcessInformationPointer = NULL;
+	HMODULE hModule = NULL;
+	NTSTATUS Status = STATUS_SUCCESS;
+	WCHAR BinaryName[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+	PSYSTEM_PROCESS_INFORMATION Process = NULL;
+
+	if (CharStringToWCharString(BinaryName, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
+		return 0;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		goto EXIT_ROUTINE;
+
+	NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
+	if (!NtQuerySystemInformation)
+		goto EXIT_ROUTINE;
+
+	Length = UnusedSubroutineQueryBufferSize(NtQuerySystemInformation);
+	if (Length == 0)
+		goto EXIT_ROUTINE;
+
+	Process = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
+	if (Process == NULL)
+		goto EXIT_ROUTINE;
+
+	Status = NtQuerySystemInformation(SystemProcessInformation, Process, Length, &Length);
+	if (!NT_SUCCESS(Status))
+		goto EXIT_ROUTINE;
+
+	ProcessInformationPointer = Process;
+	do
+	{
+		if (ProcessInformationPointer->ImageName.Buffer)
+		{
+			if (StringCompareW(BinaryName, ProcessInformationPointer->ImageName.Buffer) == ERROR_SUCCESS)
+				ProcessId = HandleToLong(ProcessInformationPointer->UniqueProcessId);
+		}
+
+		if (ProcessId != 0)
+			break;
+
+		ProcessInformationPointer = (PSYSTEM_PROCESS_INFORMATION)(((PBYTE)ProcessInformationPointer) + ProcessInformationPointer->NextEntryOffset);
+
+	} while (ProcessInformationPointer->NextEntryOffset);
+
+EXIT_ROUTINE:
+
+	if (Process)
+		HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Process);
+
+	return ProcessId;
+}
--- a/VX-API/GetPidFromWindowsTerminalService.cpp
+++ b/VX-API/GetPidFromWindowsTerminalService.cpp
@ -0,0 +1,135 @@
+#include "Win32Helper.h"
+
+#define WTS_CURRENT_SERVER_HANDLE ((HANDLE)NULL)
+
+DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension)
+{
+	typedef struct _WTS_PROCESS_INFOW {
+		DWORD SessionId;
+		DWORD ProcessId;
+		LPWSTR pProcessName;
+		PSID  pUserSid;
+	} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
+
+	typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
+	typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
+	PWTS_PROCESS_INFOW ProcessInformation = NULL;
+	WTSFREEMEMORY WtsFreeMemory = NULL;
+	WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
+	DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
+	HMODULE hModule = NULL;
+	BOOL bUnload = FALSE;
+
+	if (!IsDllLoadedW(L"Wtsapi32.dll"))
+	{
+		hModule = LoadLibraryW(L"Wtsapi32.dll");
+		if (hModule == NULL)
+			goto EXIT_ROUTINE;
+
+		bUnload = TRUE;
+	}
+	else {
+		hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
+		if (hModule == NULL)
+			goto EXIT_ROUTINE;
+	}
+
+	WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
+	WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
+
+	if (!WtsEnumerateProcessesW || !WtsFreeMemory)
+		goto EXIT_ROUTINE;
+
+	if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
+		goto EXIT_ROUTINE;
+
+	if (ProcessInformation == NULL)
+		goto EXIT_ROUTINE;
+
+	for (DWORD dwX = 0; dwX < dwNumberOfProcesses; dwX++)
+	{
+		if (StringCompareW(BinaryNameWithFileExtension, ProcessInformation[dwX].pProcessName) == ERROR_SUCCESS)
+		{
+			ProcessId = ProcessInformation[dwX].ProcessId;
+			break;
+		}
+	}
+
+EXIT_ROUTINE:
+
+	if (bUnload)
+		FreeLibrary(hModule);
+
+	if (ProcessInformation)
+		WtsFreeMemory(ProcessInformation);
+
+	return ProcessId;
+}
+
+DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension)
+{
+	typedef struct _WTS_PROCESS_INFOW {
+		DWORD SessionId;
+		DWORD ProcessId;
+		LPWSTR pProcessName;
+		PSID  pUserSid;
+	} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
+
+	typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
+	typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
+	PWTS_PROCESS_INFOW ProcessInformation = NULL;
+	WTSFREEMEMORY WtsFreeMemory = NULL;
+	WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
+	DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
+	HMODULE hModule = NULL;
+	BOOL bUnload = FALSE;
+	WCHAR Buffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+	if (CharStringToWCharString(Buffer, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
+		goto EXIT_ROUTINE;
+
+	if (!IsDllLoadedW(L"Wtsapi32.dll"))
+	{
+		hModule = LoadLibraryW(L"Wtsapi32.dll");
+		if (hModule == NULL)
+			goto EXIT_ROUTINE;
+
+		bUnload = TRUE;
+	}
+	else {
+		hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
+		if (hModule == NULL)
+			goto EXIT_ROUTINE;
+	}
+
+	WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
+	WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
+
+	if (!WtsEnumerateProcessesW || !WtsFreeMemory)
+		goto EXIT_ROUTINE;
+
+	if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
+		goto EXIT_ROUTINE;
+
+	if (ProcessInformation == NULL)
+		goto EXIT_ROUTINE;
+
+	for (DWORD dwX = 0; dwX < dwNumberOfProcesses; dwX++)
+	{
+		if (StringCompareW(Buffer, ProcessInformation[dwX].pProcessName) == ERROR_SUCCESS)
+		{
+			ProcessId = ProcessInformation[dwX].ProcessId;
+			break;
+		}
+	}
+
+EXIT_ROUTINE:
+
+	if (bUnload)
+		FreeLibrary(hModule);
+
+	if (ProcessInformation)
+		WtsFreeMemory(ProcessInformation);
+
+	return ProcessId;
+}
--- a/VX-API/GetPidFromWmiComInterface.cpp
+++ b/VX-API/GetPidFromWmiComInterface.cpp
@ -0,0 +1,91 @@
+#include "Win32Helper.h"
+#include <comdef.h>
+#include <Wbemidl.h>
+
+#pragma comment(lib, "wbemuuid.lib")
+
+DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension)
+{
+	IWbemLocator* Locator = NULL;
+	IWbemServices* Services = NULL;
+	IEnumWbemClassObject* Enumerator = NULL;
+	IWbemClassObject* Object = NULL;
+	DWORD ProcessId = ERROR_SUCCESS;
+	HRESULT Result = S_OK;
+
+
+	Result = CoInitializeEx(NULL, COINIT_MULTITHREADED);
+	if (!SUCCEEDED(Result))
+		return 0;
+
+	Result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
+	if (!SUCCEEDED(Result))
+		goto EXIT_ROUTINE;
+
+	Result = CoCreateInstance(CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&Locator);
+	if (!SUCCEEDED(Result))
+		goto EXIT_ROUTINE;
+
+	Result = Locator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL, &Services);
+	if (!SUCCEEDED(Result))
+		goto EXIT_ROUTINE;
+
+	Result = CoSetProxyBlanket(Services, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
+	if (!SUCCEEDED(Result))
+		goto EXIT_ROUTINE;
+
+	Result = Services->ExecQuery((BSTR)L"WQL", (BSTR)L"SELECT * FROM Win32_Process", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &Enumerator);
+	if (!SUCCEEDED(Result))
+		goto EXIT_ROUTINE;
+
+	while (Enumerator)
+	{
+		if (ProcessId != ERROR_SUCCESS)
+			break;
+
+		ULONG uReturned = ERROR_SUCCESS;
+		VARIANT ProcessData; VariantInit(&ProcessData);
+		VARIANT VariantProcessId; VariantInit(&VariantProcessId);
+
+		Result = Enumerator->Next(WBEM_INFINITE, 1, &Object, &uReturned);
+		if (!SUCCEEDED(Result))
+			continue;
+
+		if (uReturned == 0)
+			continue;
+
+		Result = Object->Get(L"Name", 0, &ProcessData, NULL, NULL);
+		if (SUCCEEDED(Result))
+		{
+			if (StringCompareW(BinaryNameWithFileExtension, V_BSTR(&ProcessData)) == ERROR_SUCCESS)
+			{
+				Result = Object->Get(L"ProcessId", 0, &VariantProcessId, NULL, NULL);
+				if(SUCCEEDED(Result))
+					ProcessId = V_UI4(&VariantProcessId);
+			}
+		}
+
+		VariantClear(&ProcessData);
+		VariantClear(&VariantProcessId);
+
+		if (Object)
+			Object->Release();
+	}
+
+EXIT_ROUTINE:
+
+	if (Enumerator)
+		Enumerator->Release();
+
+	if (Services)
+		Services->Release();
+
+	if (Locator)
+		Locator->Release();
+
+	CoUninitialize();
+
+	return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);
+
+	//return ProcessId;
+}
--- a/VX-API/Internal.h
+++ b/VX-API/Internal.h
@ -498,4 +498,53 @@ typedef struct _KUSER_SHARED_DATA {
 	XSTATE_CONFIGURATION          XState;
 	KSYSTEM_TIME                  FeatureConfigurationChangeStamp;
 	ULONG                         Spare;
-} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
+} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+	SystemBasicInformation = 0,
+	SystemPerformanceInformation = 2,
+	SystemTimeOfDayInformation = 3,
+	SystemProcessInformation = 5,
+	SystemProcessorPerformanceInformation = 8,
+	SystemInterruptInformation = 23,
+	SystemExceptionInformation = 33,
+	SystemRegistryQuotaInformation = 37,
+	SystemLookasideInformation = 45
+} SYSTEM_INFORMATION_CLASS;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION{
+	ULONG NextEntryOffset;
+	ULONG NumberOfThreads;
+	LARGE_INTEGER WorkingSetPrivateSize;
+	ULONG HardFaultCount;
+	ULONG NumberOfThreadsHighWatermark; 
+	ULONGLONG CycleTime; 
+	LARGE_INTEGER CreateTime;
+	LARGE_INTEGER UserTime;
+	LARGE_INTEGER KernelTime;
+	UNICODE_STRING ImageName;
+	LONG BasePriority;
+	HANDLE UniqueProcessId;
+	HANDLE InheritedFromUniqueProcessId;
+	ULONG HandleCount;
+	ULONG SessionId;
+	ULONG_PTR PageDirectoryBase;
+	SIZE_T PeakVirtualSize;
+	SIZE_T VirtualSize;
+	ULONG PageFaultCount;
+	SIZE_T PeakWorkingSetSize;
+	SIZE_T WorkingSetSize;
+	SIZE_T QuotaPeakPagedPoolUsage;
+	SIZE_T QuotaPagedPoolUsage;
+	SIZE_T QuotaPeakNonPagedPoolUsage;
+	SIZE_T QuotaNonPagedPoolUsage;
+	SIZE_T PagefileUsage;
+	SIZE_T PeakPagefileUsage;
+	SIZE_T PrivatePageCount;
+	LARGE_INTEGER ReadOperationCount;
+	LARGE_INTEGER WriteOperationCount;
+	LARGE_INTEGER OtherOperationCount;
+	LARGE_INTEGER ReadTransferCount;
+	LARGE_INTEGER WriteTransferCount;
+	LARGE_INTEGER OtherTransferCount;
+} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
--- a/VX-API/IsDllLoaded.cpp
+++ b/VX-API/IsDllLoaded.cpp
@ -0,0 +1,11 @@
+#include "Win32Helper.h"
+
+BOOL IsDllLoadedW(_In_ LPCWSTR DllName)
+{
+	return (GetModuleHandleEx2W(DllName) == NULL ? FALSE : TRUE);
+}
+
+BOOL IsDllLoadedA(_In_ LPCSTR DllName)
+{
+	return (GetModuleHandleEx2A(DllName) == NULL ? FALSE : TRUE);
+}
--- a/VX-API/Main.cpp
+++ b/VX-API/Main.cpp
@ -10,8 +10,7 @@ TODO:
 	- PID stuff: https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
 	- Run PE in memory https://papers.vx-underground.org/papers/Windows/Evasion%20-%20Systems%20Call%20and%20Memory%20Evasion/Executing%20a%20PE%20File%20in%20Memory.zip
 	- Download file options: https://www.x86matthew.com/view_post?id=ntsockets
-	- ???
-	- Profit!!!!11
+	- https://learn.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shansitounicode

 KNOWN ISSUES
 	- Work on In / Out / Inout in function calls
@ -24,6 +23,7 @@ KNOWN ISSUES
 int main(VOID)
 {
 	DWORD dwError = ERROR_SUCCESS;
+	
 	return dwError;
 }

--- a/VX-API/RtlInitUnicodeString.cpp
+++ b/VX-API/RtlInitUnicodeString.cpp
@ -1,6 +1,6 @@
 #include "StringManipulation.h"

-VOID RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
+VOID RtlInitUnicodeString(_Inout_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString)
 {
 	SIZE_T DestSize;

--- a/VX-API/VX-API.vcxproj
+++ b/VX-API/VX-API.vcxproj
@ -166,6 +166,9 @@
    <ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
    <ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
    <ClCompile Include="GetPeb.cpp" />
+    <ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
+    <ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
+    <ClCompile Include="GetPidFromWmiComInterface.cpp" />
    <ClCompile Include="GetProcAddress.cpp" />
    <ClCompile Include="GetProcAddressDjb2.cpp" />
    <ClCompile Include="GetProcAddressFowlerNollVoVariant1a.cpp" />
@ -191,6 +194,7 @@
    <ClCompile Include="HashStringSuperFastHash.cpp" />
    <ClCompile Include="HashStringUnknownGenericHash1.cpp" />
    <ClCompile Include="IsDebuggerPresentEx.cpp" />
+    <ClCompile Include="IsDllLoaded.cpp" />
    <ClCompile Include="IsIntelHardwareBreakpointPresent.cpp" />
    <ClCompile Include="IsNvidiaGraphicsCardPresent.cpp" />
    <ClCompile Include="IsPathValid.cpp" />
--- a/VX-API/VX-API.vcxproj.filters
+++ b/VX-API/VX-API.vcxproj.filters
@ -348,6 +348,18 @@
    <ClCompile Include="GetCurrentLocaleFromTeb.cpp">
      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
    </ClCompile>
+    <ClCompile Include="IsDllLoaded.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
+    <ClCompile Include="GetPidFromNtQuerySystemInformation.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
+    </ClCompile>
+    <ClCompile Include="GetPidFromWindowsTerminalService.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
+    </ClCompile>
+    <ClCompile Include="GetPidFromWmiComInterface.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Internal.h">
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -96,6 +96,8 @@ LONGLONG GetFileSizeFromPathA(_In_ PCHAR Path, _In_ DWORD dwFlagsAndAttributes);
 DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath);
 DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
 BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum);
+BOOL IsDllLoadedW(_In_ LPCWSTR DllName);
+BOOL IsDllLoadedA(_In_ LPCSTR DllName);

 //fingerprinting
 LCID GetCurrentLocaleFromTeb(VOID);
@ -109,6 +111,11 @@ ULONG GetOsMajorVersionFromPeb(VOID);
 ULONG GetOsMinorVersionFromPeb(VOID);
 ULONG GetOsBuildNumberFromPeb(VOID);
 ULONG GetOsPlatformIdFromPeb(VOID);
+DWORD GetPidFromNtQuerySystemInformationW(_In_ PWCHAR BinaryNameWithFileExtension);
+DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension);
+DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension);
+DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension);
+DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension);

 //malicious capabilities
 DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);