hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License

Question about using a particular method in another project #18

Closed FaridAghili closed 7 years ago

FaridAghili commented 7 years ago

This is a very interesting repository. I've found it very complicated to take one particular method and use it in another project/exe. For example, I wanted to use method 35 in my own exe, and make it auto elevate itself if it's not executed as administrator. To be honest, in the first place, it was a little trouble to find out where to look for it. After finding the correct c file, I figured out it won't work just by copy & pasting the function. There are dependencies (other functions) and also some header files for Nt and Rtl functions.

Sorry for the newbie questions:

  1. Is it possible to use one of these methods in regular Windows applications? Because I guess some of these functions are not accessible.
  2. Which files and headers should I include to make them work?
  3. Do you mind separating each method in the future for more reusability?

You did a great job here, thanks in advance.

hfiref0x commented 7 years ago

Hello,

It is designed so that you can't just blindly copy-paste and make it work in "your malware". However, it demonstrates the principle of how the methods work, leaving you to decide what to do.

If you are unfamiliar with the NT API and cannot work with it, then replace it with the usual Windows API, e.g. NtDuplicateToken -> DuplicateTokenEx, NtSetInformationToken -> SetTokenInformation, RtlAllocateAndInitializeSid -> AllocateAndInitializeSid, etc.

1) Yes, it is possible. 2) See my answer above. 3) No.

Here is the version of method 35 without Windows 10 support and without most of the native API: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86

FaridAghili commented 7 years ago

Thanks for the answer, it's really helpful. I didn't know that it's OK to replace those NT APIs; I'll try. About the method 35 code at the end of your answer, I prefer it to work on Windows 10 as well, so I will try to get the original code working.

Honestly, I'm not developing malware (yet!), I don't have that sort of skill, but I'm really interested in the way this kind of code works.

One more question, if you don't mind: what's the difference between the usual WinAPI and the NtApi starting with Rtl, Zw, Nt, etc.? What's the benefit of using them? Are they hidden from AVs? Do they give us the ability to run some code that we don't have privileges to run normally? I'm doing some kind of research; can you please suggest some articles that I can follow to understand these concepts?

I really appreciate the time you're putting into this, thank you.

FaridAghili commented 7 years ago

OK, I've managed to get it to work.

I just noticed a little bug: Method 35 launches wusa.exe; the problem is that the wusa.exe process won't be closed after ucmTokenModification() returns, and it will likely run forever. This is not a huge mess, but it can be fixed easily.

tyranid.c : line 303: if (shinfo.hProcess) NtClose(shinfo.hProcess); To: if (shinfo.hProcess) { TerminateProcess(shinfo.hProcess, 0); NtClose(shinfo.hProcess); }

hfiref0x commented 7 years ago

Wusa was left alive for debug reasons, as well as the debug message blocks (to help track a future MS fix, because it is a general OS design failure and they have to fix it anyway), but you are right, it should be terminated after work; this will be added in the next update.

There are multiple differences between the Windows API and the Native API, as the first is public and the second is private. The Windows API is a high abstraction level built on top of the Native API.

Difference between Nt and Zw -> https://msdn.microsoft.com/en-us/library/windows/hardware/ff565438(v=vs.85).aspx

Rtl is an internal subset of routines implemented in ntdll, while the native Nt services are implemented in ntoskrnl and ntdll is just a call gate to them.

The benefit of using them is the following: they are faster because there are no abstraction layers, and they are much more powerful in terms of the functionality provided. The disadvantages are obvious: the undocumented state of most of them, and sometimes you need more code to do what you can do in the Windows API with one call; for example ImpersonateLoggedOnUser: compare one call of it to how it is implemented in method 35. However, if you have worked with Windows internals for decades, it doesn't matter to you anymore.

FaridAghili commented 7 years ago

Thank you very much @hfiref0x. Keep up the good work.