new func

+

README.md

@@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
   
 # VX-API
 
-Version: 2022.210
+Version: 2022.215
 
 Developer: smelly__vx
   
@@ -126,12 +126,12 @@ You're free to use this in any manner you please. You do not need to use this en
 | MpfComVssDeleteShadowVolumeBackups | am0nsec | Malicious Capability |
 | OleGetClipboardData | Microsoft | Malicious Capability |
 | UacBypassFodHelperMethod | winscripting.blog | Malicious Capability |
+| MpfGetLsaPidFromServiceManager | modexp | Malicious Capability |
 | MpfGetLsaPidFromRegistry | modexp | Malicious Capability |
 
 # Todo list
 | Functionality | Author | Note |
 | ------------- | ------ | ---- |
-| QueryServiceStatusEx | modexp | SAMSS |
 | NtQueryInformationFile | modexp | lsass |
 | NtFsControlFile | modexp | lsass pipe |
 | NtQueryOpenSubKeysEx | modexp | sam |

VX-API/FunctionDeclaration.h

@@ -79,6 +79,3 @@ typedef VOID(WINAPI* WTSFREEMEMORY)(PVOID);
 *******************************************/
 typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
 typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDA)(PSID, LPSTR*);
-typedef SC_HANDLE(WINAPI* OPENSCMANAGERW)(LPCWSTR, LPCWSTR, DWORD);
-typedef SC_HANDLE(WINAPI* OPENSERVICEW)(SC_HANDLE, LPCWSTR, DWORD);
-typedef SC_HANDLE(WINAPI* QUERYSERVICESTATUSEX)(SC_HANDLE, SC_STATUS_TYPE, LPBYTE, DWORD, LPDWORD);

VX-API/Main.cpp

@@ -23,7 +23,7 @@ int main(VOID)
 {
 	DWORD dwError = ERROR_SUCCESS;
 
-	dwError = GetPidFromPidBruteForcingW((PWCHAR)L"cmd.exe");
+	dwError = MpfGetLsaPidFromServiceManager();
 
 	return dwError;
 }

VX-API/MpfGetLsaPidFromServiceManager.cpp

@@ -0,0 +1,31 @@
+#include "Win32Helper.h"
+
+DWORD MpfGetLsaPidFromServiceManager(VOID)
+{
+	SC_HANDLE Manager = NULL, ServiceHandle = NULL;
+	DWORD ProcessId = ERROR_SUCCESS, BytesNeeded = ERROR_SUCCESS;
+	SERVICE_STATUS_PROCESS ServiceStatus = { 0 };
+
+	Manager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
+	if (Manager == NULL)
+		return 0;
+
+	ServiceHandle = OpenServiceW(Manager, L"samss", SERVICE_QUERY_STATUS);
+	if (ServiceHandle == NULL)
+		goto EXIT_ROUTINE;
+
+	if(!QueryServiceStatusEx(ServiceHandle, SC_STATUS_PROCESS_INFO, (LPBYTE)&ServiceStatus, sizeof(ServiceStatus), &BytesNeeded))
+		goto EXIT_ROUTINE;
+
+	ProcessId = ServiceStatus.dwProcessId;
+
+EXIT_ROUTINE:
+
+	if(ServiceHandle)
+		CloseServiceHandle(ServiceHandle);
+
+	if (Manager)
+		CloseServiceHandle(Manager);
+
+	return ProcessId;
+}

VX-API/VX-API.vcxproj

@@ -207,6 +207,7 @@
     <ClCompile Include="MpfComModifyShortcutTarget.cpp" />
     <ClCompile Include="MpfComVssDeleteShadowVolumeBackups.cpp" />
     <ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
+    <ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
     <ClCompile Include="OleGetClipboardData.cpp" />
     <ClCompile Include="RecursiveFindFile.cpp" />
     <ClCompile Include="RemoveDllFromPeb.cpp" />

VX-API/VX-API.vcxproj.filters

@@ -372,6 +372,9 @@
     <ClCompile Include="TryLoadDllMultiMethod.cpp">
       <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
     </ClCompile>
+    <ClCompile Include="MpfGetLsaPidFromServiceManager.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Internal.h">

VX-API/Win32Helper.h

@@ -134,6 +134,7 @@ BOOL MpfComModifyShortcutTargetA(_In_ PCHAR LnkPath, _In_  PCHAR LnkExecutionPro
 BOOL UacBypassFodHelperMethodA(_In_ PCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
 BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
 DWORD MpfGetLsaPidFromRegistry(VOID);
+DWORD MpfGetLsaPidFromServiceManager(VOID);
 
 //evasion
 BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);