parent
0252bef0e6
commit
873caf4511
30
README.md
30
README.md
|
@ -79,6 +79,9 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| IsNvidiaGraphicsCardPresent | smelly__vx | Fingerprinting |
|
||||
| IsProcessRunning | smelly__vx | Fingerprinting |
|
||||
| IsProcessRunningAsAdmin | Vimal Shekar | Fingerprinting |
|
||||
| GetPidFromNtQuerySystemInformation | smelly__vx | Fingerprinting |
|
||||
| GetPidFromWindowsTerminalService | modexp | Fingerprinting |
|
||||
| GetPidFromWmiComInterface | aalimian and modexp | Fingerprinting |
|
||||
| CreateLocalAppDataObjectPath | smelly__vx | Helper Functions |
|
||||
| CreateWindowsObjectPath | smelly__vx | Helper Functions |
|
||||
| DeleteFileWithCreateFileFlag | smelly__vx | Helper Functions |
|
||||
|
@ -95,6 +98,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| RecursiveFindFile | Luke | Helper Functions |
|
||||
| SetProcessPrivilegeToken | Microsoft | Helper Functions |
|
||||
| UrlDownloadToFileSynchronous | Hans Passant | Helper Functions |
|
||||
| IsDllLoaded | smelly__vx | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
|
@ -116,3 +120,29 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| OleGetClipboardData | Microsoft | Malicious Capability |
|
||||
| UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
|
||||
|
||||
# Todo list
|
||||
| Functionality | Author | Note |
|
||||
| ------------- | ------ | ---- |
|
||||
| NtQueryValueKey | modexp | Lsa pid |
|
||||
| QueryServiceStatusEx | modexp | SAMSS |
|
||||
| NtQueryInformationFile | modexp | lsass |
|
||||
| NtFsControlFile | modexp | lsass pipe |
|
||||
| NtQueryOpenSubKeysEx | modexp | sam |
|
||||
| RegQueryValueExW | modexp | Performance data |
|
||||
| NtDeviceIoControlFile | modexp | TCP table |
|
||||
| EvtQuery | modexp | Security Event Log |
|
||||
| Brute force PID | modexp | incr |
|
||||
| NtMapViewOfSection lsass | modexp | NtMapViewOfSection |
|
||||
| IcmpSendEcho | N/A | Sync PING |
|
||||
| IcmpSendEcho2Ex | N/A | Async PING w/ APC |
|
||||
| WMI PING | N/A | Sync/Async PING with COM |
|
||||
| Run PE in memory | N/A | N/A |
|
||||
| Process Injection | N/A | N/A |
|
||||
| More string manipulation from MSDN | N/A | N/A |
|
||||
| More hashing algorithms | N/A | N/A |
|
||||
|
||||
# Notes
|
||||
| Function Name | Original Author | Note |
|
||||
| ------------- | --------------- | ------- |
|
||||
| CreateProcessByNotepadProxy | x86matthew | Removed, unstable |
|
||||
| SystemFunction036 | MSDN | Removed, unstable |
|
|
@ -0,0 +1,126 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
|
||||
|
||||
DWORD UnusedSubroutineQueryBufferSize(NTQUERYSYSTEMINFORMATION NtQuerySystemInformation)
|
||||
{
|
||||
DWORD dwSize = ERROR_SUCCESS;
|
||||
|
||||
NtQuerySystemInformation(SystemProcessInformation, NULL, 0, &dwSize);
|
||||
|
||||
return (dwSize + 0x1000);
|
||||
}
|
||||
|
||||
DWORD GetPidFromNtQuerySystemInformationW(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
DWORD ProcessId = 0, Length = 0, dwOffset = 0;
|
||||
PSYSTEM_PROCESS_INFORMATION ProcessInformationPointer = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
|
||||
PSYSTEM_PROCESS_INFORMATION Process = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
if (!NtQuerySystemInformation)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Length = UnusedSubroutineQueryBufferSize(NtQuerySystemInformation);
|
||||
if (Length == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Process = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
|
||||
if (Process == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Status = NtQuerySystemInformation(SystemProcessInformation, Process, Length, &Length);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ProcessInformationPointer = Process;
|
||||
do
|
||||
{
|
||||
if (ProcessInformationPointer->ImageName.Buffer)
|
||||
{
|
||||
if (StringCompareW(BinaryNameWithFileExtension, ProcessInformationPointer->ImageName.Buffer) == ERROR_SUCCESS)
|
||||
ProcessId = HandleToLong(ProcessInformationPointer->UniqueProcessId);
|
||||
}
|
||||
|
||||
if (ProcessId != 0)
|
||||
break;
|
||||
|
||||
ProcessInformationPointer = (PSYSTEM_PROCESS_INFORMATION)(((PBYTE)ProcessInformationPointer) + ProcessInformationPointer->NextEntryOffset);
|
||||
|
||||
} while (ProcessInformationPointer->NextEntryOffset);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Process)
|
||||
HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Process);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
||||
DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
DWORD ProcessId = 0, Length = 0, dwOffset = 0;
|
||||
PSYSTEM_PROCESS_INFORMATION ProcessInformationPointer = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
WCHAR BinaryName[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
PSYSTEM_PROCESS_INFORMATION Process = NULL;
|
||||
|
||||
if (CharStringToWCharString(BinaryName, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
|
||||
return 0;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
if (!NtQuerySystemInformation)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Length = UnusedSubroutineQueryBufferSize(NtQuerySystemInformation);
|
||||
if (Length == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Process = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
|
||||
if (Process == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Status = NtQuerySystemInformation(SystemProcessInformation, Process, Length, &Length);
|
||||
if (!NT_SUCCESS(Status))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ProcessInformationPointer = Process;
|
||||
do
|
||||
{
|
||||
if (ProcessInformationPointer->ImageName.Buffer)
|
||||
{
|
||||
if (StringCompareW(BinaryName, ProcessInformationPointer->ImageName.Buffer) == ERROR_SUCCESS)
|
||||
ProcessId = HandleToLong(ProcessInformationPointer->UniqueProcessId);
|
||||
}
|
||||
|
||||
if (ProcessId != 0)
|
||||
break;
|
||||
|
||||
ProcessInformationPointer = (PSYSTEM_PROCESS_INFORMATION)(((PBYTE)ProcessInformationPointer) + ProcessInformationPointer->NextEntryOffset);
|
||||
|
||||
} while (ProcessInformationPointer->NextEntryOffset);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Process)
|
||||
HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Process);
|
||||
|
||||
return ProcessId;
|
||||
}
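Review bot: The do/while in GetPidFromNtQuerySystemInformationW advances to the next SYSTEM_PROCESS_INFORMATION entry and only then tests `NextEntryOffset`, so the final entry of the snapshot (the one whose NextEntryOffset is 0) is never compared against BinaryNameWithFileExtension and a process that happens to be last is reported as not found. Test the terminator before advancing: insert `if (ProcessInformationPointer->NextEntryOffset == 0) break;` ahead of the pointer-advance line and change the loop tail to `} while (TRUE);`. GetPidFromNtQuerySystemInformationA repeats the same loop and needs the same fix. Separately, the process list can grow between UnusedSubroutineQueryBufferSize and the real call, and a STATUS_INFO_LENGTH_MISMATCH from the second NtQuerySystemInformation is treated as a hard failure instead of being retried with the returned Length; the `dwOffset` locals in both functions are unused, and HeapFree is passed HEAP_ZERO_MEMORY, which is a HeapAlloc flag, not a HeapFree one (pass 0).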
|
|
@ -0,0 +1,135 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#define WTS_CURRENT_SERVER_HANDLE ((HANDLE)NULL)
|
||||
|
||||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
|
||||
if (!IsDllLoadedW(L"Wtsapi32.dll"))
|
||||
{
|
||||
hModule = LoadLibraryW(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bUnload = TRUE;
|
||||
}
|
||||
else {
|
||||
hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
|
||||
WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
|
||||
|
||||
if (!WtsEnumerateProcessesW || !WtsFreeMemory)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ProcessInformation == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < dwNumberOfProcesses; dwX++)
|
||||
{
|
||||
if (StringCompareW(BinaryNameWithFileExtension, ProcessInformation[dwX].pProcessName) == ERROR_SUCCESS)
|
||||
{
|
||||
ProcessId = ProcessInformation[dwX].ProcessId;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (bUnload)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (ProcessInformation)
|
||||
WtsFreeMemory(ProcessInformation);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
||||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
WCHAR Buffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(Buffer, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!IsDllLoadedW(L"Wtsapi32.dll"))
|
||||
{
|
||||
hModule = LoadLibraryW(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bUnload = TRUE;
|
||||
}
|
||||
else {
|
||||
hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
|
||||
WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
|
||||
|
||||
if (!WtsEnumerateProcessesW || !WtsFreeMemory)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ProcessInformation == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < dwNumberOfProcesses; dwX++)
|
||||
{
|
||||
if (StringCompareW(Buffer, ProcessInformation[dwX].pProcessName) == ERROR_SUCCESS)
|
||||
{
|
||||
ProcessId = ProcessInformation[dwX].ProcessId;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (bUnload)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (ProcessInformation)
|
||||
WtsFreeMemory(ProcessInformation);
|
||||
|
||||
return ProcessId;
|
||||
}
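Review bot: In the EXIT_ROUTINE of GetPidFromWindowsTerminalServiceW, `FreeLibrary(hModule)` runs before `WtsFreeMemory(ProcessInformation)`; when this function is the one that loaded Wtsapi32.dll (bUnload == TRUE) and nothing else holds a reference, WtsFreeMemory is then a call through a pointer into an unmapped module. Free the enumeration buffer first and unload afterwards: `if (ProcessInformation) WtsFreeMemory(ProcessInformation);` followed by `if (bUnload) FreeLibrary(hModule);`. GetPidFromWindowsTerminalServiceA has the same ordering and needs the same swap. The A variant also converts BinaryNameWithFileExtension into a fixed `WCHAR Buffer[MAX_PATH * sizeof(WCHAR)]` using a length taken from the input with no bound on the destination; unless CharStringToWCharString (not visible here) limits the copy itself, an over-long name overruns the stack buffer, so the length should be checked against the buffer before the call. `WTS_PROCESS_INFOW` and the two function-pointer typedefs are duplicated verbatim in both functions and could be declared once at file scope.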
|
|
@ -0,0 +1,91 @@
|
|||
#include "Win32Helper.h"
|
||||
#include <comdef.h>
|
||||
#include <Wbemidl.h>
|
||||
|
||||
#pragma comment(lib, "wbemuuid.lib")
|
||||
|
||||
DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
IWbemLocator* Locator = NULL;
|
||||
IWbemServices* Services = NULL;
|
||||
IEnumWbemClassObject* Enumerator = NULL;
|
||||
IWbemClassObject* Object = NULL;
|
||||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
|
||||
Result = CoInitializeEx(NULL, COINIT_MULTITHREADED);
|
||||
if (!SUCCEEDED(Result))
|
||||
return 0;
|
||||
|
||||
Result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoCreateInstance(CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&Locator);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Locator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL, &Services);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoSetProxyBlanket(Services, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Services->ExecQuery((BSTR)L"WQL", (BSTR)L"SELECT * FROM Win32_Process", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &Enumerator);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
while (Enumerator)
|
||||
{
|
||||
if (ProcessId != ERROR_SUCCESS)
|
||||
break;
|
||||
|
||||
ULONG uReturned = ERROR_SUCCESS;
|
||||
VARIANT ProcessData; VariantInit(&ProcessData);
|
||||
VARIANT VariantProcessId; VariantInit(&VariantProcessId);
|
||||
|
||||
Result = Enumerator->Next(WBEM_INFINITE, 1, &Object, &uReturned);
|
||||
if (!SUCCEEDED(Result))
|
||||
continue;
|
||||
|
||||
if (uReturned == 0)
|
||||
continue;
|
||||
|
||||
Result = Object->Get(L"Name", 0, &ProcessData, NULL, NULL);
|
||||
if (SUCCEEDED(Result))
|
||||
{
|
||||
if (StringCompareW(BinaryNameWithFileExtension, V_BSTR(&ProcessData)) == ERROR_SUCCESS)
|
||||
{
|
||||
Result = Object->Get(L"ProcessId", 0, &VariantProcessId, NULL, NULL);
|
||||
if(SUCCEEDED(Result))
|
||||
ProcessId = V_UI4(&VariantProcessId);
|
||||
}
|
||||
}
|
||||
|
||||
VariantClear(&ProcessData);
|
||||
VariantClear(&VariantProcessId);
|
||||
|
||||
if (Object)
|
||||
Object->Release();
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Enumerator)
|
||||
Enumerator->Release();
|
||||
|
||||
if (Services)
|
||||
Services->Release();
|
||||
|
||||
if (Locator)
|
||||
Locator->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);
|
||||
|
||||
//return ProcessId;
|
||||
}
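Review bot: The `while (Enumerator)` loop in GetPidFromWmiComInterface cannot terminate when the name is not found: once the enumeration is exhausted `Enumerator->Next` returns a success code with `uReturned == 0`, and both that branch and the failure branch `continue` instead of `break`, so the loop spins forever with ProcessId still 0. Replace the two `continue;` statements after the `Next` call with `break;`. `V_BSTR(&ProcessData)` is also read without checking the variant type; guard the compare with `V_VT(&ProcessData) == VT_BSTR` so a non-string `Name` value does not hand a bad pointer to StringCompareW. The final `return (Result != S_OK ? Win32FromHResult(Result) : ProcessId);` delivers a Win32 error code and a PID through the same DWORD, which a caller cannot tell apart; either document that convention in Win32Helper.h or return 0 on failure like the other GetPidFrom* functions.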
|
|
@ -498,4 +498,53 @@ typedef struct _KUSER_SHARED_DATA {
|
|||
XSTATE_CONFIGURATION XState;
|
||||
KSYSTEM_TIME FeatureConfigurationChangeStamp;
|
||||
ULONG Spare;
|
||||
} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
|
||||
} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS {
|
||||
SystemBasicInformation = 0,
|
||||
SystemPerformanceInformation = 2,
|
||||
SystemTimeOfDayInformation = 3,
|
||||
SystemProcessInformation = 5,
|
||||
SystemProcessorPerformanceInformation = 8,
|
||||
SystemInterruptInformation = 23,
|
||||
SystemExceptionInformation = 33,
|
||||
SystemRegistryQuotaInformation = 37,
|
||||
SystemLookasideInformation = 45
|
||||
} SYSTEM_INFORMATION_CLASS;
|
||||
|
||||
typedef struct _SYSTEM_PROCESS_INFORMATION{
|
||||
ULONG NextEntryOffset;
|
||||
ULONG NumberOfThreads;
|
||||
LARGE_INTEGER WorkingSetPrivateSize;
|
||||
ULONG HardFaultCount;
|
||||
ULONG NumberOfThreadsHighWatermark;
|
||||
ULONGLONG CycleTime;
|
||||
LARGE_INTEGER CreateTime;
|
||||
LARGE_INTEGER UserTime;
|
||||
LARGE_INTEGER KernelTime;
|
||||
UNICODE_STRING ImageName;
|
||||
LONG BasePriority;
|
||||
HANDLE UniqueProcessId;
|
||||
HANDLE InheritedFromUniqueProcessId;
|
||||
ULONG HandleCount;
|
||||
ULONG SessionId;
|
||||
ULONG_PTR PageDirectoryBase;
|
||||
SIZE_T PeakVirtualSize;
|
||||
SIZE_T VirtualSize;
|
||||
ULONG PageFaultCount;
|
||||
SIZE_T PeakWorkingSetSize;
|
||||
SIZE_T WorkingSetSize;
|
||||
SIZE_T QuotaPeakPagedPoolUsage;
|
||||
SIZE_T QuotaPagedPoolUsage;
|
||||
SIZE_T QuotaPeakNonPagedPoolUsage;
|
||||
SIZE_T QuotaNonPagedPoolUsage;
|
||||
SIZE_T PagefileUsage;
|
||||
SIZE_T PeakPagefileUsage;
|
||||
SIZE_T PrivatePageCount;
|
||||
LARGE_INTEGER ReadOperationCount;
|
||||
LARGE_INTEGER WriteOperationCount;
|
||||
LARGE_INTEGER OtherOperationCount;
|
||||
LARGE_INTEGER ReadTransferCount;
|
||||
LARGE_INTEGER WriteTransferCount;
|
||||
LARGE_INTEGER OtherTransferCount;
|
||||
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
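Review bot: `_SYSTEM_PROCESS_INFORMATION` and `_SYSTEM_INFORMATION_CLASS` are added without a comment saying where the layout comes from or that it is an undocumented, version-dependent structure; a reader of GetPidFromNtQuerySystemInformation.cpp needs to know that `NextEntryOffset` also skips the per-thread records that follow each entry and that `ImageName.Buffer` may be NULL (the loop there already guards for it). Suggested header comment above the struct: `// Undocumented NT layout returned for SystemProcessInformation; each entry is followed by NumberOfThreads thread records that NextEntryOffset skips over. Verify field offsets against the target Windows build before relying on them.` The enum is a sparse subset of the real SYSTEM_INFORMATION_CLASS; a one-line note that only the listed values are intended for use would stop someone extending it by guessing adjacent numbers.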
|
|
@ -0,0 +1,11 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsDllLoadedW(_In_ LPCWSTR DllName)
|
||||
{
|
||||
return (GetModuleHandleEx2W(DllName) == NULL ? FALSE : TRUE);
|
||||
}
|
||||
|
||||
BOOL IsDllLoadedA(_In_ LPCSTR DllName)
|
||||
{
|
||||
return (GetModuleHandleEx2A(DllName) == NULL ? FALSE : TRUE);
|
||||
}
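Review bot: `GetModuleHandleEx2W(DllName) == NULL ? FALSE : TRUE` in IsDllLoadedW spells out a boolean the expression already yields; `return GetModuleHandleEx2W(DllName) != NULL;` reads more directly, and IsDllLoadedA likewise. A short comment on each would also pin the contract for callers: `// TRUE if the module is already mapped in this process; does not load it (assumes GetModuleHandleEx2W takes no reference — confirm)`.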
|
|
@ -10,8 +10,7 @@ TODO:
|
|||
- PID stuff: https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
|
||||
- Run PE in memory https://papers.vx-underground.org/papers/Windows/Evasion%20-%20Systems%20Call%20and%20Memory%20Evasion/Executing%20a%20PE%20File%20in%20Memory.zip
|
||||
- Download file options: https://www.x86matthew.com/view_post?id=ntsockets
|
||||
- ???
|
||||
- Profit!!!!11
|
||||
- https://learn.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-shansitounicode
|
||||
|
||||
KNOWN ISSUES
|
||||
- Work on In / Out / Inout in function calls
|
||||
|
@ -24,6 +23,7 @@ KNOWN ISSUES
|
|||
int main(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
|
||||
VOID RtlInitUnicodeString(_Inout_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString)
|
||||
{
|
||||
SIZE_T DestSize;
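Review bot: The new signature annotates DestinationString as `_Inout_`, but the system RtlInitUnicodeString fully overwrites the target (Length, MaximumLength, Buffer) from SourceString; if the body, which continues outside the hunk, does the same, `_Out_` is the precise annotation and lets the analyzer flag callers that read the string before it is initialised. Suggested line: `VOID RtlInitUnicodeString(_Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString)`, using `_In_opt_` only if the body tolerates a NULL SourceString as the system routine does; otherwise keep `_In_`.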
|
||||
|
||||
|
|
|
@ -166,6 +166,9 @@
|
|||
<ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
|
||||
<ClCompile Include="GetPeb.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
|
||||
<ClCompile Include="GetPidFromWindowsTerminalService.cpp" />
|
||||
<ClCompile Include="GetPidFromWmiComInterface.cpp" />
|
||||
<ClCompile Include="GetProcAddress.cpp" />
|
||||
<ClCompile Include="GetProcAddressDjb2.cpp" />
|
||||
<ClCompile Include="GetProcAddressFowlerNollVoVariant1a.cpp" />
|
||||
|
@ -191,6 +194,7 @@
|
|||
<ClCompile Include="HashStringSuperFastHash.cpp" />
|
||||
<ClCompile Include="HashStringUnknownGenericHash1.cpp" />
|
||||
<ClCompile Include="IsDebuggerPresentEx.cpp" />
|
||||
<ClCompile Include="IsDllLoaded.cpp" />
|
||||
<ClCompile Include="IsIntelHardwareBreakpointPresent.cpp" />
|
||||
<ClCompile Include="IsNvidiaGraphicsCardPresent.cpp" />
|
||||
<ClCompile Include="IsPathValid.cpp" />
|
||||
|
|
|
@ -348,6 +348,18 @@
|
|||
<ClCompile Include="GetCurrentLocaleFromTeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="IsDllLoaded.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromWindowsTerminalService.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromWmiComInterface.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -96,6 +96,8 @@ LONGLONG GetFileSizeFromPathA(_In_ PCHAR Path, _In_ DWORD dwFlagsAndAttributes);
|
|||
DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath);
|
||||
DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
|
||||
BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum);
|
||||
BOOL IsDllLoadedW(_In_ LPCWSTR DllName);
|
||||
BOOL IsDllLoadedA(_In_ LPCSTR DllName);
|
||||
|
||||
//fingerprinting
|
||||
LCID GetCurrentLocaleFromTeb(VOID);
|
||||
|
@ -109,6 +111,11 @@ ULONG GetOsMajorVersionFromPeb(VOID);
|
|||
ULONG GetOsMinorVersionFromPeb(VOID);
|
||||
ULONG GetOsBuildNumberFromPeb(VOID);
|
||||
ULONG GetOsPlatformIdFromPeb(VOID);
|
||||
DWORD GetPidFromNtQuerySystemInformationW(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromNtQuerySystemInformationA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension);
|
||||
DWORD GetPidFromWmiComInterface(_In_ PWCHAR BinaryNameWithFileExtension);
|
||||
|
||||
//malicious capabilities
|
||||
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);
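Review bot: The five new GetPidFrom* prototypes take `_In_ PWCHAR`/`_In_ PCHAR` for a name the functions only read, while the IsDllLoadedW/A prototypes in the previous hunk use `LPCWSTR`/`LPCSTR`; the non-const form forces C++ callers passing a string literal to cast and misstates the contract. Prefer `_In_ LPCWSTR BinaryNameWithFileExtension` (and `LPCSTR` for the A variants), changed together with the definitions, which remains source-compatible for existing callers. The return convention is also undocumented: a comment such as `// Returns the PID of the first process whose image name matches, 0 if none; GetPidFromWmiComInterface may instead return a Win32 error code` above the group would tell callers how to interpret the value.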
|
||||
|
|